Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide
Catherine Paquet
- Publisher: Cisco Press
- Year of publication: 2012
- ISBN: 9781587142727
- Number of pages: 704
- Binding: Hardcover
Unavailable
Description: Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide - Catherine Paquet
Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition
Foundation learning for the CCNA Security IINS 640-554 exam

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is a Cisco-authorized, self-paced learning tool for CCNA(R) Security 640-554 foundation learning. This book provides you with the knowledge needed to secure Cisco(R) networks. By reading this book, you will gain a thorough understanding of how to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

This book focuses on using Cisco IOS routers to protect the network by capitalizing on their advanced features as a perimeter router, firewall, intrusion prevention system, and site-to-site VPN device. The book also covers the use of Cisco Catalyst switches for basic network security, the Cisco Secure Access Control System (ACS), and the Cisco Adaptive Security Appliance (ASA). You learn how to perform basic tasks to secure a small branch office network using Cisco IOS security features available through web-based GUIs (Cisco Configuration Professional) and the CLI on Cisco routers, switches, and ASAs. Whether you are preparing for CCNA Security certification or simply want to gain a better understanding of Cisco IOS security fundamentals, you will benefit from the information provided in this book.

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

- Develop a comprehensive network security policy to counter threats against information security
- Secure borderless networks
- Learn how to use Cisco IOS Network Foundation Protection (NFP) and Cisco Configuration Professional (CCP)
- Securely implement the management and reporting features of Cisco IOS devices
- Deploy Cisco Catalyst Switch security features
- Understand IPv6 security features
- Plan threat control strategies
- Filter traffic with access control lists
- Configure ASA and Cisco IOS zone-based firewalls
- Implement intrusion prevention systems (IPS) and network address translation (NAT)
- Secure connectivity with site-to-site IPsec VPNs and remote access VPNs

This volume is in the Foundation Learning Guide Series offered by Cisco Press(R). These guides are developed together with Cisco as the only authorized, self-paced learning tools that help networking professionals build their understanding of networking concepts and prepare for Cisco certification exams.
Category: Cisco Certification
Covers: CCNA Security IINS exam 640-554
Table of Contents:
- Introduction xxviii
- Part I Networking Security Fundamentals
- Chapter 1 Network Security Concepts and Policies 1: Building Blocks of Information Security 2; Basic Security Assumptions 2; Basic Security Requirements 2; Data, Vulnerabilities, and Countermeasures 3; Data Classification 4; Vulnerabilities Classifications 7; Countermeasures Classification 8; Need for Network Security 12; Intent Evolution 13; Threat Evolution 14; Trends Affecting Network Security 16; Adversaries, Methodologies, and Classes of Attack 19; Adversaries 20; Methodologies 21; Threats Classification 23; Man-in-the-Middle Attacks 32; Overt and Covert Channels 33; Botnets 37; DoS and DDoS Attacks 37; Principles of Secure Network Design 39; Defense in Depth 41; Evaluating and Managing the Risk 42; Levels of Risks 43; Risk Analysis and Management 44; Risk Analysis 44; Building Blocks of Risk Analysis 47; A Lifecycle Approach to Risk Management 49; Regulatory Compliance 50; Security Policies 53; Security Policy Components 55; Governing Policy 56; End-User Policies 57; Technical Policies 57; Standards, Guidelines, and Procedures 59; Security Policy Roles and Responsibilities 61; Security Awareness 62; Secure Network Lifecycle Management 63; IT Governance, Risk Management, and Compliance 64; Secure Network Life Cycle 64; Initiation Phase 65; Acquisition and Development Phase 65; Implementation Phase 66; Operations and Maintenance Phase 67; Disposition Phase 67; Models and Frameworks 67; Network Security Posture 69; Network Security Testing 70; Security Testing Techniques 70; Common Testing Tools 71; Incident Response 72; Incident Management 73; Computer Crime Investigations 74; Laws and Ethics 75; Liability 76; Disaster Recovery and Business Continuity Planning 77; Business Continuity Concepts 78; Summary 79; References 79; Publications 79; Web Resources 80; Review Questions 80
- Chapter 2 Security Strategy and Cisco Borderless Network 85: Borderless Networks 85; Cisco Borderless Network Security Architecture 86; Borderless End Zone 88; Borderless Internet 89; Borderless Data Center 90; Policy Management Layer 91; Borderless Network Services 91; Borderless Security Products 92; SecureX, a Context-Aware Security Approach 93; SecureX Core Components 94; Threat Control and Containment 98; Cisco Security Intelligence Operation 99; Cloud Security, Content Security, and Data Loss Prevention 100; Content Security 101; Data Loss Prevention 101; Cloud-Based Security 101; Web Security 101; Email Security 104; Secure Connectivity Through VPNs 105; Security Management 106; Cisco Security Manager 107; Summary 108; References 108; Review Questions 109
- Part II Protecting the Network Infrastructure
- Chapter 3 Network Foundation Protection and Cisco Configuration Professional 111: Threats Against the Network Infrastructure 112; Cisco NFP Framework 114; Control Plane Security 118; CoPP 119; CPPr 119; Traffic Classes 120; Routing Protocol Integrity 121; Cisco AutoSecure 122; Management Plane Security 123; Secure Management and Reporting 124; Role-Based Access Control 126; Deploying AAA 127; Data Plane Security 128; Access Control List Filtering 128; Cisco Configuration Professional 131; CCP Initial Configuration 133; Cisco Configuration Professional User Interface and Features 136; Menu Bar 136; Toolbar 138; Navigation Pane 138; Content Pane 142; Status Bar 142; Cisco Configuration Professional Building Blocks 142; Communities 142; Creating Communities 143; Managing Communities 144; Templates 145; User Profiles 147; Using CCP to Harden Cisco IOS Devices 148; Security Audit 149; One-Step Lockdown 152; Cisco IOS AutoSecure 152; Summary 154; References 155; Review Questions 155
- Chapter 4 Securing the Management Plane on Cisco IOS Devices and AAA 159: Configuring Secure Administration Access 159; Configuring an SSH Daemon for Secure Management Access 161; Configuring Passwords on Cisco IOS Devices 163; Setting Timeouts for Router Lines 164; Configuring the Minimum Length for Router Passwords 165; Enhanced Username Password Security 166; Securing ROM Monitor 167; Securing the Cisco IOS Image and Configuration Files 168; Configuring Multiple Privilege Levels 170; Configuring Role-Based Command-Line Interface Access 171; Implementing Secure Management and Reporting 174; Planning Considerations for Secure Management and Reporting 175; Secure Management and Reporting Architecture 176; Secure Management and Reporting Guidelines 176; Enabling Time Features 176; Network Time Protocol 177; Using Syslog Logging for Network Security 178; Implementing Log Messaging for Security 179; Using SNMP to Manage Network Devices 182; SNMPv3 Architecture 183; Enabling SNMP Options Using Cisco CCP 185; Configuring AAA on a Cisco Router 186; Authentication, Authorization, and Accounting 186; Authenticating Router Access 188; Configuring AAA Authentication and Method Lists 190; Configuring AAA on a Cisco Router Using the Local Database 191; Configuring AAA Local Authentication 192; AAA on a Cisco Router Using Cisco Secure ACS 198; Cisco Secure ACS Overview 198; Cisco Identity Services Engine 204; TACACS+ and RADIUS Protocols 205; TACACS+ 205; RADIUS 206; Comparing TACACS+ and RADIUS 206; AAA on a Cisco Router Using an External Database 208; Configuration Steps for AAA Using an External Database 208; AAA Servers and Groups 208; AAA Authentication Method Lists 210; AAA Authorization Policies 211; AAA Accounting Policies 213; AAA Configuration for TACACS+ Example 215; Troubleshooting TACACS+ 216; Deploying and Configuring Cisco Secure ACS 218; Evolution of Authorization 219; Before: Group-Based Policies 219; Now: More Than Just Identities 220; Rule-Based Policies 222; Configuring Cisco Secure ACS 5.2 223; Configuring Authorization Policies for Device Administration 224; Summary 230; References 230; Review Questions 231
- Chapter 5 Securing the Data Plane on Cisco Catalyst Switches 233: Overview of VLANs and Trunking 234; Trunking and 802.1Q 235; 802.1Q Tagging 236; Native VLANs 237; Configuring VLANs and Trunks 237; Step 1: Configuring and Verifying 802.1Q Trunks 238; Step 2: Creating a VLAN 240; Step 3: Assigning Switch Ports to a VLAN 242; Step 4: Configuring Inter-VLAN Routing 243; Spanning Tree Overview 244; STP Fundamentals 245; Verifying RSTP and PVRST+ 248; Mitigating Layer 2 Attacks 249; Basic Switch Operation 249; Layer 2 Best Practices 250; Layer 2 Protection Toolkit 250; Mitigating VLAN Attacks 251; VLAN Hopping 251; Mitigating Spanning Tree Attacks 254; PortFast 255; Mitigating CAM Table Overflow Attacks 259; Mitigating MAC Address Spoofing Attacks 260; Using Port Security 261; Errdisable Recovery 263; Summary 270; References 271; Review Questions 271
- Chapter 6 Securing the Data Plane in IPv6 Environments 275: The Need for IPv6 275; IPv6 Features and Enhancements 278; IPv6 Headers 279; Stateless Address Autoconfiguration 280; Internet Control Message Protocol Version 6 281; IPv6 General Features 282; Transition to IPv6 283; IPv6 Addressing 285; IPv6 Address Representation 285; IPv6 Address Types 286; IPv6 Unicast Addressing 286; Assigning IPv6 Global Unicast Addresses 291; Manual Interface Assignment 291; EUI-64 Interface ID Assignment 291; Stateless Autoconfiguration 292; DHCPv6 (Stateful) 292; IPv6 EUI-64 Interface Identifier 292; IPv6 and Cisco Routers 293; IPv6 Address Configuration Example 294; Routing Considerations for IPv6 294; Revisiting Threats: Considerations for IPv6 295; Examples of Possible IPv6 Attacks 298; Recommended Practices 300; Summary 301; References 301; Review Questions 302
- Part III Threat Control and Containment
- Chapter 7 Planning a Threat Control Strategy 305: Threats Revisited 305; Trends in Network Security Threats 306; Threat Mitigation and Containment: Design Fundamentals 307; Threat Control Design Guidelines 308; Application Layer Visibility 309; Distributed Security Intelligence 309; Security Intelligence Analysis 310; Integrated Threat Control Strategy 311; Cisco Threat Control and Containment Categories 311; Integrated Approach to Threat Control 312; Application Awareness 313; Application-Specific Gateways 313; Security Management 313; Cisco Security Intelligence Operations Site 313; Cisco Threat Control and Containment Solutions Fundamentals 314; Cisco Security Appliances 314; Cisco IPSs 316; Summary 317; References 318; Review Questions 318
- Chapter 8 Access Control Lists for Threat Mitigation 319: ACL Fundamentals 320; Types of IP ACLs 324; ACL Wildcard Masking and VLSM Review 325; Subnetting Overview 326; Subnetting Example: Class C 326; Subnetting Example 327; Variable-Length Subnet Masking 328; A Working VLSM Example 329; ACL Wildcard Bits 331; Example: Wildcard Masking Process for IP Subnets 332; Example: Wildcard Masking Process with a Single IP Address 333; Example: Wildcard Masking Process with a Match Any IP Address 334; Using ACLs to Control Traffic 335; Example: Numbered Standard IPv4 ACL-Deny a Specific Subnet 336; Numbered Extended IPv4 ACL 338; Displaying ACLs 342; Enhancing ACLs with Object Groups 343; ACL Considerations 345; Configuring ACLs for Threat Control Using Cisco Configuration Professional 347; Rules in Cisco Configuration Professional 347; Working with ACLs in CCP 348; ACL Editor 349; Adding Rules 350; Associating Rules with Interfaces 352; Enabling Logging with CCP 354; Monitoring ACLs with CCP 356; Configuring an Object Group with CCP 357; Using ACLs in IPv6 Environments 360; Summary 363; References 364; Review Questions 364
- Chapter 9 Firewall Fundamentals and Network Address Translation 367: Introducing Firewall Technologies 367; Firewall Fundamentals 367; Firewalls in a Layered Defense Strategy 370; Static Packet-Filtering Firewalls 372; Application Layer Gateways 374; Dynamic or Stateful Packet-Filtering Firewalls 378; Other Types of Firewalls 382; Application Inspection Firewalls, aka Deep Packet Inspection 382; Transparent Firewalls (Layer 2 Firewalls) 383; NAT Fundamentals 384; Example of Translating an Inside Source Address 387; NAT Deployment Choices 389; Firewall Designs 390; Firewall Policies in a Layered Defense Strategy 391; Firewall Rules Design Guidelines 392; Summary 394; References 394; Review Questions 394
- Chapter 10 Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA 397: Cisco Firewall Solutions 398; Cisco IOS Zone-Based Policy Firewall 398; Zone-Based Policy Firewall Overview 398; Zones and Zone Pairs 402; Self Zone 402; Zone-Based Topology Examples 403; Introduction to Cisco Common Classification Policy Language 403; Zone-Based Policy Firewall Actions 407; Service Policy Zone Pair Assignments 408; Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction 408; Zone-Based Policy Firewall: Rules for Router Traffic 409; Configuring Basic Interzone Policies Using CCP and the CLI 411; Step 1: Start the Basic Firewall Wizard 412; Step 2: Select Trusted and Untrusted Interfaces 413; Step 3: Review and Verify the Resulting Policies 416; Verifying and Tuning the Configuration 416; Step 4: Enabling Logging 417; Step 5: Verifying Firewall Status and Activity 419; Step 6: Modifying Zone-Based Firewall Configuration Objects 420; Step 7: Verifying the Configuration Using the CLI 421; Configuring NAT Services for Zone-Based Firewalls 422; Step 1: Run the Basic NAT Wizard 423; Step 2: Select NAT Inside and Outside Interfaces 424; Step 3: Verify NAT with CCP and the CLI 426; Cisco ASA Firewall 427; Stateful Packet Filtering and Application Awareness 427; Network Services Offered by the Cisco ASA 5500 Series 428; Network Address Translation 428; Additional Network Services 431; Cisco ASA Security Technologies 431; Cisco ASA Configuration Fundamentals 432; Cisco ASA 5505 435; Cisco ASDM 436; Preparing the Cisco ASA 5505 for ASDM 437; Cisco ASDM Features and Menus 438; Cisco Modular Policy Framework 443; Class Map: Identifying Traffic on Which a Policy Will Be Enforced 443; Policy Map: Configuring the Action That Will Be Applied to the Traffic 444; Service Policy: Activating the Policy 444; Cisco ASA Modular Policy Framework: Simple Example 445; Basic Outbound Access Control on Cisco ASA Using Cisco ASDM 446; Scenario Configuration Steps Using Cisco ASDM 446; Summary 461; References 462; Cisco.com Resources 462; Other Resources 462; CCP and ASDM Demo Mode Tutorials 462; Review Questions 463
- Chapter 11 Intrusion Prevention Systems 467: IPS Fundamentals 467; Introducing IDS and IPS 467; So, IDS or IPS? Why Not Both? 473; Alarm Types 474; Intrusion Prevention Technologies 475; Signature-Based IDS/IPS 476; Policy-Based IDS/IPS 477; Anomaly-Based IDS/IPS 477; Reputation-Based IPS 478; IPS Attack Responses 478; IPS Anti-Evasion Techniques 480; Risk-Based Intrusion Prevention 482; IPv6-Aware IPS 484; Alarms 484; IPS Alarms: Event Monitoring and Management 485; Global Correlation 486; IPS Deployment 488; Cisco IPS Offerings 490; IPS Best Practices 492; Cisco IPS Architecture 494; Cisco IOS IPS 495; Cisco IOS IPS Features 495; Scenario: Protecting the Branch Office Against Inside Attack 497; Signatures 497; Signature Files 498; Signature Management 500; Examining Signature Microengines 500; Signature Tuning 502; Optimal Signature Set 504; Monitoring IPS Alarms and Event Management 505; Configuring Cisco IOS IPS Using Cisco Configuration Professional 507; Step 1: Download Cisco IOS IPS Signature Package 508; Step 2: Launch IPS Policies Wizard 509; Step 3: Verify Configuration and Signature Files 515; Step 4: Perform Signature Tuning 517; Step 5: Verify Alarms 521; Configuring Cisco IOS IPS Using the CLI 524; Summary 529; References 530; Cisco.com Resources 530; General IDS/IPS Resource 530; Review Questions 530
- Part IV Secure Connectivity
- Chapter 12 Fundamentals of Cryptography and VPN Technologies 533: VPN Overview 534; VPN Types 535; Site-to-Site VPNs 536; Remote-Access VPNs 537; Examining Cryptographic Services 538; Cryptology Overview 538; The History of Cryptography 540; Ciphers 540; Block and Stream Ciphers 547; Block Ciphers 547; Stream Ciphers 548; The Process of Encryption 549; Encryption Application Examples 550; Cryptanalysis 551; Desirable Encryption Algorithm Features 554; Key Management 555; Key Management Components 555; Keyspaces 556; Key Length Issues 556; Example of the Impact of Key Length 557; Symmetric and Asymmetric Encryption Overview 557; Symmetric Encryption Algorithms 558; Comparing Symmetric Encryption Algorithms 560; DES Modes of Operation 561; DES Security Guidelines 561; The Rijndael Cipher 563; AES Versus 3DES 564; Asymmetric Encryption Algorithms 565; Public Key Confidentiality 566; Encryption Algorithm Selection 567; Cryptographic Hashes and Digital Signatures 568; Hashing Algorithms 571; MD5 572; SHA-1 572; SHA-2 573; Hashed Message Authentication Codes 573; Overview of Digital Signatures 575; Digital Signatures = Encrypted Message Digest 578; Diffie-Hellman 579; Diffie-Hellman Example 581; Cryptographic Processes in VPNs 582; Asymmetric Encryption: Digital Signatures 583; Asymmetric Encryption Overview 583; Public Key Authentication 584; RSA and Digital Signatures 585; Public Key Infrastructure 587; PKI Terminology and Components 589; Certificate Classes 590; Certificate Authorities 590; PKI Standards 593; Certificate Revocation 599; Certificate Use 600; Digital Certificates and CAs 601; Summary 602; References 603; Books and Articles 603; Standards 603; Encryption Regulations 603; Review Questions 604
- Chapter 13 IPsec Fundamentals 609: IPsec Framework 609; Suite B Cryptographic Standard 611; Encryption Algorithms 612; Key Exchange: Diffie-Hellman 613; Data Integrity 614; Authentication 615; IPsec Protocol 616; Authentication Header 618; Encapsulating Security Payload 619; IPsec Modes of Operations 620; Transport Mode 621; Tunnel Mode 621; IKE Protocol 622; IKEv1 Modes 624; IKEv1 Phases 625; IKEv1 Phase 1 625; IKEv1 Phase 1 Example 626; IKEv1 Phase 2 631; IKE Version 2 632; IKEv1 Versus IKEv2 633; IPv6 VPNs 635; IPsec Services for Transitioning to IPv6 636; Summary 637; References 637; Books 637; Cisco.com Resources 637; Review Questions 637
- Chapter 14 Site-to-Site IPsec VPNs with Cisco IOS Routers 641: Site-to-Site IPsec: Planning and Preparation 641; Site-to-Site IPsec VPN Operations 642; Planning and Preparation Checklist 643; Building Blocks of Site-to-Site IPsec 643; Interesting Traffic and Crypto ACLs 643; Mirrored Crypto ACLs 644; Cipher Suite 645; Crypto Map 646; Configuring a Site-to-Site IPsec VPN Using CCP 647; Initiating the VPN Wizard 647; VPN Connection Information 649; IKE Proposals 652; Transform Set 653; Traffic to Protect 654; Configuration Summary 656; Creating a Mirror Configuration for the Peer Site 657; Verifying the IPsec Configuration Using CCP and CLI 658; Verifying IPsec Configuration Using CLI 658; Verifying IKE Policy Using the CLI 659; Verifying IKE Phase 2 Policy Using the CLI 660; Verifying Crypto Maps Using the CLI 660; Monitoring Established IPsec VPN Connections 661; IKE Policy Negotiation 662; VPN Troubleshooting 662; Monitoring IKE Security Association 664; Monitoring IPsec Security Association 664; Summary 665; References 666; Review Questions 666
- Chapter 15 SSL VPNs with Cisco ASA 669: SSL VPNs in Borderless Networks 670; Cisco SSL VPN 671; SSL and TLS Protocol Framework 672; SSL and TLS 673; SSL Cryptography 674; SSL Tunnel Establishment 675; SSL Tunnel Establishment Example 676; Cisco SSL VPN Deployment Options and Considerations 679; Cisco SSL VPN Client: Full Network Access 681; SSL VPN on Cisco ASA in Clientless Mode 683; Clientless Configuration Scenario 683; Task 1: Launch the Clientless SSL VPN Wizard from ASDM 684; Task 2: Configure the SSL VPN Interface 684; Task 3: Configure User Authentication 686; Task 4: Configure User Group Policy 686; Task 5: Configure a Bookmark List 687; Task 6: Verify the Clientless SSL VPN Wizard Configuration 690; Log In to the VPN Portal: Clientless SSL VPN 690; SSL VPN on ASA Using the Cisco AnyConnect VPN Client 692; Cisco AnyConnect Configuration Scenario 693; Phase 1: Configure Cisco ASA for Cisco AnyConnect 693; Task 1: Connection Profile Identification 694; Task 2: VPN Protocols and Device Certificate 695; Task 3: Client Image 696; Task 4: Authentication Methods 697; Task 5: Client Address Assignment 698; Task 6: Network Name Resolution Servers 700; Task 7: Network Address Translation Exemption 700; Task 8: AnyConnect Client Deployment Summary 702; Phase 2: Configure the Cisco AnyConnect VPN Client 702; Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client 706; Verifying VPN Connectivity from Cisco ASA 706; Summary 707; References 708; Review Questions 708
- Appendix A Answers to Chapter Review Questions 711
Details: Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide - Catherine Paquet
Title: Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide
Author: Catherine Paquet
Publisher: Cisco Press
ISBN: 9781587142727
Year of publication: 2012
Number of pages: 704
Binding: Hardcover
Weight: 1.49 kg