
CCNA Security (640-554) Portable Command Guide Book

  • CCNA Security (640-554) Portable Command Guide
  • Written by author Bob Vachon
  • Published by Pearson Education, 6/8/2012
  • All the CCNA Security 640-554 commands in one compact, portable resource. Preparing for the latest CCNA® Security exam? Here are all the CCNA Security commands you need in one condensed, portable resource. Filled with valuable, easy-to-access informatio

Introduction

Part I: Networking Security Fundamentals

CHAPTER 1 Networking Security Concepts

Basic Security Concepts

Assets, Vulnerabilities, Threats, and Countermeasures

Confidentiality, Integrity, and Availability

Data Classification Criteria

Data Classification Levels

Classification Roles

Threat Classification

Preventive, Detective, and Corrective Controls

Risk Avoidance, Transfer, and Retention

Drivers for Network Security

Evolution of Threats

Tracking Threats

Malicious Code: Viruses, Worms, and Trojan Horses

Anatomy of a Worm

Mitigating Malware and Worms

Threats in Borderless Networks

Hacker Titles

Thinking Like a Hacker

Reconnaissance Attacks

Access Attacks

Password Cracking

Denial-of-Service Attacks

Principles of Secure Network Design

Defense in Depth

CHAPTER 2 Implementing Security Policies Using a Lifecycle Approach

Risk Analysis

Quantitative Risk Analysis Formula

Quantitative Risk Analysis Example

Regulatory Compliance

Security Policy

Standards, Guidelines, and Procedures

Security Policy Audience Responsibilities

Security Awareness

Secure Network Lifecycle Management

Models and Frameworks

Assessing and Monitoring the Network Security Posture

Testing the Security Architecture

Incident Response

Incident Response Phases

Computer Crime Investigation

Collection of Evidence and Forensics

Law Enforcement and Liability

Ethics

Disaster-Recovery and Business-Continuity Planning

CHAPTER 3 Building a Security Strategy for Borderless Networks

Cisco Borderless Network Architecture

Borderless Security Products

Cisco SecureX Architecture and Context-Aware Security

Cisco TrustSec

TrustSec Confidentiality

Cisco AnyConnect

Cisco Security Intelligence Operations

Threat Control and Containment

Cloud Security and Data-Loss Prevention

Secure Connectivity Through VPNs

Security Management

Part II: Protecting the Network Infrastructure

CHAPTER 4 Network Foundation Protection

Threats Against the Network Infrastructure

Cisco Network Foundation Protection Framework

Control Plane Security

Control Plane Policing

Management Plane Security

Role-Based Access Control

Secure Management and Reporting

Data Plane Security

ACLs

Antispoofing

Layer 2 Data Plane Protection

CHAPTER 5 Protecting the Network Infrastructure Using CCP

Cisco Configuration Professional

Cisco Configuration Professional Express

Connecting to Cisco CP Express Using the GUI

Cisco Configuration Professional

Configuring an ISR for CCP Support

Installing CCP on a Windows PC

Connecting to an ISR Using CCP

CCP Features and User Interface

Application Menu Options

Toolbar Menu Options

Toolbar Configure Options

Toolbar Monitor Options

Using CCP to Configure IOS Device-Hardening Features

CCP Security Audit

CCP One-Step Lockdown

Using the Cisco IOS AutoSecure CLI Feature

Configuring AutoSecure via the CLI

CHAPTER 6 Securing the Management Plane

Planning a Secure Management and Reporting Strategy

Securing the Management Plane

Securing Passwords

Securing the Console Line and Disabling the Auxiliary Line

Securing VTY Access with SSH

Securing VTY Access with SSH Example

Securing VTY Access with SSH Using CCP Example

Securing Configuration and IOS Files

Restoring Bootset Files

Implementing Role-Based Access Control on Cisco Routers

Configuring Privilege Levels

Configuring Privilege Levels Example

Configuring RBAC via the CLI

Configuring RBAC via the CLI Example

Configuring Superviews

Configuring a Superview Example

Configuring RBAC Using CCP Example

Network Monitoring

Configuring a Network Time Protocol Master Clock

Configuring an NTP Client

Configuring an NTP Master and Client Example

Configuring an NTP Client Using CCP Example

Configuring Syslog

Configuring Syslog Example

Configuring Syslog Using CCP Example

Configuring SNMP

Configuring SNMP Using CCP

CHAPTER 7 Securing Management Access with AAA

Authenticating Administrative Access

Local Authentication

Server-Based Authentication

Authentication, Authorization, and Accounting Framework

Local AAA Authentication

Configuring Local AAA Authentication Example

Configuring Local AAA Authentication Using CCP Example

Server-Based AAA Authentication

TACACS+ Versus RADIUS

Configuring Server-Based AAA Authentication

Configuring Server-Based AAA Authentication Example

Configuring Server-Based AAA Authentication Using CCP Example

AAA Authorization

Configuring AAA Authorization Example

Configuring AAA Authorization Using CCP

AAA Accounting

Configuring AAA Accounting Example

Cisco Secure ACS

Adding a Router as a AAA Client

Configuring Identity Groups and an Identity Store

Configuring Access Service to Process Requests

Creating Identity and Authorization Policies

CHAPTER 8 Securing the Data Plane on Catalyst Switches

Common Threats to the Switching Infrastructure

Layer 2 Attacks

Layer 2 Security Guidelines

MAC Address Attacks

Configuring Port Security

Fine-Tuning Port Security

Configuring Optional Port Security Settings

Configuring Port Security Example

Spanning Tree Protocol Attacks

STP Enhancement Features

Configuring STP Enhancement Features

Configuring STP Enhancements Example

LAN Storm Attacks

Configuring Storm Control

Configuring Storm Control Example

VLAN Hopping Attacks

Mitigating VLAN Attacks

Mitigating VLAN Attacks Example

Advanced Layer 2 Security Features

ACLs and Private VLANs

Cisco Integrated Security Features

Secure the Switch Management Plane

CHAPTER 9 Securing the Data Plane in IPv6 Environments

Overview of IPv6

Comparison Between IPv4 and IPv6

The IPv6 Header

ICMPv6

Stateless Autoconfiguration

IPv4-to-IPv6 Transition Solutions

IPv6 Routing Solutions

IPv6 Threats

IPv6 Vulnerabilities

IPv6 Security Strategy

Configuring Ingress Filtering

Secure Transition Mechanisms

Future Security Enhancements

Part III: Threat Control and Containment

CHAPTER 10 Planning a Threat Control Strategy

Threats

Trends in Information Security Threats

Threat Control Guidelines

Threat Control Design Guidelines

Integrated Threat Control Strategy

Cisco Security Intelligence Operations

CHAPTER 11 Configuring ACLs for Threat Mitigation

Access Control List

Mitigating Threats Using ACLs

ACL Design Guidelines

ACL Operation

Configuring ACLs

ACL Configuration Guidelines

Filtering with Numbered Extended ACLs

Configuring a Numbered Extended ACL Example

Filtering with Named Extended ACLs

Configuring a Named Extended ACL Example

Configuring an Extended ACL Using CCP Example

Enhancing ACL Protection with Object Groups

Network Object Groups

Service Object Groups

Using Object Groups in Extended ACLs

Configuring Object Groups in ACLs Example

Configuring Object Groups in ACLs Using CCP Example

ACLs in IPv6

Mitigating IPv6 Attacks Using ACLs

IPv6 ACLs Implicit Entries

Filtering with IPv6 ACLs

Configuring an IPv6 ACL Example

CHAPTER 12 Configuring Zone-Based Firewalls

Firewall Fundamentals

Types of Firewalls

Firewall Design

Firewall Policies

Firewall Rule Design Guidelines

Cisco IOS Firewall Evolution

Cisco IOS Zone-Based Policy Firewall

Cisco Common Classification Policy Language

ZFW Design Considerations

Default Policies, Traffic Flows, and Zone Interaction

Configuring an IOS ZFW

Configuring an IOS ZFW Using the CLI Example

Configuring an IOS ZFW Using CCP Example

Configuring NAT Services for ZFWs Using CCP Example

CHAPTER 13 Configuring Cisco IOS IPS

IDS and IPS Fundamentals

Types of IPS Sensors

Types of Signatures

Types of Alarms

Intrusion Prevention Technologies

IPS Attack Responses

IPS Anti-Evasion Techniques

Managing Signatures

Cisco IOS IPS Signature Files

Implementing Alarms in Signatures

IOS IPS Severity Levels

Event Monitoring and Management

IPS Recommended Practices

Configuring IOS IPS

Creating an IOS IPS Rule and Specifying the IPS Signature File Location

Tuning Signatures per Category

Configuring IOS IPS Example

Configuring IOS IPS Using CCP Example

Signature Tuning Using CCP

Part IV: Secure Connectivity

CHAPTER 14 VPNs and Cryptology

Virtual Private Networks

VPN Deployment Modes

Cryptology = Cryptography + Cryptanalysis

Historical Cryptographic Ciphers

Modern Substitution Ciphers

Encryption Algorithms

Cryptanalysis

Cryptographic Processes in VPNs

Classes of Encryption Algorithms

Symmetric Encryption Algorithms

Asymmetric Encryption Algorithm

Choosing an Encryption Algorithm

Choosing an Adequate Keyspace

Cryptographic Hashes

Well-Known Hashing Algorithms

Hash-Based Message Authentication Codes

Digital Signatures

CHAPTER 15 Asymmetric Encryption and PKI

Asymmetric Encryption

Public Key Confidentiality and Authentication

RSA Functions

Public Key Infrastructure

PKI Terminology

PKI Standards

PKI Topologies

PKI Characteristics

CHAPTER 16 IPsec VPNs

IPsec Protocol

IPsec Protocol Framework

Encapsulating IPsec Packets

Transport Versus Tunnel Mode

Confidentiality Using Encryption Algorithms

Data Integrity Using Hashing Algorithms

Peer Authentication Methods

Key Exchange Algorithms

NSA Suite B Standard

Internet Key Exchange

IKE Negotiation Phases

IKEv1 Phase 1 (Main Mode and Aggressive Mode)

IKEv1 Phase 2 (Quick Mode)

IKEv2 Phase 1 and 2

IKEv1 Versus IKEv2

IPv6 VPNs

CHAPTER 17 Configuring Site-to-Site VPNs

Site-to-Site IPsec VPNs

IPsec VPN Negotiation Steps

Planning an IPsec VPN

Cipher Suite Options

Configuring IOS Site-to-Site VPNs

Verifying the VPN Tunnel

Configuring a Site-to-Site IPsec VPN Using IOS Example

Configuring a Site-to-Site IPsec VPN Using CCP Example

Generating a Mirror Configuration Using CCP

Testing and Monitoring IPsec VPNs

Monitoring Established IPsec VPN Connections Using CCP

Part V: Securing the Network Using the ASA

CHAPTER 18 Introduction to the ASA

Adaptive Security Appliance

ASA Models

Routed and Transparent Firewall Modes

ASA Licensing

Basic ASA Configuration

ASA 5505 Front and Back Panel

ASA 5510 Front and Back Panel

ASA Security Levels

ASA 5505 Port Configuration

ASA 5505 Deployment Scenarios

ASA 5505 Configuration Options

CHAPTER 19 Introduction to ASDM

Adaptive Security Device Manager

Accessing ASDM

Factory Default Settings

Resetting the ASA 5505 to Factory Default Settings

Erasing the Factory Default Settings

Setup Initialization Wizard

Installing and Running ASDM

Running ASDM

ASDM Wizards

The Startup Wizard

VPN Wizards

Advanced Wizards

CHAPTER 20 Configuring Cisco ASA Basic Settings

ASA Command-Line Interface

Differences Between IOS and ASA OS

Configuring Basic Settings

Configuring Basic Management Settings

Enabling the Master Passphrase

Configuring Interfaces

Configuring the Inside and Outside SVIs

Assigning Layer 2 Ports to VLANs

Configuring a Third SVI

Configuring the Management Plane

Enabling Telnet, SSH, and HTTPS Access

Configuring Time Services

Configuring the Control Plane

Configuring a Default Route

Basic Settings Example

Configuring Basic Settings Example Using the CLI

Configuring Basic Settings Example Using ASDM

CHAPTER 21 Configuring Cisco ASA Advanced Settings

ASA DHCP Services

DHCP Client

DHCP Server Services

Configuring DHCP Server Example Using the CLI

Configuring DHCP Server Example Using ASDM

ASA Objects and Object Groups

Network and Service Objects

Network, Protocol, ICMP, and Service Object Groups

Configuring Objects and Object Groups Example Using ASDM

ASA ACLs

ACL Syntax

Configuring ACLs Example Using the CLI

Configuring ACLs with Object Groups Example Using the CLI

Configuring ACLs with Object Groups Example Using ASDM

ASA NAT Services

Auto-NAT

Dynamic NAT, Dynamic PAT, and Static NAT

Configuring Dynamic and Static NAT Example Using the CLI

Configuring Dynamic NAT Example Using ASDM

AAA Access Control

Local AAA Authentication

Server-Based AAA Authentication

Configuring AAA Server-Based Authentication Example Using the CLI

Configuring AAA Server-Based Authentication Example Using ASDM

Modular Policy Framework Service Policies

Class Maps, Policy Maps, and Service Policies

Default Global Policies

Configure Service Policy Example Using ASDM

CHAPTER 22 Configuring Cisco ASA SSL VPNs

Remote-Access VPNs

Types of Remote-Access VPNs

ASA SSL VPN

Client-Based SSL VPN Example Using ASDM

Clientless SSL VPN Example Using ASDM

APPENDIX Create Your Own Journal Here

TOC, 9781587204487, 5/1/2012

