CCNA Security Offical Exam Certification Guide, w. CD-ROM - For Exam 640-553

Ulteriori informazioni

This is Cisco's official, com

Sommario

Introduction xxv
Part I Fundamentals of Network Security
Chapter 1 Networking Security Concepts
“Do I Know This Already?” Quiz 5
Foundation Topics 8
Understanding Network and Information Security Basics 8
    Network Security Objectives 8
    Confidentiality, Integrity, and Availability 8
    Cost-Benefit Analysis of Security 9
    Classifying Assets 10
    Classifying Vulnerabilities 11
    Classifying Countermeasures 12
    What Do We Do with the Risk? 12
Recognizing Current Network Threats 13
    Potential Attackers 13
    Attack Methods 14
    Attack Vectors 15
    Man-in-the-Middle Attacks 15
    Other Miscellaneous Attack Methods 16
Applying Fundamental Security Principles to Network Design 17
    Guidelines 17
    How It All Fits Together 19
Exam Preparation Tasks 20
Review All the Key Topics 20
Complete the Tables and Lists from Memory 20
Define Key Terms 20
Chapter 2 Understanding Security Policies Using a Lifecycle Approach
“Do I Know This Already?” Quiz 23
Foundation Topics 25
Risk Analysis and Management 25
    Secure Network Lifecycle 25
    Risk Analysis Methods 25
    Security Posture Assessment 26
    An Approach to Risk Management 27
    Regulatory Compliance Affecting Risk 28
Security Policies 28
    Who, What, and Why 28
    Specific Types of Policies 29
    Standards, Procedures, and Guidelines 30
    Testing the Security Architecture 31
    Responding to an Incident on the Network 32
    Collecting Evidence 32
    Reasons for Not Being an Attacker 32
    Liability 33
    Disaster Recovery and Business Continuity Planning 33
Exam Preparation Tasks 34
Review All the Key Topics 34
Complete the Tables and Lists from Memory 34
Define Key Terms 34
Chapter 3 Building a Security Strategy
“Do I Know This Already?” Quiz 37
Foundation Topics 40
Securing Borderless Networks 40
    The Changing Nature of Networks 40
    Logical Boundaries 40
    SecureX and Context-Aware Security 42
Controlling and Containing Data Loss 42
    An Ounce of Prevention 42
    Secure Connectivity Using VPNs 43
    Secure Management 43
Exam Preparation Tasks 44
Review All the Key Topics 44
Complete the Tables and Lists from Memory 44
Define Key Terms 44
Part II Protecting the Network Infrastructure
Chapter 4 Network Foundation Protection
“Do I Know This Already?” Quiz 49
Foundation Topics 52
Using Network Foundation Protection to Secure Networks 52
    The Importance of the Network Infrastructure 52
    The Network Foundation Protection (NFP) Framework 52
    Interdependence 53
    Implementing NFP 53
Understanding the Management Plane 55
    First Things First 55
    Best Practices for Securing the Management Plane 55
Understanding the Control Plane 56
    Best Practices for Securing the Control Plane 56
Understanding the Data Plane 57
    Best Practices for Protecting the Data Plane 59
    Additional Data Plane Protection Mechanisms 59
Exam Preparation Tasks 60
Review All the Key Topics 60
Complete the Tables and Lists from Memory 60
Define Key Terms 60
Chapter 5 Using Cisco Configuration Professional to Protect the Network Infrastructure
“Do I Know This Already?” Quiz 63
Foundation Topics 65
Introducing Cisco Configuration Professional 65
Understanding CCP Features and the GUI 65
    The Menu Bar 66
    The Toolbar 67
    Left Navigation Pane 68
    Content Pane 69
    Status Bar 69
Setting Up New Devices 69
CCP Building Blocks 70
    Communities 70
    Templates 74
    User Profiles 78
CCP Audit Features 81
    One-Step Lockdown 84
    A Few Highlights 84
Exam Preparation Tasks 88
Review All the Key Topics 88
Complete the Tables and Lists from Memory 88
Define Key Terms 88
Command Reference to Check Your Memory 89
Chapter 6 Securing the Management Plane on Cisco IOS Devices
“Do I Know This Already?” Quiz 91
Foundation Topics 94
Securing Management Traffic 94
    What Is Management Traffic and the Management Plane? 94
    Beyond the Blue Rollover Cable 94
    Management Plane Best Practices 95
    Password Recommendations 97
    Using AAA to Verify Users 97
        AAA Components 98
        Options for Storing Usernames, Passwords, and Access Rules 98
        Authorizing VPN Users 99
        Router Access Authentication 100
        The AAA Method List 101
    Role-Based Access Control 102
        Custom Privilege Levels 103
        Limiting the Administrator by Assigning a View 103
    Encrypted Management Protocols 103
    Using Logging Files 104
    Understanding NTP 105
    Protecting Cisco IOS Files 106
Implement Security Measures to Protect the Management Plane 106
    Implementing Strong Passwords 106
    User Authentication with AAA 108
    Using the CLI to Troubleshoot AAA for Cisco Routers 113
    RBAC Privilege Level/Parser View 118
    Implementing Parser Views 120
    SSH and HTTPS 122
    Implementing Logging Features 125
        Configuring Syslog Support 125
    SNMP Features 128
    Configuring NTP 131
    Securing the Cisco IOS Image and Configuration Files 133
Exam Preparation Tasks 134
Review All the Key Topics 134
Complete the Tables and Lists from Memory 135
Define Key Terms 135
Command Reference to Check Your Memory 135
Chapter 7 Implementing AAA Using IOS and the ACS Server
“Do I Know This Already?” Quiz 137
Foundation Topics 140
Cisco Secure ACS, RADIUS, and TACACS 140
    Why Use Cisco ACS? 140
    What Platform Does ACS Run On? 141
    What Is ISE? 141
    Protocols Used Between the ACS and the Router 141
    Protocol Choices Between the ACS Server and the Client (the Router) 142
Configuring Routers to Interoperate with an ACS Server 143
Configuring the ACS Server to Interoperate with a Router 154
Verifying and Troubleshooting Router-to-ACS Server Interactions 164
Exam Preparation Tasks 171
Review All the Key Topics 171
Complete the Tables and Lists from Memory 171
Define Key Terms 171
Command Reference to Check Your Memory 172
Chapter 8 Securing Layer 2 Technologies
“Do I Know This Already?” Quiz 175
Foundation Topics 178
VLAN and Trunking Fundamentals 178
    What Is a VLAN? 178
    Trunking with 802.1Q 180
    Following the Frame, Step by Step 181
    The Native VLAN on a Trunk 181
    So, What Do You Want to Be? (Says the Port) 182
    Inter-VLAN Routing 182
    The Challenge of Using Physical Interfaces Only 182
    Using Virtual “Sub” Interfaces 182
Spanning-Tree Fundamentals 183
    Loops in Networks Are Usually Bad 184
    The Life of a Loop 184
    The Solution to the Layer 2 Loop 184
    STP Is Wary of New Ports 187
    Improving the Time Until Forwarding 187
Common Layer 2 Threats and How to Mitigate Them 188
    Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too 188
    Layer 2 Best Practices 189
    Do Not Allow Negotiations 190
    Layer 2 Security Toolkit 190
    Specific Layer 2 Mitigation for CCNA Security 191
        BPDU Guard 191
        Root Guard 192
        Port Security 192
Exam Preparation Tasks 195
Review All the Key Topics 195
Complete the Tables and Lists from Memory 195
Review the Port Security Video Included with This Book 196
Define Key Terms 196
Command Reference to Check Your Memory 196
Chapter 9 Securing the Data Plane in IPv6
“Do I Know This Already?” Quiz 199
Foundation Topics 202
Understanding and Configuring IPv6 202
    Why IPv6? 202
    The Format of an IPv6 Address 203
        Understanding the Shortcuts 205
        Did We Get an Extra Address? 205
        IPv6 Address Types 206
Configuring IPv6 Routing 208
    Moving to IPv6 210
Developing a Security Plan for IPv6 210
    Best Practices Common to Both IPv4 and IPv6 210
    Threats Common to Both IPv4 and IPv6 212
    The Focus on IPv6 Security 213
    New Potential Risks with IPv6 213
    IPv6 Best Practices 214
Exam Preparation Tasks 216
Review All the Key Topics 216
Complete the Tables and Lists from Memory 216
Define Key Terms 217
Command Reference to Check Your Memory 217
Part III Mitigating and Controlling Threats
Chapter 10 Planning a Threat Control Strategy
“Do I Know This Already?” Quiz 221
Foundation Topics 224
Designing Threat Mitigation and Containment 224
    The Opportunity for the Attacker Is Real 224
    Many Potential Risks 224
    The Biggest Risk of All 224
    Where Do We Go from Here? 225
Securing a Network via Hardware/Software/Services 226
    Switches 227
    Routers 228
    ASA Firewall 230
    Other Systems and Services 231
Exam Preparation Tasks 232
Review All the Key Topics 232
Complete the Tables and Lists from Memory 232
Define Key Terms 232
Chapter 11 Using Access Control Lists for Threat Mitigation
“Do I Know This Already?” Quiz 235
Foundation Topics 238
Access Control List Fundamentals and Benefits 238
    Access Lists Aren't Just for Breakfast Anymore 238
    Stopping Malicious Traffic with an Access List 239
    What Can We Protect Against? 240
    The Logic in a Packet-Filtering ACL 241
    Standard and Extended Access Lists 242
    Line Numbers Inside an Access List 243
    Wildcard Masks 244
    Object Groups 244
Implementing IPv4 ACLs as Packet Filters 244
    Putting the Policy in Place 244
    Monitoring the Access Lists 255
    To Log or Not to Log 257
Implementing IPv6 ACLs as Packet Filters 259
Exam Preparation Tasks 263
Review All the Key Topics 263
Complete the Tables and Lists from Memory 263
Review the NAT Video Included with This Book 263
Define Key Terms 264
Command Reference to Check Your Memory 264
Chapter 12 Understanding Firewall Fundamentals
“Do I Know This Already?” Quiz 267
Foundation Topics 270
Firewall Concepts and Technologies 270
    Firewall Technologies 270
    Objectives of a Good Firewall 270
    Firewall Justifications 271
    The Defense-in-Depth Approach 272
    Five Basic Firewall Methodologies 273
        Static Packet Filtering 274
        Application Layer Gateway 275
        Stateful Packet Filtering 276
        Application Inspection 277
        Transparent Firewalls 277
Using Network Address Translation 278
    NAT Is About Hiding or Changing the Truth About Source Addresses 278
    Inside, Outside, Local, Global 279
    Port Address Translation 280
    NAT Options 281
Creating and Deploying Firewalls 283
    Firewall Technologies 283
    Firewall Design Considerations 283
    Firewall Access Rules 284
    Packet-Filtering Access Rule Structure 285
    Firewall Rule Design Guidelines 285
    Rule Implementation Consistency 286
Exam Preparation Tasks 288
Review All the Key Topics 288
Complete the Tables and Lists from Memory 288
Define Key Terms 288
Chapter 13 Implementing Cisco IOS Zone-Based Firewalls
“Do I Know This Already?” Quiz 291
Foundation Topics 294
Cisco IOS Zone-Based Firewall 294
    How Zone-Based Firewall Operates 294
    Specific Features of Zone-Based Firewalls 294
    Zones and Why We Need Pairs of Them 295
    Putting the Pieces Together 296
    Service Policies 297
    The Self Zone 300
Configuring and Verifying Cisco IOS Zone-Based Firewall 300
    First Things First 301
    Using CCP to Configure the Firewall 301
    Verifying the Firewall 314
    Verifying the Configuration from the Command Line 315
    Implementing NAT in Addition to ZBF 319
    Verifying Whether NAT Is Working 322
Exam Preparation Tasks 324
Review All the Key Topics 324
Review the Video Bonus Material 324
Complete the Tables and Lists from Memory 324
Define Key Terms 325
Command Reference to Check Your Memory 325
Chapter 14 Configuring Basic Firewall Policies on Cisco ASA
“Do I Know This Already?” Quiz 327
Foundation Topics 330
The ASA Appliance Family and Features 330
    Meet the ASA Family 330
    ASA Features and Services 331
ASA Firewall Fundamentals 333
    ASA Security Levels 333
    The Default Flow of Traffic 335
    Tools to Manage the ASA 336
    Initial Access 337
    Packet Filtering on the ASA 337
    Implementing a Packet-Filtering ACL 338
    Modular Policy Framework 338
    Where to Apply a Policy 339
Configuring the ASA 340
    Beginning the Configuration 340
    Getting to the ASDM GUI 345
    Configuring the Interfaces 347
    IP Addresses for Clients 355
    Basic Routing to the Internet 356
    NAT and PAT 357
    Permitting Additional Access Through the Firewall 359
    Using Packet Tracer to Verify Which Packets Are Allowed 362
    Verifying the Policy of No Telnet 366
Exam Preparation Tasks 368
Review All the Key Topics 368
Complete the Tables and Lists from Memory 368
Define Key Terms 369
Command Reference to Check Your Memory 369
Chapter 15 Cisco IPS/IDS Fundamentals
“Do I Know This Already?” Quiz 371
Foundation Topics 374
IPS Versus IDS 374
    What Sensors Do 374
    Difference Between IPS and IDS 374
    Sensor Platforms 376
    True/False Negatives/Positives 376
    Positive/Negative Terminology 377
Identifying Malicious Traffic on the Network 377
    Signature-Based IPS/IDS 377
    Policy-Based IPS/IDS 378
    Anomaly-Based IPS/IDS 378
    Reputation-Based IPS/IDS 378
    When Sensors Detect Malicious Traffic 379
    Controlling Which Actions the Sensors Should Take 381
    Implementing Actions Based on the Risk Rating 382
    IPv6 and IPS 382
    Circumventing an IPS/IDS 382
Managing Signatures 384
    Signature or Severity Levels 384
Monitoring and Managing Alarms and Alerts 385
    Security Intelligence 385
    IPS/IDS Best Practices 386
Exam Preparation Tasks 387
Review All the Key Topics 387
Complete the Tables and Lists from Memory 387
Define Key Terms 387
Chapter 16 Implementing IOS-Based IPS
“Do I Know This Already?” Quiz 389
Foundation Topics 392
Understanding and Installing an IOS-Based IPS 392
    What Can IOS IPS Do? 392
    Installing the IOS IPS Feature 393
    Getting to the IPS Wizard 394
Working with Signatures in an IOS-Based IPS 400
    Actions That May Be Taken 405
    Best Practices When Tuning IPS 412
Managing and Monitoring IPS Alarms 412
Exam Preparation Tasks 417
Review All the Key Topics 417
Complete the Tables and Lists from Memory 417
Define Key Terms 417
Command Reference to Check Your Memory 418
Part IV Using VPNs for Secure Connectivity
Chapter 17 Fundamentals of VPN Technology
“Do I Know This Already?” Quiz 423
Foundation Topics 426
Understanding VPNs and Why We Use Them 426
    What Is a VPN? 426
    Types of VPNs 427
        Two Main Types of VPNs 427
    Main Benefits of VPNs 427
        Confidentiality 428
        Data Integrity 428
        Authentication 430
        Antireplay 430
Cryptography Basic Components 430
    Ciphers and Keys 430
        Ciphers 430
        Keys 431
    Block and Stream Ciphers 431
        Block Ciphers 432
        Stream Ciphers 432
    Symmetric and Asymmetric Algorithms 432
        Symmetric 432
        Asymmetric 433
    Hashes 434
    Hashed Message Authentication Code 434
    Digital Signatures 435
        Digital Signatures in Action 435
    Key Management 436
    IPsec and SSL 436
        IPsec 436
        SSL 437
Exam Preparation Tasks 439
Review All the Key Topics 439
Complete the Tables and Lists from Memory 439
Define Key Terms 439
Chapter 18 Fundamentals of the Public Key Infrastructure
“Do I Know This Already?” Quiz 441
Foundation Topics 444
Public Key Infrastructure 444
    Public and Private Key Pairs 444
    RSA Algorithm, the Keys, and Digital Certificates 445
        Who Has Keys and a Digital Certificate? 445
        How Two Parties Exchange Public Keys 445
        Creating a Digital Signature 445
    Certificate Authorities 446
    Root and Identity Certificates 446
        Root Certificate 446
        Identity Certificate 448
        Using the Digital Certificates to get the Peer's Public Key 448
        X.500 and X.509v3 Certificates 449
    Authenticating and Enrolling with the CA 450
    Public Key Cryptography Standards 450
    Simple Certificate Enrollment Protocol 451
    Revoked Certificates 451
    Uses for Digital Certificates 452
    PKI Topologies 452
        Single Root CA 453
        Hierarchical CA with Subordinate CAs 453
        Cross-Certifying CAs 453
Putting the Pieces of PKI to Work 453
    Default of the ASA 454
    Viewing the Certificates in ASDM 455
    Adding a New Root Certificate 455
    Easier Method for Installing Both Root and Identity certificates 457
Exam Preparation Tasks 462
Review All the Key Topics 462
Complete the Tables and Lists from Memory 462
Define Key Terms 463
Command Reference to Check Your Memory 463
Chapter 19 Fundamentals of IP Security
“Do I Know This Already?” Quiz 465
Foundation Topics 468
IPsec Concepts, Components, and Operations 468
    The Goal of IPsec 468
    The Play by Play for IPsec 469
        Step 1: Negotiate the IKE Phase 1 Tunnel 469
        Step 2: Run the DH Key Exchange 471
        Step 3: Authenticate the Peer 471
        What About the User's Original Packet? 471
        Leveraging What They Have Already Built 471
        Now IPsec Can Protect the User's Packets 472
        Traffic Before IPsec 472
        Traffic After IPsec 473
    Summary of the IPsec Story 474
Configuring and Verifying IPsec 475
    Tools to Configure the Tunnels 475
    Start with a Plan 475
    Applying the Configuration 475
    Viewing the CLI Equivalent at the Router 482
    Completing and Verifying IPsec 484
Exam Preparation Tasks 491
Review All the Key Topics 491
Complete the Tables and Lists from Memory 491
Define Key Terms 492
Command Reference to Check Your Memory 492
Chapter 20 Implementing IPsec Site-to-Site VPNs
“Do I Know This Already?” Quiz 495
Foundation Topics 498
Planning and Preparing an IPsec Site-to-Site VPN 498
    Customer Needs 498
    Planning IKE Phase 1 500
    Planning IKE Phase 2 501
Implementing and Verifying an IPsec Site-to-Site VPN 502
    Troubleshooting IPsec Site-to-Site VPNs 511
Exam Preparation Tasks 526
Review All the Key Topics 526
Complete the Tables and Lists from Memory 526
Define Key Terms 526
Command Reference to Check Your Memory 526
Chapter 21 Implementing SSL VPNs Using Cisco ASA
“Do I Know This Already?” Quiz 529
Foundation Topics 532
Functions and Use of SSL for VPNs 532
    Is IPsec Out of the Picture? 532
    SSL and TLS Protocol Framework 533
    The Play by Play of SSL for VPNs 534
    SSL VPN Flavors 534
Configuring SSL Clientless VPNs on ASA 535
    Using the SSL VPN Wizard 536
    Digital Certificates 537
    Authenticating Users 538
    Logging In 541
    Seeing the VPN Activity from the Server 543
Configuring the Full SSL AnyConnect VPN on the ASA 544
    Types of SSL VPNs 545
    Configuring Server to Support the AnyConnect Client 545
    Groups, Connection Profiles, and Defaults 552
    One Item with Three Different Names 553
    Split Tunneling 554
Exam Preparation Tasks 556
Review All the Key Topics 556
Complete the Tables and Lists from Memory 556
Define Key Terms 556
Chapter 22 Final Preparation
Tools for Final Preparation 559
    Pearson IT Certification Practice Test Engine and Questions on the CD 559
        Installing the Software from the CD 560
        Activating and Downloading the Practice Exam 560
        Activating Other Exams 560
        Premium Edition 561
    The Cisco Learning Network 561
    Memory Tables 561
    Chapter-Ending Review Tools 561
    Videos 562
Suggested Plan for Final Review/Study 562
    Using the Exam Engine 562
Summary 563
Part V Appendixes
Appendix A Answers to the “Do I Know This Already?” Quizzes 567
Appendix B CCNA Security 640-554 (IINSv2) Exam Updates 573
Glossary 577
On the CD
Appendix C Memory Tables
Appendix D Memory Tables Answer Key
 
 
9781587204463   TOC   6/5/2012
 

Info autore

Michael Watkins lehrt Business Administration an der Harvard Business School und beschäftigt sich seit langem mit den Themen Leadership und Verhandlung. Er hat mehrere erfolgreiche Managementbücher verfasst; »Die entscheidenden 90 Tage« hat sich in den USA bereits mehr als 200 000 Mal verkauft und viele Führungskräfte beim erfolgreichen Eintritt in eine neue Position unterstützt.

Riassunto

CCNA Security 640-554 Official Cert Guide presents an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable the reader to decide how much time he or she needs to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help drill key concepts that must known thoroughly.