
CCNA Security Course Booklet Version 1.2, 3rd Edition

  • Copyright 2015
  • Edition: 3rd
  • Book
  • ISBN-10: 1-58713-346-6
  • ISBN-13: 978-1-58713-346-6

CCNA Security Course Booklet Version 1.2

Your Cisco Networking Academy Course Booklet is designed as a study resource you can easily read, highlight, and review on the go, wherever the Internet is not available or practical:

  • The text is extracted directly, word-for-word, from the online course so you can highlight important points and take notes in the “Your Chapter Notes” section.
  • Headings with the exact page correlations provide a quick reference to the online course for your classroom discussions and exam preparation.
  • An icon system directs you to the online curriculum to take full advantage of the images embedded within the Networking Academy online course interface and reminds you to perform the labs and Packet Tracer activities.

The Course Booklet is a basic, economical paper-based resource to help you succeed with the Cisco Networking Academy online course.

Related Titles:

CCNA Security Lab Manual Version 1.2
ISBN-13: 978-1-58713-347-3
ISBN-10: 1-58713-347-4

CCNA Security (640-554) Portable Command Guide
ISBN-13: 978-1-58720-448-7
ISBN-10: 1-58720-448-7

Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide, Second Edition
ISBN-13: 978-1-58714-272-7
ISBN-10: 1-58714-272-4

CCNA Security 640-554 Official Cert Guide
ISBN-13: 978-1-58720-446-3
ISBN-10: 1-58720-446-0

Table of Contents

Chapter 1 Modern Network Security Threats 1

1.0 Introduction 1

1.1 Fundamental Principles of a Secure Network 2

    1.1.1 Evolution of Network Security 2

        1.1.1.1 Code Red Worm Attack 2

        1.1.1.2 Evolution of Security Threats 2

        1.1.1.3 Evolution of Network Security Tools 3

        1.1.1.4 Threats to Networks 4

        1.1.1.5 Encryption and Cryptography 4

    1.1.2 Drivers for Network Security 5

        1.1.2.1 The Hacker 5

        1.1.2.2 Evolution of Hacking 5

        1.1.2.3 First Network Attacks 6

        1.1.2.4 Network Security Professionals 6

    1.1.3 Network Security Organizations 7

        1.1.3.1 Network Security Organizations 7

        1.1.3.2 SANS Institute 7

        1.1.3.3 CERT 8

        1.1.3.4 (ISC)2 8

        1.1.3.5 RSS 9

    1.1.4 Domains of Network Security 9

        1.1.4.1 Network Security Domains 9

        1.1.4.2 Security Policy 10

    1.1.5 Network Security Policies 10

        1.1.5.1 Network Security Policy 10

        1.1.5.2 Cisco SecureX Architecture 10

        1.1.5.3 Cisco SecureX Product Categories 11

        1.1.5.4 Network Security Policy Objectives 11

1.2 Viruses, Worms, and Trojan horses 11

    1.2.1 Viruses 11

        1.2.1.1 Primary Vulnerabilities for End User Devices 11

        1.2.1.2 Comparison of a Human Virus and a Computer Virus 12

    1.2.2 Worms 12

        1.2.2.1 Worms 12

        1.2.2.2 Worm Components 13

        1.2.2.3 Worm and Virus Exploit Comparison 13

    1.2.3 Trojan horses 14

        1.2.3.1 Trojan Horse Concept 14

        1.2.3.2 Trojan Horse Classifications 15

    1.2.4 Mitigating Viruses, Worms, and Trojan Horses 15

        1.2.4.1 Buffer Overflows 15

        1.2.4.2 Antivirus Software 15

        1.2.4.3 Worm Mitigation 16

        1.2.4.4 SQL Slammer Worm 16

1.3 Attack Methodologies 17

    1.3.1 Reconnaissance Attacks 17

        1.3.1.1 Types of Attacks 17

        1.3.1.2 Types of Reconnaissance Attacks 18

        1.3.1.3 Packet Sniffer 18

        1.3.1.4 Ping Sweeps and Port Scans 18

        1.3.1.5 Mitigating Reconnaissance Attacks 19

    1.3.2 Access Attacks 19

        1.3.2.1 Access Attacks 19

        1.3.2.2 Types of Access Attacks 20

        1.3.2.3 Mitigating Access Attacks 20

    1.3.3 Denial of Service Attacks 21

        1.3.3.1 DoS Attacks 21

        1.3.3.2 DoS and DDoS 21

        1.3.3.3 Types of DoS Attacks 22

        1.3.3.4 DoS Attack Symptoms 22

    1.3.4 Mitigating Network Attacks 23

        1.3.4.1 Mitigating Network Attacks 23

        1.3.4.2 Mitigating Reconnaissance Attacks 23

        1.3.4.3 Mitigating Access Attacks 24

        1.3.4.4 Mitigating DoS Attacks 24

        1.3.4.5 Defending the Network 24

1.4 Cisco Network Foundation Protection Framework 25

    1.4.1 NFP 25

        1.4.1.1 NFP Framework 25

        1.4.1.2 Control Plane 26

        1.4.1.3 Management Plane 26

        1.4.1.4 Data Plane 27

1.5 Chapter Summary 28

        1.5.1.1 Lab - Researching Network Attacks and Security Audit Tools 28

        1.5.1.2 Chapter Summary 28

Your Chapter Notes 30

Chapter 2 Securing Network Devices 31

2.0 Chapter Introduction 31

2.1 Securing Device Access 31

    2.1.1 Securing the Edge Router 31

        2.1.1.1 Securing the Network Infrastructure 31

        2.1.1.2 Implementing Security 32

        2.1.1.3 Securing Routers 33

        2.1.1.4 Secure Administrative Access 34

        2.1.1.5 Secure Local and Remote Access 34

    2.1.2 Configuring Secure Administrative Access 35

        2.1.2.1 Securing Passwords 35

        2.1.2.2 Securing Administrative Access 36

        2.1.2.3 Increase Password Security 37

        2.1.2.4 Configuring Secure Local Database Entries 38

    2.1.3 Configuring Enhanced Security for Virtual Logins 39

        2.1.3.1 Enhancing the Login Process 39

        2.1.3.2 Configuring Login Enhancement Features 39

        2.1.3.3 Enable Login Enhancements 39

        2.1.3.4 Logging Failed Attempts 40

        2.1.3.5 Provide Legal Notification 41

    2.1.4 Configuring SSH 41

        2.1.4.1 Configuring Before SSH Is Implemented 41

        2.1.4.2 Configuring SSH 42

        2.1.4.3 Additional SSH Commands 43

        2.1.4.4 Connecting to an SSH-Enabled Router 43

        2.1.4.5 Enabling SSH Using CCP 44

2.2 Assigning Administrative Roles 45

    2.2.1 Configuring Privilege Levels 45

        2.2.1.1 Limiting Command Availability 45

        2.2.1.2 Privilege Levels 45

        2.2.1.3 Configuring Privilege Levels 46

        2.2.1.4 Assigning Privilege Levels 47

        2.2.1.5 Limitations of Privilege Levels 48

    2.2.2 Configuring Role-Based CLI 48

        2.2.2.1 Role-Based CLI Access 48

        2.2.2.2 Role-Based Views 49

        2.2.2.3 Configuring Role-Based Views 50

        2.2.2.4 Configuring Role-Based CLI Superviews 50

        2.2.2.5 Verify Role-Based CLI Views 51

2.3 Monitoring and Managing Devices 51

    2.3.1 Securing Cisco IOS Image and Configuration Files 51

        2.3.1.1 Cisco IOS Resilient Configuration Feature 51

        2.3.1.2 Enabling the IOS Image Resilience Feature 52

        2.3.1.3 Restoring a Primary Bootset Image 53

        2.3.1.4 Recovering a Router Password 53

        2.3.1.5 Disabling Password Recovery 54

    2.3.2 Secure Management and Reporting 55

        2.3.2.1 Managing and Monitoring Network Devices 55

        2.3.2.2 Management Access 56

        2.3.2.3 In-Band and Out-of-Band Access 57

    2.3.3 Using Syslog for Network Security 57

        2.3.3.1 Introduction to Syslog 57

        2.3.3.2 Syslog Operation 58

        2.3.3.3 Syslog Message 59

        2.3.3.4 Syslog Systems 60

        2.3.3.5 Configuring System Logging 60

        2.3.3.6 Configuring Syslog Using CCP 60

        2.3.3.7 Monitor Syslog Messages Using CCP 61

    2.3.4 Using SNMP for Network Security 61

        2.3.4.1 Introduction to SNMP 61

        2.3.4.2 SNMP Operation 62

        2.3.4.3 SNMP Agent Traps 62

        2.3.4.4 SNMP Vulnerabilities 63

        2.3.4.5 SNMP Community Strings 63

        2.3.4.6 SNMPv3 64

        2.3.4.7 Enabling SNMP Using CCP 64

        2.3.4.8 Setting SNMP Traps 65

    2.3.5 Using NTP 66

        2.3.5.1 Network Time Protocol 66

        2.3.5.2 NTP Server 66

        2.3.5.3 NTP Authentication 67

        2.3.5.4 Enabling NTP Using CCP 68

2.4 Using Automated Security Features 68

    2.4.1 Performing a Security Audit 68

        2.4.1.1 Cisco Discovery Protocol 68

        2.4.1.2 Protocols and Services Default Settings 69

        2.4.1.3 Cisco IOS Security Tools 69

        2.4.1.4 CCP Security Audit Wizard 70

    2.4.2 Locking Down a Router Using AutoSecure 70

        2.4.2.1 Cisco AutoSecure 70

        2.4.2.2 Using the Cisco AutoSecure Feature 71

        2.4.2.3 Using the auto secure Command 72

    2.4.3 Locking Down a Router Using CCP 72

        2.4.3.1 Cisco One-Step Lockdown in CCP 72

        2.4.3.2 Cisco AutoSecure Versus CCP One-Step Lockdown 73

2.5 Summary 74

        2.5.1.1 Lab - Securing the Router for Administrative Access.pdf 74

        2.5.1.2 Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations 75

        2.5.1.3 Summary 75

Your Chapter Notes 76

Chapter 3 Authentication, Authorization, and Accounting 77

3.0 Introduction 77

3.1 Purpose of AAA 77

    3.1.1 AAA Overview 77

        3.1.1.1 Authentication without AAA 77

        3.1.1.2 AAA Components 78

    3.1.2 AAA Characteristics 79

        3.1.2.1 Authentication Modes 79

        3.1.2.2 Authorization 79

        3.1.2.3 Accounting 80

3.2 Local AAA Authentication 80

    3.2.1 Configuring Local AAA Authentication with CLI 80

        3.2.1.1 Authenticating Administrative Access 80

        3.2.1.2 Authentication Methods 81

        3.2.1.3 Default and Named Methods 82

        3.2.1.4 Fine-Tuning the Authentication Configuration 82

    3.2.2 Configuring Local AAA Authentication with CCP 83

        3.2.2.1 Enable AAA 83

        3.2.2.2 Add User Accounts 83

        3.2.2.3 Configure Method Lists 84

    3.2.3 Troubleshooting Local AAA Authentication 84

        3.2.3.1 Debug Options 84

        3.2.3.2 Debugging AAA Authentication 84

3.3 Server-Based AAA 85

    3.3.1 Server-Based AAA Characteristics 85

        3.3.1.1 Comparing Local AAA and Server-Based AAA Implementations 85

        3.3.1.2 Introducing Cisco Secure Access Control Server 85

    3.3.2 Server-Based AAA Communication Protocols 85

        3.3.2.1 Introducing TACACS+ and RADIUS 85

        3.3.2.2 TACACS+ Authentication 86

        3.3.2.3 RADIUS Authentication 86

    3.3.3 Cisco Secure ACS 87

        3.3.3.1 TACACS+ and RADIUS with Cisco Secure ACS 87

        3.3.3.2 Cisco Secure ACS Features 87

        3.3.3.3 Cisco Secure ACS as a TrustSec Component 88

        3.3.3.4 Cisco Secure ACS, High-Performance, and Scalability 88

        3.3.3.5 Cisco Secure ACS Software and Hardware Implementation Options 89

    3.3.4 Configuring Cisco Secure ACS 89

        3.3.4.1 Software and Network Requirements for Cisco Secure ACS 89

        3.3.4.2 Cisco Secure ACS Home Page 90

        3.3.4.3 Adding Cisco Secure ACS Clients 91

        3.3.4.4 Cisco Secure ACS Databases 92

    3.3.5 Configuring Cisco Secure ACS Users and Groups 93

        3.3.5.1 Cisco Secure ACS User Database Setup 93

        3.3.5.2 Cisco Secure ACS Group Setup 93

        3.3.5.3 Cisco Secure ACS User Setup 94

3.4 Server-Based AAA Authentication 94

    3.4.1 Configuring Server-Based AAA Authentication with CLI 94

        3.4.1.1 Steps for Configuring Server-Based AAA Authentication with CLI 94

        3.4.1.2 Configuring the CLI for TACACS+ and RADIUS Servers 94

    3.4.2 Configuring Server-Based AAA Authentication with CCP 96

        3.4.2.1 Configuring CCP for TACACS+ 96

        3.4.2.2 Configuring Method Lists with CCP 96

        3.4.2.3 Configuring Lines with Method Lists using CCP 97

    3.4.3 Troubleshooting Server-Based AAA Authentication 98

        3.4.3.1 Monitoring Authentication Traffic 98

        3.4.3.2 Debugging TACACS+ and RADIUS 98

3.5 Server-Based AAA Authorization and Accounting 98

    3.5.1 Configuring Server-Based AAA Authorization 98

        3.5.1.1 Introduction to Server-Based AAA Authorization 98

        3.5.1.2 AAA Authorization Types 99

        3.5.1.3 AAA Authorization Fundamentals with CCP 99

        3.5.1.4 AAA Authorization Methods with CCP 100

    3.5.2 Configuring Server-Based AAA Accounting 100

        3.5.2.1 Introduction to Server-Based AAA Accounting 100

        3.5.2.2 AAA Accounting Configuration with the CLI 101

3.6 Summary 102

        3.6.1.1 Lab - Securing Administrative Access Using AAA and RADIUS 102

        3.6.1.2 Packet Tracer - Configure AAA Authentication on Cisco Routers 102

        3.6.1.3 Summary 102

Your Chapter Notes 103

Chapter 4 Implementing Firewall Technologies 105

4.0 Introduction 105

4.1 Access Control Lists 105

    4.1.1 Configuring Standard and Extended IPv4 ACLs with CLI 105

        4.1.1.1 Introduction to Access Control Lists 105

        4.1.1.2 Standard and Extended Numbered IP ACLs 106

        4.1.1.3 Standard and Extended Named IP ACLs 107

        4.1.1.4 Logging ACL Matches 108

        4.1.1.5 Access Control Entry Rules 108

        4.1.1.6 Standard ACL Example 109

        4.1.1.7 Extended ACL Example 110

        4.1.1.8 Editing Extended ACLs 110

        4.1.1.9 How Cisco Routers Parse Standard ACLs 111

    4.1.2 Topology and Flow for ACLs 112

        4.1.2.1 How Cisco Routers Handle ACL Matches 112

        4.1.2.2 ACL Placement 112

        4.1.2.3 ACL Design 113

        4.1.2.4 Verifying ACL Functionality 113

    4.1.3 Configuring Standard and Extended ACLs with Cisco Configuration Professional 113

        4.1.3.1 Introduction to Configuring ACLs with Cisco Configuration Professional 113

        4.1.3.2 Cisco Configuration Professional Rules 114

        4.1.3.3 Creating a Rule 114

        4.1.3.4 Applying a Rule to an Interface 115

        4.1.3.5 Delivering a Rule 116

    4.1.4 Configuring TCP Established and Reflexive ACLs 116

        4.1.4.1 First Generation Approach to Stateful Firewall 116

        4.1.4.2 Monitoring TCP Flag Settings 117

        4.1.4.3 TCP Established in Action 117

        4.1.4.4 Reflexive ACLs 117

        4.1.4.5 Using Reflexive ACLs 118

    4.1.5 Configuring Dynamic ACLs 119

        4.1.5.1 Introducing Dynamic ACLs 119

        4.1.5.2 Dynamic ACL Operation 120

        4.1.5.3 Steps for Configuring a Dynamic ACL 120

        4.1.5.4 Dynamic ACL Timeouts 121

    4.1.6 Configuring Time-Based ACLs 122

        4.1.6.1 Introduction to Time-Based ACLs 122

        4.1.6.2 Time-Based ACL Configuration 122

        4.1.6.3 Time-Based ACL Scenario 123

    4.1.7 Troubleshooting Complex ACL Implementations 124

        4.1.7.1 Commands to Verify and Troubleshoot ACLs 124

        4.1.7.2 Monitoring ACL Matches 124

        4.1.7.3 Debugging ACLs 124

    4.1.8 Mitigating Attacks with ACLs 125

        4.1.8.1 Mitigating Spoofing and DoS Attacks 125

        4.1.8.2 Antispoofing with ACLs 125

        4.1.8.3 Permitting Necessary Traffic Through a Firewall 126

        4.1.8.4 Mitigating ICMP Abuse 126

        4.1.8.5 Mitigating SNMP Exploits 126

    4.1.9 IPv6 ACLs 127

        4.1.9.1 Introducing IPv6 ACLs 127

        4.1.9.2 Extended IPv6 ACLs 128

        4.1.9.3 Configuring IPv6 ACLs 128

    4.1.10 Using Object Groups in ACEs 128

        4.1.10.1 Introducing Object Groups 128

        4.1.10.2 Network and Service Object Groups 129

        4.1.10.3 Configuring Network and Service Object Groups 129

        4.1.10.4 Creating an Object Group-Based ACL 130

4.2 Firewall Technologies 131

    4.2.1 Securing Networks with Firewalls 131

        4.2.1.1 Defining Firewalls 131

        4.2.1.2 Benefits and Limitations of Firewalls 131

    4.2.2 Types of Firewalls 132

        4.2.2.1 Descriptions of Firewall Types 132

        4.2.2.2 Packet Filtering Firewall 133

        4.2.2.3 Stateful Firewalls 134

        4.2.2.4 Cisco Firewall Solutions 135

    4.2.3 Classic Firewall 136

        4.2.3.1 Introducing Classic Firewall 136

        4.2.3.2 Classic Firewall Operation 137

        4.2.3.3 Classic Firewall Inspection Rules 138

        4.2.3.4 Classic Firewall Configuration 139

    4.2.4 Firewalls in Network Design 140

        4.2.4.1 Demilitarized Zones 140

        4.2.4.2 Layered Defense 141

        4.2.4.3 Firewalls and the Security Policy 141

4.3 Zone-Based Policy Firewalls 142

    4.3.1 Zone-Based Policy Firewall Characteristics 142

        4.3.1.1 Introducing Zone-Based Policy Firewall 142

        4.3.1.2 Benefits of Zone-Based Policy Firewall 142

        4.3.1.3 Zone-Based Policy Firewall Design 143

    4.3.2 Zone-Based Policy Firewall Operation 144

        4.3.2.1 Zone-Based Policy Firewall Actions 144

        4.3.2.2 Zone-Based Policy Firewall Rules 144

        4.3.2.3 Zone-Based Policy Firewall Rules for Routers 145

    4.3.3 Configuring a Zone-Based Policy Firewall with CLI 146

        4.3.3.1 Steps for Configuring Zone-Based Policy Firewalls with CLI 146

        4.3.3.2 Create Zones 147

        4.3.3.3 Defining Traffic Classes 147

        4.3.3.4 Specify Firewall Policies 148

        4.3.3.5 Apply Firewall Policies and Assign Router Interfaces 148

    4.3.4 Configuring Zone-Based Policy Firewall with Cisco Configuration Professional Wizard 149

        4.3.4.1 Basic and Advanced Firewall Wizards 149

        4.3.4.2 Firewall Interface Configuration 150

        4.3.4.3 Security Level Configuration 150

        4.3.4.4 Deliver Configuration 151

        4.3.4.5 Manual Configuration with Cisco Configuration Professional 151

        4.3.4.6 Defining Zones 151

        4.3.4.7 Configuring Class Maps 152

        4.3.4.8 Creating Policy Maps 153

        4.3.4.9 Defining Zone Pairs 153

        4.3.4.10 Editing Firewall Policy View 154

        4.3.4.11 View Firewall Activity 154

        4.3.4.12 Viewing the Zone-Based Policy Firewall State Table 154

4.4 Summary 155

        4.4.1.1 Lab - Configuring Zone-Based Policy Firewalls 155

        4.4.1.2 Packet Tracer - Configure IP ACLs to Mitigate Attacks 155

        4.4.1.3 Packet Tracer - Configuring a Zone-Based Policy Firewall 155

        4.4.1.4 Summary 156

Your Chapter Notes 157

Chapter 5 Implementing Intrusion Prevention 159

5.0 Introduction 159

5.1 IPS Technologies 160

    5.1.1 IDS and IPS Characteristics 160

        5.1.1.1 Zero-Day Attacks 160

        5.1.1.2 Monitor for Attacks 160

        5.1.1.3 Detect and Stop Attacks 160

        5.1.1.4 IDS and IPS Characteristics 161

        5.1.1.5 Advantages and Disadvantages of IDS and IPS 161

    5.1.2 Network-Based IPS Implementations 162

        5.1.2.1 Network IPS Sensors 162

        5.1.2.2 Cisco IPS Solutions 163

        5.1.2.3 Choose an IPS Solution 164

        5.1.2.4 IPS Advantages and Disadvantages 164

5.2 IPS Signatures 165

    5.2.1 IPS Signature Characteristics 165

        5.2.1.1 Signature Attributes 165

        5.2.1.2 Signature Types 165

        5.2.1.3 Signature File 166

        5.2.1.4 Signature Micro-Engines 166

        5.2.1.5 Acquire the Signature File 167

    5.2.2 IPS Signature Alarms 168

        5.2.2.1 Signature Alarm 168

        5.2.2.2 Pattern-Based Detection 168

        5.2.2.3 Anomaly-Based Detection 169

        5.2.2.4 Policy-Based Detection 169

        5.2.2.5 Benefits of Implementing an IPS 170

    5.2.3 Tuning IPS Signature Alarms 170

        5.2.3.1 Trigger False Alarms 170

        5.2.3.2 Tune Signatures 171

    5.2.4 IPS Signature Actions 172

        5.2.4.1 Signature Actions 172

        5.2.4.2 Generate an Alert 172

        5.2.4.3 Log the Activity 173

        5.2.4.4 Drop or Prevent the Activity 173

        5.2.4.5 Reset, Block, and Allow Traffic 173

    5.2.5 Manage and Monitor IPS 174

        5.2.5.1 Monitor Activity 174

        5.2.5.2 Monitoring Considerations 174

        5.2.5.3 Monitor IPS Using Cisco Configuration Professional 175

        5.2.5.4 Secure Device Event Exchange 176

        5.2.5.5 IPS Configuration Best Practices 176

    5.2.6 IPS Global Correlation 177

        5.2.6.1 Cisco Global Correlation 177

        5.2.6.2 Cisco SensorBase Network 177

        5.2.6.3 Cisco Security Intelligence Operation 178

5.3 Implement IPS 178

    5.3.1 Configure Cisco IOS IPS with CLI 178

        5.3.1.1 Implement IOS IPS 178

        5.3.1.2 Download the IOS IPS Files 179

        5.3.1.3 Configure an IPS Crypto Key 179

        5.3.1.4 Enable IOS IPS 180

        5.3.1.5 Load the IPS Signature Package in RAM 181

    5.3.2 Configure Cisco IOS IPS with Cisco Configuration Professional 181

        5.3.2.1 Implement IOS IPS Using Cisco Configuration Professional 181

        5.3.2.2 Launch the IPS Rule Wizard 182

        5.3.2.3 Specify the Signature File 183

        5.3.2.4 Configure the Crypto Key 183

        5.3.2.5 Complete the IOS IPS Wizard 183

    5.3.3 Modifying Cisco IOS IPS Signatures 184

        5.3.3.1 Retire and Unretire Signatures 184

        5.3.3.2 Change Signature Actions 184

        5.3.3.3 Edit Signatures 185

        5.3.3.4 Tune a Signature 185

        5.3.3.5 Access and Configure Signature Parameters 185

5.4 Verify and Monitor IPS 186

    5.4.1 Verify Cisco IOS IPS 186

        5.4.1.1 Verify IOS IPS 186

        5.4.1.2 Verify IOS IPS Using Cisco Configuration Professional 186

    5.4.2 Monitoring Cisco IOS IPS 187

        5.4.2.1 Report IPS Alerts 187

        5.4.2.2 Enable SDEE 187

        5.4.2.3 Monitor IOS IPS Using Cisco Configuration Professional 188

5.5 Summary 188

        5.5.1.1 Lab - Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP 188

        5.5.1.2 Packet Tracer - Configure IOS Intrusion Prevention System (IPS) using CLI 188

        5.5.1.3 Summary 188

Your Chapter Notes 189

Chapter 6 Securing the Local-Area Network 191

6.0 Introduction 191

6.1 Endpoint Security 191

    6.1.1 Introducing Endpoint Security 191

        6.1.1.1 Introducing Endpoint Security 191

        6.1.1.2 SecureX Architecture 192

        6.1.1.3 Trusted Code and Trusted Path 192

        6.1.1.4 Operating System Vulnerabilities 193

        6.1.1.5 Cisco Endpoint Security Solutions 194

    6.1.2 Endpoint Security with Cisco ESA and WSA 194

        6.1.2.1 Cisco Email and Web Security Appliances 194

        6.1.2.2 Cisco Email Security Appliance 195

        6.1.2.3 Cisco Web Security Appliance 195

    6.1.3 Endpoint Security with Network Admission Control 196

        6.1.3.1 Cisco Network Admission Control 196

        6.1.3.2 Cisco NAC Functions 196

        6.1.3.3 Cisco NAC Components 197

        6.1.3.4 Cisco NAC Guest Server 197

        6.1.3.5 Cisco NAC Profiler 198

6.2 Layer 2 Security Considerations 199

    6.2.1 Introducing Layer 2 Security 199

        6.2.1.1 Mitigating Layer 2 Attacks 199

        6.2.1.2 Buffer Overflow 199

    6.2.2 MAC Address Spoofing 200

        6.2.2.1 Switch MAC Address Table 200

        6.2.2.2 MAC Address Spoofing Attacks 200

    6.2.3 MAC Address Table Overflow 201

        6.2.3.1 MAC Address Overflow Attacks 201

        6.2.3.2 macof Tool 201

    6.2.4 Spanning Tree Protocol Manipulation 202

        6.2.4.1 Spanning Tree Algorithm: Introduction 202

        6.2.4.2 Spanning Tree Algorithm: Port Roles 203

        6.2.4.3 Spanning Tree Algorithm: Root Bridge 204

        6.2.4.4 Spanning Tree Algorithm: Path Cost 205

        6.2.4.5 802.1D BPDU Frame Format 206

        6.2.4.6 BPDU Propagation and Process 206

        6.2.4.7 Extended System ID 207

        6.2.4.8 Video Demonstration - Observing Spanning Tree Protocol Operation 209

        6.2.4.9 STP Manipulation Attacks 209

    6.2.5 LAN Storms 209

        6.2.5.1 LAN Storm Attacks 209

        6.2.5.2 Storm Control 209

    6.2.6 VLAN Attacks 210

        6.2.6.1 VLAN Functions 210

        6.2.6.2 VLAN Hopping Attack 210

        6.2.6.3 VLAN Double-Tagging Attack 211

6.3 Configuring Layer 2 Security 211

    6.3.1 Configuring Port Security 211

        6.3.1.1 Port Security Operation 211

        6.3.1.2 Basic Port Security Configuration 212

        6.3.1.3 Advanced Port Security Configuration 212

        6.3.1.4 Port Security Aging 214

        6.3.1.5 Port Security with IP Phones 214

    6.3.2 Verifying Port Security 214

        6.3.2.1 Verify Port Security for Interfaces 214

        6.3.2.2 Verify Port Security for Addresses 215

        6.3.2.3 SNMP MAC Address Notification 215

    6.3.3 Configuring BPDU Guard, BPDU Filter, and Root Guard 215

        6.3.3.1 PortFast 215

        6.3.3.2 Configure BPDU Guard 216

        6.3.3.3 Verify BPDU Guard 216

        6.3.3.4 BPDU Filtering 216

        6.3.3.5 Root Guard 217

    6.3.4 Configuring Storm Control 217

        6.3.4.1 Broadcast, Multicast, and Unicast Traffic Rates 217

        6.3.4.2 Storm Control Configuration 218

        6.3.4.3 Verify Storm Control 219

    6.3.5 Configuring VLAN Trunk Security 219

        6.3.5.1 VLAN Trunk Security Guidelines 219

        6.3.5.2 VLAN Trunk Security Configuration 219

    6.3.6 Configuring Cisco Switched Port Analyzer 220

        6.3.6.1 Port Mirroring 220

        6.3.6.2 Cisco SPAN Configuration and Verification 220

        6.3.6.3 SPAN with Intrusion Detection 220

    6.3.7 Configuring PVLAN Edge 221

        6.3.7.1 Verify Protected Ports 221

        6.3.7.2 Verifying Protected Ports 221

    6.3.8 Recommended Practices for Layer 2 221

        6.3.8.1 Layer 2 Guidelines for Endpoint Security 221

        6.3.8.2 VLAN and Trunk Guidelines 222

6.4 Wireless, VoIP, and SAN Security 222

    6.4.1 Enterprise Advanced Technology Security Considerations 222

        6.4.1.1 Advanced Technology Topologies 222

        6.4.1.2 Wireless Security Introduction 222

        6.4.1.3 VoIP Security Introduction 223

        6.4.1.4 SAN Security Introduction 223

    6.4.2 Wireless Security Considerations 223

        6.4.2.1 Wireless NICs 223

        6.4.2.2 Wireless Home Router 224

        6.4.2.3 Business Wireless Solutions 224

        6.4.2.4 Wireless Access Points 225

        6.4.2.5 Lightweight Access Points and Wireless LAN Controllers 225

        6.4.2.6 War Driving 226

        6.4.2.7 Wireless Hacking 226

    6.4.3 Wireless Security Solutions 227

        6.4.3.1 History of Wireless Technologies 227

        6.4.3.2 Wireless Security Guidelines 227

    6.4.4 VoIP Security Considerations 228

        6.4.4.1 VoIP Business Advantages 228

        6.4.4.2 VoIP Components and Protocols 229

        6.4.4.3 VoIP Security Threats 229

        6.4.4.4 Spam over Internet Telephony 230

        6.4.4.5 Vishing, Toll Fraud, and SIP Vulnerabilities 231

    6.4.5 VoIP Security Solutions 232

        6.4.5.1 Voice VLANs 232

        6.4.5.2 VoIP with Cisco Adaptive Security Appliance 232

        6.4.5.3 VoIP with Encryption 233

        6.4.5.4 Hardening Voice Devices 233

    6.4.6 SAN Security Considerations 234

        6.4.6.1 Introducing SANs 234

        6.4.6.2 SAN Transport Technologies 234

        6.4.6.3 SAN World Wide Names 235

        6.4.6.4 Fibre Channel Zoning 236

        6.4.6.5 Virtual SANs 236

    6.4.7 SAN Security Solutions 236

        6.4.7.1 SAN Security Guidelines 236

        6.4.7.2 SAN Management Tools 237

        6.4.7.3 Securing Fabric and Target Access 237

        6.4.7.4 VSANs with Zones 237

        6.4.7.5 Security with iSCSI and FCIP 238

6.5 Summary 238

        6.5.1.1 Lab - Securing Layer 2 Switches 238

        6.5.1.2 Packet Tracer - Layer 2 Security 238

        6.5.1.3 Packet Tracer - Layer 2 VLAN Security 239

        6.5.1.4 Summary 239

Your Chapter Notes 240

Chapter 7 Cryptographic Systems 241

7.0 Introduction 241

7.1 Cryptographic Services 241

    7.1.1 Securing Communications 241

        7.1.1.1 Authentication, Integrity, and Confidentiality 241

        7.1.1.2 Authentication 242

        7.1.1.3 Data Integrity 243

        7.1.1.4 Data Confidentiality 243

    7.1.2 Cryptography 243

        7.1.2.1 Creating Cipher Text 243

        7.1.2.2 Transposition Ciphers 245

        7.1.2.3 Substitution Ciphers 245

        7.1.2.4 One-Time Pad Ciphers 246

    7.1.3 Cryptanalysis 247

        7.1.3.1 Cracking Code 247

        7.1.3.2 Methods for Cracking Code 247

        7.1.3.3 Cracking Code Example 248

    7.1.4 Cryptology 249

        7.1.4.1 Making and Breaking Secret Codes 249

        7.1.4.2 Cryptanalysis 249

        7.1.4.3 The Secret Is in the Keys 249

7.2 Basic Integrity and Authenticity 250

    7.2.1 Cryptographic Hashes 250

        7.2.1.1 Cryptographic Hash Function 250

        7.2.1.2 Cryptographic Hash Function Properties 250

        7.2.1.3 Well-Known Hash Functions 251

    7.2.2 Integrity with MD5 and SHA-1 251

        7.2.2.1 Message Digest 5 Algorithm 251

        7.2.2.2 Secure Hash Algorithm 252

        7.2.2.3 MD5 Versus SHA 252

    7.2.3 Authenticity with HMAC 253

        7.2.3.1 Keyed-Hash Message Authentication Code 253

        7.2.3.2 HMAC Operation 254

        7.2.3.3 Hashing in Cisco Products 254

    7.2.4 Key Management 254

        7.2.4.1 Characteristics of Key Management 254

        7.2.4.2 The Keyspace 255

        7.2.4.3 Types of Cryptographic Keys 256

        7.2.4.4 Choosing Cryptographic Keys 256

7.3 Confidentiality 257

    7.3.1 Encryption 257

        7.3.1.1 Cryptographic Encryption 257

        7.3.1.2 Symmetric and Asymmetric Encryption 258

        7.3.1.3 Symmetric Encryption 259

        7.3.1.4 Symmetric Block Ciphers and Stream Ciphers 259

        7.3.1.5 Choosing an Encryption Algorithm 260

    7.3.2 Data Encryption Standard 261

        7.3.2.1 DES Symmetric Encryption 261

        7.3.2.2 DES Operation 261

        7.3.2.3 DES Summary 262

    7.3.3 3DES 262

        7.3.3.1 Improving DES with 3DES 262

        7.3.3.2 3DES Operation 263

    7.3.4 Advanced Encryption Standard 263

        7.3.4.1 AES Origins 263

        7.3.4.2 AES Summary 264

    7.3.5 Alternate Encryption Algorithms 264

        7.3.5.1 Software-Optimized Encryption Algorithm (SEAL) 264

        7.3.5.2 RC Algorithms 264

    7.3.6 Diffie-Hellman Key Exchange 265

        7.3.6.1 Diffie-Hellman (DH) Algorithm 265

        7.3.6.2 DH Operation 266

7.4 Public Key Cryptography 266

    7.4.1 Symmetric Versus Asymmetric Encryption 266

        7.4.1.1 Asymmetric Key Algorithms 266

        7.4.1.2 Public Key + Private Key = Confidentiality 267

        7.4.1.3 Private Key + Public Key = Authentication 267

        7.4.1.4 Asymmetric Algorithms 268

    7.4.2 Digital Signatures 269

        7.4.2.1 Using Digital Signatures 269

        7.4.2.2 Digital Signature Specifics 270

        7.4.2.3 Digital Signature Process 270

        7.4.2.4 Digitally Signed Code 271

        7.4.2.5 Digital Signature Algorithm 271

    7.4.3 Rivest, Shamir, and Adleman 272

        7.4.3.1 RSA Asymmetric Algorithms 272

        7.4.3.2 RSA Summary 272

    7.4.4 Public Key Infrastructure 272

        7.4.4.1 Public Key Infrastructure Overview 272

        7.4.4.2 PKI Framework 273

        7.4.4.3 Components of a PKI 274

        7.4.4.4 PKI Usage Scenarios 274

    7.4.5 PKI Standards 275

        7.4.5.1 Interoperability of Different PKI Vendors 275

        7.4.5.2 X.509 Standard 275

        7.4.5.3 Public-Key Cryptography Standards 276

        7.4.5.4 Simple Certificate Enrollment Protocol 276

    7.4.6 Certificate Authorities 277

        7.4.6.1 Single-Root PKI Topology 277

        7.4.6.2 Hierarchical CA Topology 277

        7.4.6.3 Complex PKI Topology 278

    7.4.7 Digital Certificates and CAs 279

        7.4.7.1 Step 1: Retrieve CA Certificates 279

        7.4.7.2 Step 2: Submit Certificate Requests to the CA 279

        7.4.7.3 Step 3: Authenticate End Points 279

        7.4.7.4 PKI Summary 280

7.5 Summary 280

        7.5.1.1 Lab - Exploring Encryption Methods 280

        7.5.1.2 Summary 281

Your Chapter Notes 282

Chapter 8 Implementing Virtual Private Networks 283

8.0 Introduction 283

8.1 VPNs 283

    8.1.1 VPN Overview 283

        8.1.1.1 Introducing VPNs 283

        8.1.1.2 Types of VPNs 284

    8.1.2 VPN Topologies 285

        8.1.2.1 Site-to-Site and Remote-Access VPNs 285

        8.1.2.2 Site-to-Site VPN 285

        8.1.2.3 Remote-Access VPN 285

        8.1.2.4 VPN Client Software Options 286

        8.1.2.5 Cisco IOS SSL VPN 286

    8.1.3 VPN Solutions 287

        8.1.3.1 Cisco VPN Product Lines 287

        8.1.3.2 Cisco IOS VPN Feature Support 288

        8.1.3.3 VPN Services with Cisco ASA 288

        8.1.3.4 Cisco IPsec VPN Clients 289

        8.1.3.5 Cisco VPN Hardware Modules 290

8.2 GRE VPNs 290

    8.2.1 Configuring a Site-to-Site GRE Tunnel 290

        8.2.1.1 Introduction to GRE Tunnels 290

        8.2.1.2 GRE Header 291

        8.2.1.3 Configuring GRE 291

        8.2.1.4 GRE with IPsec 291

8.3 IPsec VPN Components and Operation 292

    8.3.1 Introducing IPsec 292

        8.3.1.1 IPsec as an IETF Standard 292

        8.3.1.2 Confidentiality 293

        8.3.1.3 Integrity 293

        8.3.1.4 Authentication 294

        8.3.1.5 Secure Key Exchange 295

    8.3.2 IPsec Security Protocols 296

        8.3.2.1 IPsec Framework Protocols 296

        8.3.2.2 Authentication Header 296

        8.3.2.3 ESP 297

        8.3.2.4 Encryption and Authentication with ESP 297

        8.3.2.5 Transport and Tunnel Modes 297

    8.3.3 Internet Key Exchange 298

        8.3.3.1 Security Associations 298

        8.3.3.2 IKE Phase 1 and Phase 2 299

        8.3.3.3 Three Key Exchanges 299

        8.3.3.4 Aggressive Mode 300

        8.3.3.5 IKE Phase 2 300

8.4 Implementing Site-to-Site IPsec VPNs with CLI 301

    8.4.1 Configuring a Site-to-Site IPsec VPN 301

        8.4.1.1 IPsec VPN Negotiation 301

        8.4.1.2 IPsec Configuration Tasks 301

    8.4.2 Task 1 – Configure Compatible ACLs 302

        8.4.2.1 Protocols 50 and 51 and UDP Port 500 302

        8.4.2.2 Configure Compatible ACLs 302

    8.4.3 Task 2 – Configure IKE 303

        8.4.3.1 IKE Parameters for ISAKMP 303

        8.4.3.2 Negotiating ISAKMP Policies 303

        8.4.3.3 Pre-Shared Keys 304

    8.4.4 Task 3 – Configure the Transform Sets 304

        8.4.4.1 Defining Transform Sets 304

        8.4.4.2 Configuring the Transform Sets 305

    8.4.5 Task 4 – Configure the Crypto ACLs 305

        8.4.5.1 Defining Crypto ACLs 305

        8.4.5.2 Crypto ACL Syntax 305

        8.4.5.3 Symmetric Crypto ACLs 306

    8.4.6 Task 5 – Apply the Crypto Map 306

        8.4.6.1 Defining Crypto Maps 306

        8.4.6.2 Crypto Map Syntax 307

        8.4.6.3 Applying the Crypto Map 308

    8.4.7 Verify and Troubleshoot the IPsec Configuration 308

        8.4.7.1 Commands to Verify and Troubleshoot IPsec Configuration 308

        8.4.7.2 IPsec show Commands 308

        8.4.7.3 Verifying Security Associations 309

        8.4.7.4 Troubleshooting VPN Connectivity 309
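The five tasks listed under 8.4, carried through as one working Cisco IOS configuration. This is an added example, not text from the course booklet or a Cisco configuration; the topology is assumed (R1 outside Serial0/0/0 at 203.0.113.1, peer R2 at 203.0.113.2, LANs 10.1.1.0/24 behind R1 and 10.2.2.0/24 behind R2), and the ACL names, map name, transform-set name and pre-shared key are placeholders. R2 receives the mirror image (peer address, crypto ACL source/destination and key swapped accordingly).

```cisco
! Added example (not from the course booklet): R1 side of a site-to-site IPsec VPN
! on Cisco IOS, following the five tasks of section 8.4.
! Assumed topology (hypothetical): R1 Serial0/0/0 203.0.113.1, R2 peer 203.0.113.2,
! R1 LAN 10.1.1.0/24, R2 LAN 10.2.2.0/24.
!
! Task 1 - compatible ACLs: an inbound ACL on the outside interface must permit
! ESP (IP protocol 50), AH (51) and ISAKMP (UDP 500) from the peer. If a NAT device
! sits between the peers, also permit UDP 4500 (keyword non500-isakmp) for NAT-T.
ip access-list extended OUTSIDE-IN
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
!
! Task 2 - IKE phase 1 (ISAKMP) policy and pre-shared key. Peers use the lowest
! numbered policy whose parameters match on both sides. SHA-256 needs IOS 15.x;
! older images only accept "hash sha".
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key S3cr3tPSK-change-me address 203.0.113.2
!
! Task 3 - transform set: the phase 2 protocols and algorithms. ESP with AES-256
! and SHA-256 HMAC gives confidentiality and integrity; tunnel mode is the default.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Task 4 - crypto ACL: selects the traffic to protect. R2's crypto ACL must be the
! mirror image, or negotiation fails with a proxy identity mismatch.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Task 5 - crypto map ties peer, transform set and crypto ACL together and is
! applied to the outside interface.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Verification (8.4.7): the tunnel is only negotiated once interesting traffic
! appears, so send a ping sourced from the LAN first. The ISAKMP SA should show
! QM_IDLE after phase 1; the IPsec SA encaps/decaps counters should then climb.
! R1# ping 10.2.2.1 source 10.1.1.1
! R1# show crypto isakmp sa
! R1# show crypto ipsec sa
! R1# show crypto map
! R1# debug crypto isakmp
```

Pre-shared keys and ISAKMP policies must match exactly on both routers; the most common phase 1 failure in practice is a mismatched policy or key, which `debug crypto isakmp` reports before any IPsec SA is attempted.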

8.5 Implementing Site-to-Site IPsec VPNs with CCP 309

    8.5.1 Configuring IPsec Using CCP 309

        8.5.1.1 Steps for IPsec VPN Configuration with CCP 309

        8.5.1.2 CCP VPN Wizards 309

        8.5.1.3 Site-to-Site VPN Wizard 310

        8.5.1.4 Quick Setup and Step-by-Step Wizard 310

    8.5.2 VPN Wizard – Quick Setup 310

        8.5.2.1 Quick Setup 310

        8.5.2.2 Finishing Quick Setup 311

    8.5.3 VPN Wizard – Step by Step Setup 311

        8.5.3.1 Step by Step Wizard 311

        8.5.3.2 IKE Proposal 312

        8.5.3.3 Transform Set 312

        8.5.3.4 Traffic to Protect 312

        8.5.3.5 Configuration Summary 313

    8.5.4 Verifying, Monitoring, and Troubleshooting VPNs 313

        8.5.4.1 Testing the Tunnel 313

        8.5.4.2 View IPsec Tunnels 313

8.6 Implementing Remote-Access VPNs 314

    8.6.1 A Shift to Telecommuting 314

        8.6.1.1 Advantages of Telecommuting 314

        8.6.1.2 Benefits of Telecommuting 314

        8.6.1.3 Teleworker WAN Connection Options 314

    8.6.2 Introducing Remote-Access VPNs 315

        8.6.2.1 Remote-Access VPN Options 315

        8.6.2.2 Access Requirements Determine Remote-Access VPN 315

    8.6.3 SSL VPNs 316

        8.6.3.1 Cisco IOS SSL VPN Technology 316

        8.6.3.2 Types of SSL VPN Access 317

        8.6.3.3 Full Client Access Mode 317

        8.6.3.4 Steps to Establishing SSL VPN 318

        8.6.3.5 SSL VPN Design 318

    8.6.4 Cisco Easy VPN 319

        8.6.4.1 Introducing Cisco Easy VPN 319

        8.6.4.2 Cisco Easy VPN Endpoints 320

        8.6.4.3 Cisco Easy VPN Connection Steps 320

    8.6.5 Configuring a VPN Server with CCP 321

        8.6.5.1 CCP Tasks for Cisco Easy VPN Server 321

        8.6.5.2 Initial Easy VPN Server Steps 321

        8.6.5.3 Selecting the Transform Set 321

        8.6.5.4 Group Authorization and Group Policy Lookup 322

        8.6.5.5 Easy VPN Server Summary 322

    8.6.6 Connecting with a VPN Client 322

        8.6.6.1 Introducing Cisco VPN Client 322

        8.6.6.2 Connection Status 323

8.7 Summary 323

        8.7.1.1 Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP 323

        8.7.1.2 Lab - Configuring a Remote Access VPN Server and Client 323

        8.7.1.3 Lab - (Optional) Configuring a Remote Access VPN Server and Client 324

        8.7.1.4 Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN using CLI 324

        8.7.1.5 Summary 324

Your Chapter Notes 326

Chapter 9 Implementing the Cisco Adaptive Security Appliance 327

9.0 Introduction 327

9.1 Introduction to the ASA 328

    9.1.1 Overview of the ASA 328

        9.1.1.1 Overview of ASA Firewalls 328

        9.1.1.2 Review of Firewalls in Network Design 329

        9.1.1.3 Stateful Firewall Review 330

        9.1.1.4 ASA Firewall Modes and Features 331

        9.1.1.5 ASA Licensing Requirements 332

    9.1.2 Basic ASA Configuration 332

        9.1.2.1 Overview of ASA 5505 332

        9.1.2.2 ASA Security Levels 333

        9.1.2.3 ASA 5505 Deployment Scenarios 334

9.2 ASA Firewall Configuration 335

    9.2.1 Introduction to the ASA Firewall Configuration 335

        9.2.1.1 Introduce Basic ASA Settings 335

        9.2.1.2 ASA Default Configuration 336

        9.2.1.3 ASA Interactive Setup Initialization Wizard 337

    9.2.2 Configuring Management Settings and Services 337

        9.2.2.1 Configuring Basic Settings 337

        9.2.2.2 Configuring Interfaces 338

        9.2.2.3 Verifying Basic Settings 340

        9.2.2.4 Configuring a Default Static Route 340

        9.2.2.5 Configuring Remote Access Services 340

        9.2.2.6 Configuring Network Time Protocol Services 341

        9.2.2.7 Configuring DHCP Services 341

    9.2.3 Introduction to ASDM 342

        9.2.3.1 Overview of ASDM 342

        9.2.3.2 Starting ASDM 343

        9.2.3.3 ASDM Dashboard 344

        9.2.3.4 Configuring Management Settings in ASDM 345

        9.2.3.5 Configuring Management Services in ASDM 346

    9.2.4 ASDM Wizards 346

        9.2.4.1 ASDM Wizards 346

        9.2.4.2 The Startup Wizard 346

        9.2.4.3 Different Types of VPN Wizards 347

        9.2.4.4 Other Wizards 348

    9.2.5 Object Groups 348

        9.2.5.1 Introduction to Objects and Object Groups 348

        9.2.5.2 Configuring Network Objects 349

        9.2.5.3 Configuring Service Objects 349

        9.2.5.4 Object Groups 350

        9.2.5.5 Configuring Object Groups 351

        9.2.5.6 Objects in ASDM 352

    9.2.6 ACLs 352

        9.2.6.1 ASA ACLs 352

        9.2.6.2 Types of ASA ACL Filtering 353

        9.2.6.3 Types of ASA ACLs 353

        9.2.6.4 Configuring ACLs 354

        9.2.6.5 ACL and Object Groups 355

        9.2.6.6 ACL Using Object Groups Examples 355

        9.2.6.7 Configuring ACLs Using ASDM 356

    9.2.7 NAT Services on an ASA 356

        9.2.7.1 ASA NAT Overview 356

        9.2.7.2 Configuring NAT and PAT 357

        9.2.7.3 Configuring NAT and PAT Examples 358

        9.2.7.4 Configuring Static NAT Example 358

        9.2.7.5 Configuring Dynamic NAT and PAT in ASDM 359

        9.2.7.6 Configuring Static NAT in ASDM 360

    9.2.8 AAA in ASDM 360

        9.2.8.1 AAA Review 360

        9.2.8.2 Local Database and Servers 361

        9.2.8.3 Sample AAA Configuration 362

        9.2.8.4 Configuring AAA Authentication 362

        9.2.8.5 Binding the Authentication 362

    9.2.9 Service Policies on an ASA 363

        9.2.9.1 Overview of MPF 363

        9.2.9.2 Configuring Class Maps 363

        9.2.9.3 Configuring the Policy Map and Service Policy 365

        9.2.9.4 ASA Default Policy 366

        9.2.9.5 Configuring a Service Policy Using ASDM 366
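The 9.2 topics (basic settings, interfaces and security levels, default route, objects and object groups, ACLs, NAT and the Modular Policy Framework) combined into one minimal ASA 5505 configuration. This is an added example, not text from the course booklet or a Cisco configuration; the hostname, VLAN layout, addresses, object and ACL names and the credential placeholder are all assumed, and ASA software 8.3 or later is assumed because the object NAT syntax shown did not exist before that release.

```cisco
! Added example (not from the course booklet): a minimal ASA 5505 firewall
! configuration that walks through the section 9.2 topics in order. Hostname,
! VLAN layout, addresses, object names and the credential placeholder are all
! hypothetical. ASA 8.3 or later is assumed (object NAT syntax).
hostname CCNAS-ASA
domain-name example.com
!
! Basic management settings (9.2.2): local admin account, SSH from inside only.
! Replace the placeholder password before use.
username admin password Adm1n-change-me privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
!
! Interfaces and security levels (9.1.2.2): traffic flows from a higher to a
! lower security level by default; lower-to-higher needs an explicit ACL.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
! A third VLAN on the 5505 Base license must be barred from initiating traffic
! to one other VLAN; this line has to precede nameif.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
!
! Default static route (9.2.2.4) toward the ISP next hop.
route outside 0.0.0.0 0.0.0.0 209.165.200.225
!
! Network objects with object NAT (9.2.5, 9.2.7): dynamic PAT for the inside LAN
! behind the outside interface address, static NAT for the DMZ web server.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-WEB
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
!
! Service object group (9.2.5.4) keeps the ACL short as ports are added later.
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! ACL (9.2.6): on ASA 8.3+ an ACL references the real (untranslated) address,
! hence "object DMZ-WEB" rather than the public 209.165.200.227.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB object-group WEB-PORTS
access-group OUTSIDE-IN in interface outside
!
! Modular Policy Framework (9.2.9): add ICMP inspection to the default global
! policy so echo replies to pings from the inside are allowed back through.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Verification:
! ciscoasa# show interface ip brief
! ciscoasa# show route
! ciscoasa# show nat detail
! ciscoasa# show xlate
! ciscoasa# show access-list OUTSIDE-IN
! ciscoasa# show service-policy
! ciscoasa# show conn
```

Two points worth checking on any ASA build of this kind: the ACL is applied to the lowest-security interface in the inbound direction, so nothing from the Internet reaches the DMZ except the ports listed, and the NAT rules live on the network objects, so `show nat detail` is where a missing translation will show up before looking at the ACL hit counts.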

9.3 ASA VPN Configuration 366

    9.3.1 ASA Remote-Access VPN Options 366

        9.3.1.1 Implementing SSL VPNs Using Cisco ASA 366

        9.3.1.2 IPsec versus SSL 367

        9.3.1.3 Remote-Access Solutions 368

        9.3.1.4 Cisco AnyConnect 368

        9.3.1.5 AnyConnect for Mobile Devices 369

    9.3.2 Configuring Clientless SSL VPN 369

        9.3.2.1 Configuring SSL VPN on ASA Using the AnyConnect Client 369

        9.3.2.2 Sample VPN Topology 370

        9.3.2.3 Clientless SSL VPN 370

        9.3.2.4 Clientless SSL VPN (Cont.) 370

        9.3.2.5 Verifying Clientless SSL VPN 371

        9.3.2.6 Generated CLI Config 372

    9.3.3 Configuring AnyConnect SSL VPN 372

        9.3.3.1 Configuring SSL VPN AnyConnect 372

        9.3.3.2 Sample SSL VPN Topology 373

        9.3.3.3 AnyConnect SSL VPN 373

        9.3.3.4 AnyConnect SSL VPN (Cont.) 374

        9.3.3.5 Verifying AnyConnect Connection 375

        9.3.3.6 Verifying AnyConnect Connection (Cont.) 375

        9.3.3.7 Generated CLI Configuration 376

9.4 Summary 376

        9.4.1.1 Lab - Configuring ASA Basic Settings and Firewall Using CLI 376

        9.4.1.2 Lab - Configuring ASA Basic Settings and Firewall Using ASDM 377

        9.4.1.3 Lab - Configuring Clientless and AnyConnect Remote Access SSL VPNs Using ASDM 377

        9.4.1.4 Lab - Configuring a Site-to-Site IPsec VPN Using CCP and ASDM 377

        9.4.1.5 Packet Tracer - Configuring ASA Basic Settings and Firewall Using CLI 377

        9.4.1.6 Summary 378

Your Chapter Notes 379

Chapter 10 Managing a Secure Network 381

10.0 Introduction 381

10.1 Principles of Secure Network Design 382

    10.1.1 Ensuring a Network Is Secure 382

        10.1.1.1 Security Policies 382

        10.1.1.2 Avoid Wrong Assumptions 383

    10.1.2 Threat Identification and Risk Analysis 384

        10.1.2.1 Identifying Threats 384

        10.1.2.2 Risk Analysis in IT 384

        10.1.2.3 Single Loss Expectancy Quantitative Risk Analysis 385

        10.1.2.4 Annualized Rate of Occurrence Quantitative Risk Analysis 386

        10.1.2.5 Why Perform a Quantitative Risk Analysis? 387

    10.1.3 Risk Management and Risk Avoidance 387

        10.1.3.1 Methods of Handling Risks 387

        10.1.3.2 Risk Management 388

        10.1.3.3 Risk Avoidance 388

10.2 Security Architecture 389

    10.2.1 Introducing the Cisco SecureX Architecture 389

        10.2.1.1 Borderless Networks 389

        10.2.1.2 SecureX Security Architecture 389

        10.2.1.3 Centralized Context-Aware Network Scanning Element 390

        10.2.1.4 Cisco Security Intelligence Operations 391

    10.2.2 Solutions for the Cisco SecureX Architecture 391

        10.2.2.1 SecureX Products 391

        10.2.2.2 Cisco Secure Edge and Branch 392

        10.2.2.3 Secure Email and Web 392

        10.2.2.4 Secure Access 392

        10.2.2.5 Secure Mobility 393

        10.2.2.6 Secure Data Center and Virtualization 394

        10.2.2.7 Network Security Services 395

10.3 Operations Security 395

    10.3.1 Introducing Operations Security 395

        10.3.1.1 Operation Security 395

        10.3.1.2 Overview of the Operations Team 396

    10.3.2 Principles of Operations Security 396

        10.3.2.1 Separation of Duties 396

        10.3.2.2 Rotation of Duties 397

        10.3.2.3 Trusted Recovery 397

        10.3.2.4 Configuration and Change Control 398

10.4 Network Security Testing 399

    10.4.1 Introducing Network Security Testing 399

        10.4.1.1 Network Security Testing 399

        10.4.1.2 Types of Network Tests 399

        10.4.1.3 Applying Network Test Results 400

    10.4.2 Network Security Testing Tools 400

        10.4.2.1 Network Testing Tools 400

        10.4.2.2 Nmap 401

        10.4.2.3 SuperScan 402

10.5 Business Continuity Planning and Disaster Recovery 402

    10.5.1 Continuity Planning and Disaster Recovery 402

        10.5.1.1 Business Continuity Planning 402

        10.5.1.2 Disaster Recovery 403

    10.5.2 Recovery Plans and Redundancy 403

        10.5.2.1 Recovery Plans 403

        10.5.2.2 Redundancy 403

    10.5.3 Secure Copy 404

        10.5.3.1 Secure Copy 404

        10.5.3.2 SCP Server Configuration 404

10.6 System Development Life Cycle 405

    10.6.1 Introducing the SDLC 405

        10.6.1.1 System Life Cycle 405

        10.6.1.2 Phases of SDLC 405

    10.6.2 Phases of the SDLC 406

        10.6.2.1 Initiation 406

        10.6.2.2 Acquisition and Development 406

        10.6.2.3 Implementation 407

        10.6.2.4 Operations and Maintenance 407

        10.6.2.5 Disposition 408

10.7 Developing a Comprehensive Security Policy 408

    10.7.1 Security Policy Overview 408

        10.7.1.1 Secure Network Life Cycle 408

        10.7.1.2 Security Policy 408

        10.7.1.3 Security Policy Audience 409

    10.7.2 Structure of a Security Policy 410

        10.7.2.1 Security Policy Hierarchy 410

        10.7.2.2 Governing Policy 410

        10.7.2.3 Technical Policies 410

        10.7.2.4 End User Policies 411

    10.7.3 Standards, Guidelines, and Procedures 411

        10.7.3.1 Security Policy Documents 411

        10.7.3.2 Standards Documents 412

        10.7.3.3 Guideline Documents 412

        10.7.3.4 Procedure Documents 412

    10.7.4 Roles and Responsibilities 413

        10.7.4.1 Organizational Reporting Structure 413

        10.7.4.2 Common Executive Titles 413

    10.7.5 Security Awareness and Training 413

        10.7.5.1 Security Awareness Program 413

        10.7.5.2 Awareness Campaigns 414

        10.7.5.3 Security Training Course 414

        10.7.5.4 Educational Program 415

    10.7.6 Laws and Ethics 416

        10.7.6.1 Laws 416

        10.7.6.2 Ethics 416

        10.7.6.3 Code of Ethics 417

    10.7.7 Responding to a Security Breach 418

        10.7.7.1 Motive, Opportunity, and Means 418

        10.7.7.2 Collecting Data 419

10.8 Summary 419

        10.8.1.1 Lab - CCNA Security Comprehensive Lab 419

        10.8.1.2 Packet Tracer - Skills Integration Challenge 420

        10.8.1.3 Summary 420

Your Chapter Notes 422

Glossary 423

9781587133466   TOC   9/8/2014
