larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide, 2nd Edition


  • Sorry, this book is no longer in print.
Not for Sale

eBook (Watermarked)

  • Your Price: $44.79
  • List Price: $55.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

  • About
  • Description
  • Sample Content
  • Updates


  • Brings together core real-world knowledge for designing, implementing, and monitoring comprehensive security policies with Cisco technologies
  • Teaches you how to implement security services in Cisco routers and switches
  • New coverage: borderless network security, network foundation protection, IPv6 data plane security, ACL and ASA updates, IKEv2, SSL VPNs, and much more
  • Developed with the Cisco certification team, creators of the newest IINS exams and courses

  • Copyright 2013
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 784
  • Edition: 2nd
  • Book
  • ISBN-10: 1-58714-272-4
  • ISBN-13: 978-1-58714-272-7

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide Second Edition

Foundation learning for the CCNA Security IINS 640-554 exam

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is a Cisco-authorized, self-paced learning tool for CCNA® Security 640-554 foundation learning. This book provides you with the knowledge needed to secure Cisco® networks. By reading this book, you will gain a thorough understanding of how to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

This book focuses on using Cisco IOS routers to protect the network by capitalizing on their advanced features as a perimeter router, firewall, intrusion prevention system, and site-to-site VPN device. The book also covers the use of Cisco Catalyst switches for basic network security, the Cisco Secure Access Control System (ACS), and the Cisco Adaptive Security Appliance (ASA). You learn how to perform basic tasks to secure a small branch office network using Cisco IOS security features available through web-based GUIs (Cisco Configuration Professional) and the CLI
on Cisco routers, switches, and ASAs.

Whether you are preparing for CCNA Security certification or simply want to gain a better understanding of Cisco IOS security fundamentals, you will benefit from the information provided in this book.

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit

-- Develop a comprehensive network security policy to counter threats against information security

-- Secure borderless networks

-- Learn how to use Cisco IOS Network Foundation Protection (NFP) and Cisco Configuration Professional (CCP)

-- Securely implement the management and reporting features of Cisco IOS devices

-- Deploy Cisco Catalyst Switch security features

-- Understand IPv6 security features

-- Plan threat control strategies

-- Filter traffic with access control lists

-- Configure ASA and Cisco IOS zone-based firewalls

-- Implement intrusion prevention systems (IPS) and network address translation (NAT)

-- Secure connectivity with site-to-site IPsec VPNs and remote access VPNs

This volume is in the Foundation Learning Guide Series offered by Cisco Press®. These guides are developed together with Cisco as the only authorized, self-paced learning tools that help networking professionals build their understanding of networking concepts and prepare for Cisco certification exams.

Category: Cisco Certification

Covers: CCNA Security IINS exam 640-554

Online Sample Chapter

Network Security Concepts and Policies

Sample Pages

Download the sample pages (includes Chapter 1 and Index)

Table of Contents

Introduction xxviii

Part I Networking Security Fundamentals

Chapter 1 Network Security Concepts and Policies 1

Building Blocks of Information Security 2

Basic Security Assumptions 2

Basic Security Requirements 2

Data, Vulnerabilities, and Countermeasures 3

Data Classification 4

Vulnerabilities Classifications 7

Countermeasures Classification 8

Need for Network Security 12

Intent Evolution 13

Threat Evolution 14

Trends Affecting Network Security 16

Adversaries, Methodologies, and Classes of Attack 19

Adversaries 20

Methodologies 21

Threats Classification 23

Man-in-the-Middle Attacks 32

Overt and Covert Channels 33

Botnets 37

DoS and DDoS Attacks 37

Principles of Secure Network Design 39

Defense in Depth 41

Evaluating and Managing the Risk 42

Levels of Risks 43

Risk Analysis and Management 44

Risk Analysis 44

Building Blocks of Risk Analysis 47

A Lifecycle Approach to Risk Management 49

Regulatory Compliance 50

Security Policies 53

Security Policy Components 55

Governing Policy 56

End-User Policies 57

Technical Policies 57

Standards, Guidelines, and Procedures 59

Security Policy Roles and Responsibilities 61

Security Awareness 62

Secure Network Lifecycle Management 63

IT Governance, Risk Management, and Compliance 64

Secure Network Life Cycle 64

Initiation Phase 65

Acquisition and Development Phase 65

Implementation Phase 66

Operations and Maintenance Phase 67

Disposition Phase 67

Models and Frameworks 67

Network Security Posture 69

Network Security Testing 70

Security Testing Techniques 70

Common Testing Tools 71

Incident Response 72

Incident Management 73

Computer Crime Investigations 74

Laws and Ethics 75

Liability 76

Disaster Recovery and Business Continuity Planning 77

Business Continuity Concepts 78

Summary 79

References 79

Publications 79

Web Resources 80

Review Questions 80

Chapter 2 Security Strategy and Cisco Borderless Network 85

Borderless Networks 85

Cisco Borderless Network Security Architecture 86

Borderless End Zone 88

Borderless Internet 89

Borderless Data Center 90

Policy Management Layer 91

Borderless Network Services 91

Borderless Security Products 92

SecureX, a Context-Aware Security Approach 93

SecureX Core Components 94

Threat Control and Containment 98

Cisco Security Intelligence Operation 99

Cloud Security, Content Security, and Data Loss Prevention 100

Content Security 101

Data Loss Prevention 101

Cloud-Based Security 101

Web Security 101

Email Security 104

Secure Connectivity Through VPNs 105

Security Management 106

Cisco Security Manager 107

Summary 108

References 108

Review Questions 109

Part II Protecting the Network Infrastructure

Chapter 3 Network Foundation Protection and Cisco Configuration Professional 111

Threats Against the Network Infrastructure 112

Cisco NFP Framework 114

Control Plane Security 118

CoPP 119

CPPr 119

Traffic Classes 120

Routing Protocol Integrity 121

Cisco AutoSecure 122

Management Plane Security 123

Secure Management and Reporting 124

Role-Based Access Control 126

Deploying AAA 127

Data Plane Security 128

Access Control List Filtering 128

Cisco Configuration Professional 131

CCP Initial Configuration 133

Cisco Configuration Professional User Interface and Features 136

Menu Bar 136

Toolbar 138

Navigation Pane 138

Content Pane 142

Status Bar 142

Cisco Configuration Professional Building Blocks 142

Communities 142

Creating Communities 143

Managing Communities 144

Templates 145

User Profiles 147

Using CCP to Harden Cisco IOS Devices 148

Security Audit 149

One-Step Lockdown 152

Cisco IOS AutoSecure 152

Summary 154

References 155

Review Questions 155

Chapter 4 Securing the Management Plane on Cisco IOS Devices and AAA 159

Configuring Secure Administration Access 159

Configuring an SSH Daemon for Secure Management Access 161

Configuring Passwords on Cisco IOS Devices 163

Setting Timeouts for Router Lines 164

Configuring the Minimum Length for Router Passwords 165

Enhanced Username Password Security 166

Securing ROM Monitor 167

Securing the Cisco IOS Image and Configuration Files 168

Configuring Multiple Privilege Levels 170

Configuring Role-Based Command-Line Interface Access 171

Implementing Secure Management and Reporting 174

Planning Considerations for Secure Management and Reporting 175

Secure Management and Reporting Architecture 176

Secure Management and Reporting Guidelines 176

Enabling Time Features 176

Network Time Protocol 177

Using Syslog Logging for Network Security 178

Implementing Log Messaging for Security 179

Using SNMP to Manage Network Devices 182

SNMPv3 Architecture 183

Enabling SNMP Options Using Cisco CCP 185

Configuring AAA on a Cisco Router 186

Authentication, Authorization, and Accounting 186

Authenticating Router Access 188

Configuring AAA Authentication and Method Lists 190

Configuring AAA on a Cisco Router Using the Local Database 191

Configuring AAA Local Authentication 192

AAA on a Cisco Router Using Cisco Secure ACS 198

Cisco Secure ACS Overview 198

Cisco Identity Services Engine 204

TACACS+ and RADIUS Protocols 205



Comparing TACACS+ and RADIUS 206

AAA on a Cisco Router Using an External Database 208

Configuration Steps for AAA Using an External Database 208

AAA Servers and Groups 208

AAA Authentication Method Lists 210

AAA Authorization Policies 211

AAA Accounting Policies 213

AAA Configuration for TACACS+ Example 215

Troubleshooting TACACS+ 216

Deploying and Configuring Cisco Secure ACS 218

Evolution of Authorization 219

Before: Group-Based Policies 219

Now: More Than Just Identities 220

Rule-Based Policies 222

Configuring Cisco Secure ACS 5.2 223

Configuring Authorization Policies for Device Administration 224

Summary 230

References 230

Review Questions 231

Chapter 5 Securing the Data Plane on Cisco Catalyst Switches 233

Overview of VLANs and Trunking 234

Trunking and 802.1Q 235

802.1Q Tagging 236

Native VLANs 237

Configuring VLANs and Trunks 237

Step 1: Configuring and Verifying 802.1Q Trunks 238

Step 2: Creating a VLAN 240

Step 3: Assigning Switch Ports to a VLAN 242

Step 4: Configuring Inter-VLAN Routing 243

Spanning Tree Overview 244

STP Fundamentals 245

Verifying RSTP and PVRST+ 248

Mitigating Layer 2 Attacks 249

Basic Switch Operation 249

Layer 2 Best Practices 250

Layer 2 Protection Toolkit 250

Mitigating VLAN Attacks 251

VLAN Hopping 251

Mitigating Spanning Tree Attacks 254

PortFast 255

Mitigating CAM Table Overflow Attacks 259

Mitigating MAC Address Spoofing Attacks 260

Using Port Security 261

Errdisable Recovery 263

Summary 270

References 271

Review Questions 271

Chapter 6 Securing the Data Plane in IPv6 Environments 275

The Need for IPv6 275

IPv6 Features and Enhancements 278

IPv6 Headers 279

Stateless Address Autoconfiguration 280

Internet Control Message Protocol Version 6 281

IPv6 General Features 282

Transition to IPv6 283

IPv6 Addressing 285

IPv6 Address Representation 285

IPv6 Address Types 286

IPv6 Unicast Addressing 286

Assigning IPv6 Global Unicast Addresses 291

Manual Interface Assignment 291

EUI-64 Interface ID Assignment 291

Stateless Autoconfiguration 292

DHCPv6 (Stateful) 292

IPv6 EUI-64 Interface Identifier 292

IPv6 and Cisco Routers 293

IPv6 Address Configuration Example 294

Routing Considerations for IPv6 294

Revisiting Threats: Considerations for IPv6 295

Examples of Possible IPv6 Attacks 298

Recommended Practices 300

Summary 301

References 301

Review Questions 302

Part III Threat Control and Containment

Chapter 7 Planning a Threat Control Strategy 305

Threats Revisited 305

Trends in Network Security Threats 306

Threat Mitigation and Containment: Design Fundamentals 307

Threat Control Design Guidelines 308

Application Layer Visibility 309

Distributed Security Intelligence 309

Security Intelligence Analysis 310

Integrated Threat Control Strategy 311

Cisco Threat Control and Containment Categories 311

Integrated Approach to Threat Control 312

Application Awareness 313

Application-Specific Gateways 313

Security Management 313

Cisco Security Intelligence Operations Site 313

Cisco Threat Control and Containment Solutions Fundamentals 314

Cisco Security Appliances 314

Cisco IPSs 316

Summary 317

References 318

Review Questions 318

Chapter 8 Access Control Lists for Threat Mitigation 319

ACL Fundamentals 320

Types of IP ACLs 324

ACL Wildcard Masking and VLSM Review 325

Subnetting Overview 326

Subnetting Example: Class C 326

Subnetting Example 327

Variable-Length Subnet Masking 328

A Working VLSM Example 329

ACL Wildcard Bits 331

Example: Wildcard Masking Process for IP Subnets 332

Example: Wildcard Masking Process with a Single IP Address 333

Example: Wildcard Masking Process with a Match Any IP Address 334

Using ACLs to Control Traffic 335

Example: Numbered Standard IPv4 ACLDeny a Specific Subnet 336

Numbered Extended IPv4 ACL 338

Displaying ACLs 342

Enhancing ACLs with Object Groups 343

ACL Considerations 345

Configuring ACLs for Threat Control Using Cisco Configuration Professional 347

Rules in Cisco Configuration Professional 347

Working with ACLs in CCP 348

ACL Editor 349

Adding Rules 350

Associating Rules with Interfaces 352

Enabling Logging with CCP 354

Monitoring ACLs with CCP 356

Configuring an Object Group with CCP 357

Using ACLs in IPv6 Environments 360

Summary 363

References 364

Review Questions 364

Chapter 9 Firewall Fundamentals and Network Address Translation 367

Introducing Firewall Technologies 367

Firewall Fundamentals 367

Firewalls in a Layered Defense Strategy 370

Static Packet-Filtering Firewalls 372

Application Layer Gateways 374

Dynamic or Stateful Packet-Filtering Firewalls 378

Other Types of Firewalls 382

Application Inspection Firewalls, aka Deep Packet Inspection 382

Transparent Firewalls (Layer 2 Firewalls) 383

NAT Fundamentals 384

Example of Translating an Inside Source Address 387

NAT Deployment Choices 389

Firewall Designs 390

Firewall Policies in a Layered Defense Strategy 391

Firewall Rules Design Guidelines 392

Summary 394

References 394

Review Questions 394

Chapter 10 Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA 397

Cisco Firewall Solutions 398

Cisco IOS Zone-Based Policy Firewall 398

Zone-Based Policy Firewall Overview 398

Zones and Zone Pairs 402

Self Zone 402

Zone-Based Topology Examples 403

Introduction to Cisco Common Classification Policy Language 403

Zone-Based Policy Firewall Actions 407

Service Policy Zone Pair Assignments 408

Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction 408

Zone-Based Policy Firewall: Rules for Router Traffic 409

Configuring Basic Interzone Policies Using CCP and the CLI 411

Step 1: Start the Basic Firewall Wizard 412

Step 2: Select Trusted and Untrusted Interfaces 413

Step 3: Review and Verify the Resulting Policies 416

Verifying and Tuning the Configuration 416

Step 4: Enabling Logging 417

Step 5: Verifying Firewall Status and Activity 419

Step 6: Modifying Zone-Based Firewall Configuration Objects 420

Step 7: Verifying the Configuration Using the CLI 421

Configuring NAT Services for Zone-Based Firewalls 422

Step 1: Run the Basic NAT Wizard 423

Step 2: Select NAT Inside and Outside Interfaces 424

Step 3: Verify NAT with CCP and the CLI 426

Cisco ASA Firewall 427

Stateful Packet Filtering and Application Awareness 427

Network Services Offered by the Cisco ASA 5500 Series 428

Network Address Translation 428

Additional Network Services 431

Cisco ASA Security Technologies 431

Cisco ASA Configuration Fundamentals 432

Cisco ASA 5505 435

Cisco ASDM 436

Preparing the Cisco ASA 5505 for ASDM 437

Cisco ASDM Features and Menus 438

Cisco Modular Policy Framework 443

Class Map: Identifying Traffic on Which a Policy Will Be Enforced 443

Policy Map: Configuring the Action That Will Be Applied to the Traffic 444

Service Policy: Activating the Policy 444

Cisco ASA Modular Policy Framework: Simple Example 445

Basic Outbound Access Control on Cisco ASA Using Cisco ASDM 446

Scenario Configuration Steps Using Cisco ASDM 446

Summary 461

References 462 Resources 462

Other Resources 462

CCP and ASDM Demo Mode Tutorials 462

Review Questions 463

Chapter 11 Intrusion Prevention Systems 467

IPS Fundamentals 467

Introducing IDS and IPS 467

So, IDS or IPS? Why Not Both? 473

Alarm Types 474

Intrusion Prevention Technologies 475

Signature-Based IDS/IPS 476

Policy-Based IDS/IPS 477

Anomaly-Based IDS/IPS 477

Reputation-Based IPS 478

IPS Attack Responses 478

IPS Anti-Evasion Techniques 480

Risk-Based Intrusion Prevention 482

IPv6-Aware IPS 484

Alarms 484

IPS Alarms: Event Monitoring and Management 485

Global Correlation 486

IPS Deployment 488

Cisco IPS Offerings 490

IPS Best Practices 492

Cisco IPS Architecture 494

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020