CCNP Security Secure 642-637 Official Cert Guide, w. CD-ROM

Ulteriori informazioni

CCNP Security Secure 642-637 Official Cert Guide is a comprehensive self-study tool for preparing for the Secure exam. This book teaches you how to secure Cisco IOS Software router and switch-based networks and provide security services based on Cisco IOS Software. Complete coverage of all exam topics as posted on the exam topic blueprint ensures you will arrive at a thorough understanding of what you need to master to succeed on the exam. The book follows a logical organization of the Secure exam objectives. Material is presented in a concise manner, focusing on increasing your retention and recall of exam topics. This book helps you organize your exam preparation through the use of the consistent features, including:

· Pre-chapter quiz - These quizzes allow you to assess your knowledge of the chapter content and decide how much time to spend on any given section.

· Foundation Topics - These sections make up the majority of the page count, explaining concepts, configurations, with emphasis on the theory and concepts, and with linking the theory to the meaning of the configuration commands.

· Key Topics - Inside the Foundation Topics sections, every figure, table, or list that should absolutely be understood and remembered for the exam is noted with the words "Key Topic" in the margin. This tool allows you to quickly review the most important details in each chapter.

· Exam Preparation - This ending section of each chapter includes additional features for review and study, all designed to help you remember the details as well as to get more depth. You will be instructed to review key topics from the chapter, complete tables and lists from memory, and define key terms.

· Final Preparation Chapter - This final chapter details a set of tools and a study plan to help you complete your exam preparation.

Sommario

Introduction xxxiii
Part I Network Security Technologies Overview
Chapter 1 Network Security Fundamentals 3
  “Do I Know This Already?” Quiz 3
Foundation Topics 7
  Defining Network Security 7
  Building Secure Networks 7
  Cisco SAFE 9
  SCF Basics 9
  SAFE/SCF Architecture Principles 12
  SAFE/SCF Network Foundation Protection (NFP) 14
  SAFE/SCF Design Blueprints 14
  SAFE Usage 15
  Exam Preparation 17
Chapter 2 Network Security Threats 21
  “Do I Know This Already?” Quiz 21
Foundation Topics 24
  Vulnerabilities 24
  Self-Imposed Network Vulnerabilities 24
  Intruder Motivations 29
  Lack of Understanding of Computers or Networks 30
  Intruding for Curiosity 30
  Intruding for Fun and Pride 30
  Intruding for Revenge 30
  Intruding for Profit 31
  Intruding for Political Purposes 31
  Types of Network Attacks 31
  Reconnaissance Attacks 32
  Access Attacks 33
  DoS Attacks 35
  Exam Preparation 36
Chapter 3 Network Foundation Protection (NFP) Overview 39
  “Do I Know This Already?” Quiz 39
Foundation Topics 42
  Overview of Device Functionality Planes 42
  Control Plane 43
  Data Plane 44
  Management Plane 45
  Identifying Network Foundation Protection Deployment Models 45
  Identifying Network Foundation Protection Feature Availability 48
  Cisco Catalyst Switches 48
  Cisco Integrated Services Routers (ISR) 49
  Cisco Supporting Management Components 50
  Exam Preparation 53
Part II Cisco IOS Foundation Security Solutions

Chapter 4 Configuring and Implementing Switched Data Plane Security Solutions 57   “Do I Know This Already?” Quiz 57
Foundation Topics 60
     Switched Data Plane Attack Types 60
  VLAN Hopping Attacks 60
  CAM Flooding Attacks 61
  MAC Address Spoofing 63
  Spanning Tree Protocol (STP) Spoofing Attacks 63
  DHCP Starvation Attacks 66
  DHCP Server Spoofing 67
  ARP Spoofing 67
  Switched Data Plane Security Technologies 67
  Port Configuration 67
  Port Security 71
  Root Guard, BPDU Guard, and PortFast 74
  DHCP Snooping 75
  Dynamic ARP Inspection (DAI) 77
  IP Source Guard 79
  Private VLANs (PVLAN) 80
  Exam Preparation 84
Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS) 91
  “Do I Know This Already?” Quiz 91
Foundation Topics 94
  Identity-Based Networking Services (IBNS) and IEEE 802.1x Overview 94
  IBNS and 802.1x Enhancements and Features 94
  802.1x Components 96
  802.1x Interworking 97
  Extensible Authentication Protocol (EAP) 97
  EAP over LAN (EAPOL) 98
  EAP Message Exchange 99
  Port States 100
  Port Authentication Host Modes 101
  EAP Type Selection 102
  EAP—Message Digest Algorithm 5 102
  Protected EAP w/MS-CHAPv2 102
  Cisco Lightweight EAP 103
  EAP—Transport Layer Security 104
  EAP—Tunneled Transport Layer Security 104
  EAP—Flexible Authentication via Secure Tunneling 105
  Exam Preparation 106
Chapter 6 Implementing and Configuring Basic 802.1X 109
  “Do I Know This Already?” Quiz 109
Foundation Topics 112
  Plan Basic 802.1X Deployment on Cisco Catalyst IOS Software 112
  Gathering Input Parameters 113
  Deployment Tasks 113
  Deployment Choices 114
  General Deployment Guidelines 114
  Configure and Verify Cisco Catalyst IOS Software 802.1X Authenticator 115
  Configuration Choices 115
  Configuration Scenario 115
  Verify Basic 802.1X Functionality 121
  Configure and Verify Cisco ACS for EAP-FAST 121
  Configuration Choices 122
  Configuration Scenario 122
  Configure the Cisco Secure Services Client 802.1X Supplicant 128
  Task 1: Create the CSSC Configuration Profile 128
  Task 2: Create a Wired Network Profile 128
  Tasks 3 and 4: (Optional) Tune 802.1X Timers and
  Authentication Mode 130
  Task 5: Configure the Inner and Outer EAP Mode for the Connection 131
  Task 6: Choose the Login Credentials to Be Used for Authentication 132
  Task 7: Create the CSSC Installation Package 133
  Network Login 134
  Verify and Troubleshoot 802.1 X Operations 134
  Troubleshooting Flow 134
  Successful Authentication 135
  Verify Connection Status 135
  Verify Authentication on AAA Server 135
     Verify Guest/Restricted VLAN Assignment 135
  802.1X Readiness Check 135
  Unresponsive Supplicant 135
  Failed Authentication: RADIUS Configuration Issues 135
  Failed Authentication: Bad Credentials 135
  Exam Preparation 136
Chapter 7 Implementing and Configuring Advanced 802.1X 139
  “Do I Know This Already?” Quiz 139
Foundation Topics 143
  Plan the Deployment of Cisco Advanced 802.1X Authentication Features 143
  Gathering Input Parameters 143
  Deployment Tasks 144
  Deployment Choices 144
  Configure and Verify EAP-TLS Authentication on Cisco IOS Components and Cisco Secure ACS 145
  EAP-TLS with 802.1X Configuration Tasks 145
  Configuration Scenario 146
  Configuration Choices 146
  Task 1: Configure RADIUS Server 147
  Task 2: Install Identity and Certificate Authority Certificates on All Clients 147
  Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server 147
  Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server 149
  Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant 151
  Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant 152
  Implementation Guidelines 153
  Feature Support 153
  Verifying EAP-TLS Configuration 153
  Deploying User and Machine Authentication 153
  Configuring User and Machine Authentication Tasks 154
  Configuration Scenario 154
  Task 1: Install Identity and Certificate Authority Certificates on All Clients 155
  Task 2: Configure Support of EAP-TLS on Cisco Secure ACS Server 155
  Task 3: Configure Support of Machine Authentication on Cisco Secure ACS Server 156
  Task 4: Configure Support of Machine Authentication on Microsoft Windows Native 802.1X Supplicant 156
  Task 5: (Optional) Configure Machine Authentication Support Using the Cisco Secure Services Client (CSSC) Supplicant 157
  Task 6: (Optional) Configure Additional User Support Using the Cisco Secure Services Client (CSSC) Supplicant 158
  Implementation Guidelines 158
  Feature Support 158
  Deploying VLAN and ACL Assignment 159
  Deploying VLAN and ACL Assignment Tasks 159
  Configuration Scenario 159
  Configuration Choices 160
  Task 1: Configure Cisco IOS Software 802.1X Authenticator Authorization 160
  Task 2: (Optional) Configure VLAN Assignment on Cisco Secure ACS 161
  Task 3: (Optional) Configure and Prepare for ACL Assignment on Cisco IOS Software Switch 162
  Task 4: (Optional) Configure ACL Assignment on Cisco Secure ACS Server 162
  Verification of VLAN and ACL Assignment with Cisco IOS Software CLI 164
  Verification of VLAN and ACL Assignment on Cisco Secure ACS 165
  Configure and Verify Cisco Secure ACS MAC Address ExceptionPolicies 165
  Cisco Catalyst IOS Software MAC Authentication Bypass (MAB) 165
  Configuration Tasks 166
  Configuration Scenario 166
  Tasks 1 and 2: Configure MAC Authentication Bypass on the Switch and ACS 167
  Verification of Configuration 168
  Implementation Guidelines 168
  Configure and Verify Web Authentication on Cisco IOS Software LAN Switches and Cisco Secure ACS 168
  Configuration Tasks 169
  Configuration Scenario 169
  Task 1: Configure Web Authentication on the Switch 169
  Task 2: Configure Web Authentication on the Cisco Secure ACS Server 171
  Web Authentication Verification 172
  User Experience 172
  Choose a Method to Support Multiple Hosts on a Single Port 172
  Multiple Hosts Support Guidelines 172
  Configuring Support of Multiple Hosts on a Single Port 172
  Configuring Fail-Open Policies 174
  Configuring Critical Ports 174
  Configuring Open Authentication 176
  Resolve 802.1X Compatibility Issues 176
  Wake-on-LAN (WOL) 176
  Non-802.1X IP Phones 177
  Preboot Execution Environment (PXE) 177
  Exam Preparation 178
Chapter 8 Implementing and Configuring Cisco IOS Routed Data Plane Security 183
  “Do I Know This Already?” Quiz 183
Foundation Topics 186
  Routed Data Plane Attack Types 186
  IP Spoofing 186
  Slow-Path Denial of Service 186
  Traffic Flooding 187
  Routed Data Plane Security Technologies 187
  Access Control Lists (ACL) 187
  Flexible Packet Matching 196
  Flexible NetFlow 203
  Unicast Reverse Path Forwarding (Unicast RPF) 209
  Exam Preparation 212
Chapter 9 Implementing and Configuring Cisco IOS Control
Plane Security 219
  “Do I Know This Already?” Quiz 219
Foundation Topics 222
  Control Plane Attack Types 222
  Slow-Path Denial of Service 222
  Routing Protocol Spoofing 222
  Control Plane Security Technologies 222
  Control Plane Policing (CoPP) 222
  Control Plane Protection (CPPr) 226
  Routing Protocol Authentication 232
  Exam Preparation 237
Chapter 10 Implementing and Configuring Cisco IOS Management Plane Security 245
  “Do I Know This Already?” Quiz 245
Foundation Topics 248
  Management Plane Attack Types 248
  Management Plane Security Technologies 248
  Basic Management Security and Privileges 248
  SSH 254
  SNMP 256
  CPU and Memory Thresholding 261
  Management Plane Protection 262
  AutoSecure 263
  Digitally Signed Cisco Software 265
  Exam Preparation 267
Part III Cisco IOS Threat Detection and Control

Chapter 11 Implementing and Configuring Network Address Translation (NAT) 275
  “Do I Know This Already?” Quiz 275
Foundation Topics 278
  Network Address Translation 278
  Static NAT Example 280
  Dynamic NAT Example 280
  PAT Example 281
  NAT Configuration 282
  Overlapping NAT 287
  Exam Preparation 290
Chapter 12 Implementing and Configuring Zone-Based Policy Firewalls 295
  “Do I Know This Already?” Quiz 295
Foundation Topics 298
  Zone-Based Policy Firewall Overview 298
  Zones/Security Zones 298
  Zone Pairs 299
  Transparent Firewalls 300
  Zone-Based Layer 3/4 Policy Firewall Configuration 301
  Class Map Configuration 302
  Parameter Map Configurations 304
  Policy Map Configuration 306
  Zone Configuration 308
  Zone Pair Configuration 309
  Port to Application Mapping (PAM) Configuration 310
  Zone-Based Layer 7 Policy Firewall Configuration 312
  URL Filter 313
  HTTP Inspection 318
  Exam Preparation 323
Chapter 13 Implementing and Configuring IOS Intrusion Prevention System (IPS) 333
     “Do I Know This Already?” Quiz 333
Foundation Topics 336
  Configuration Choices, Basic Procedures, and Required Input Parameters 336
  Intrusion Detection and Prevention with Signatures 337
  Sensor Accuracy 339
  Choosing a Cisco IOS IPS Sensor Platform 340
  Software-Based Sensor 340
  Hardware-Based Sensor 340
  Deployment Tasks 341
  Deployment Guidelines 342
  Deploying Cisco IOS Software IPS Signature Policies 342
  Configuration Tasks 342
  Configuration Scenario 342
  Verification 346
  Guidelines 347
  Tuning Cisco IOS Software IPS Signatures 347
  Event Risk Rating System Overview 348
  Event Risk Rating Calculation 348
  Event Risk Rating Example 349
  Signature Event Action Overrides (SEAO) 349
  Signature Event Action Filters (SEAF) 349
  Configuration Tasks 350
  Configuration Scenario 350
  Verification 355
  Implementation Guidelines 355
  Deploying Cisco IOS Software IPS Signature Updates 355
  Configuration Tasks 356
  Configuration Scenario 356
  Task 1: Install Signature Update License 356
  Task 2: Configure Automatic Signature Updates 357
  Verification 357
  Monitoring Cisco IOS Software IPS Events 358
  Cisco IOS Software IPS Event Generation 358
  Cisco IME Features 358
  Cisco IME Minimum System Requirements 359
  Configuration Tasks 359
  Configuration Scenario 360
     Task 2: Add the Cisco IOS Software IPS Sensor to Cisco IME 361
  Verification 362
  Verification: Local Events 362
  Verification: IME Events 363
  Cisco IOS Software IPS Sensor 363
  Troubleshooting Resource Use 365
 Additional Debug Commands 365
  Exam Preparation 366
Part IV Managing and Implementing Cisco IOS Site-to-Site Security Solutions

Chapter 14 Introduction to Cisco IOS Site-to-Site Security Solutions 369
  “Do I Know This Already?” Quiz 369
Foundation Topics 372
  Choose an Appropriate VPN LAN Topology 372
  Input Parameters for Choosing the Best VPN LAN Topology 373
  General Deployment Guidelines for Choosing the Best VPN LAN Topology 373
  Choose an Appropriate VPN WAN Technology 373
  Input Parameters for Choosing the Best VPN WAN Technology 374
  General Deployment Guidelines for Choosing the Best VPN WAN Technology 376
  Core Features of IPsec VPN Technology 376
  IPsec Security Associations 377
  Internet Key Exchange (IKE) 377
  IPsec Phases 377
  IKE Main and Aggressive Mode 378
  Encapsulating Security Payload 378
  Choose Appropriate VPN Cryptographic Controls 379
  IPsec Security Associations 379
  Algorithm Choices 379
  General Deployment Guidelines for Choosing Cryptographic Controls for a Site-to-Site VPN Implementation 381
  Design and Implementation Resources 382
  Exam Preparation 383
Chapter 15 Deploying VTI-Based Site-to-Site IPsec VPNs 387
  “Do I Know This Already?” Quiz 387
Foundation Topics 390
  Plan a Cisco IOS Software VTI-Based Site-to-Site VPN 390
  Virtual Tunnel Interfaces 390
  Input Parameters 392
  Deployment Tasks 393
  Deployment Choices 393
  General Deployment Guidelines 393
     Configuring Basic IKE Peering 393
  Cisco IOS Software Default IKE PSK-Based Policies 394
  Configuration Tasks 394
  Configuration Choices 395
  Configuration Scenario 395
  Task 1: (Optional) Configure an IKE Policy on Each Peer 395
  Tasks 2 and 3: Generate and Configure Authentication Credentials on Each Peer 396
  Verify Local IKE Sessions 396
  Verify Local IKE Policies 396
  Verify a Successful Phase 1 Exchange 397
  Implementation Guidelines 397
  Troubleshooting IKE Peering 397
  Troubleshooting Flow 397
  Configuring Static Point-to-Point IPsec VTI Tunnels 398
  Default Cisco IOS Software IPsec Transform Sets 398
  Configuration Tasks 398
  Configuration Choices 399
  Configuration Scenario 399
  Task 1: (Optional) Configure an IKE Policy on Each Peer 399
  Task 2: (Optional) Configure an IPsec Transform Set 399
  Task 3: Configure an IPsec Protection Profile 400
  Task 4: Configure a Virtual Tunnel Interface (VTI) 400
  Task 5: Apply the Protection Profile to the Tunnel Interface 401
  Task 6: Configure Routing into the VTI Tunnel 401
  Implementation Guidelines 401
  Verify Tunnel Status and Traffic 401
  Troubleshooting Flow 402
  Configure Dynamic Point-to-Point IPsec VTI Tunnels 403
  Virtual Templates and Virtual Access Interfaces 403
  ISAKMP Profiles 404
  Configuration Tasks 404
  Configuration Scenario 404
  Task 1: Configure IKE Peering 405
  Task 2: (Optional) Configure an IPsec Transform Set 405
  Task 3: Configure an IPsec Protection Profile 405
  Task 4: Configure a Virtual Template Interface 406
  Task 5: Map Remote Peer to a Virtual Template Interface 406
  Verify Tunnel Status on the Hub 407
  Implementation Guidelines 407
  Exam Preparation 408
Chapter 16 Deploying Scalable Authentication in Site-to-Site IPsec VPNs 411
  “Do I Know This Already?” Quiz 411
Foundation Topics 414
  Describe the Concept of a Public Key Infrastructure 414
  Manual Key Exchange with Verification 414
  Trusted Introducing 414
  Public Key Infrastructure: Certificate Authorities 416
  X.509 Identity Certificate 417
  Certificate Revocation Checking 418
  Using Certificates in Network Applications 419
  Deployment Choices 420
  Deployment Steps 420
  Input Parameters 421
  Deployment Guidelines 421
  Configure, Verify, and Troubleshoot a Basic Cisco IOS Software Certificate Server 421
  Configuration Tasks for a Root Certificate Server 422
  Configuration Scenario 423
  Task 1: Create an RSA Key Pair 423
  Task 2: Create a PKI Trustpoint 424
  Tasks 3 and 4: Create the CS and Configure the Database Location 424
  Task 5: Configure an Issuing Policy 425
  Task 6: Configure the Revocation Policy 425
  Task 7: Configure the SCEP Interface 426
  Task 8: Enable the Certificate Server 426
  Cisco Configuration Professional Support 426
  Verify the Cisco IOS Software Certificate Server 427
  Feature Support 427
  Implementation Guidelines 428
  Troubleshooting Flow 429
  PKI and Time: Additional Guidelines 429
  Enroll a Cisco IOS Software VPN Router into a PKI and Troubleshoot the Enrollment Process 429
  PKI Client Features 429
  Simple Certificate Enrollment Protocol 430
  Key Storage 430
  Configuration Tasks 430
  Configuration Scenario 431
  Task 1: Create an RSA Key Pair 431
  Task 2: Create an RSA Key Pair 432
  Task 3: Authenticate the PKI Certificate Authority 432
  Task 4: Create an Enrollment Request on the VPN Router 433
  Task 5: Issue the Client Certificate on the CA Server 434
  Certificate Revocation on the Cisco IOS Software Certificate Server 434
  Cisco Configuration Professional Support 434
  Verify the CA and Identity Certificates 435
  Feature Support 435
  Implementation Guidelines 436
  Troubleshooting Flow 436
  Configure and Verify the Integration of a Cisco IOS Software VPN Router with Supporting PKI Entities 436
  IKE Peer Authentication 436
  IKE Peer Certificate Authorization 437
  Configuration Tasks 437
  Configuration Scenario 437
  Task 1: Configure an IKE Policy 438
  Task 2: Configure an ISAKMP Profile 438
  Task 3: Configure Certificate-Based Authorization of Remote Peers 438
  Verify IKE SA Establishment 439
  Feature Support 439
  Implementation Guidelines 440
  Troubleshooting Flow 440
  Configuring Advanced PKI Integration 440
  Configuring CRL Handling on PKI Clients 441
  Using OCSP or AAA on PKI Clients 441
  Exam Preparation 442
Chapter 17 Deploying DMVPNs 447
  “Do I Know This Already?” Quiz 447
Foundation Topics 451
  Understanding the Cisco IOS Software DMVPN
  Architecture 451
  Building Blocks of DMVPNs 452
  Hub-and-Spoke Versus On-Demand Fully Meshed VPNs 452
  DMVPN Initial State 453
  DMVPN Spoke-to-Spoke Tunnel Creation 453
  DMVPN Benefits and Limitations 454
  Plan the Deployment of a Cisco IOS Software DMVPN 455
  Input Parameters 455
  Deployment Tasks 455
  Deployment Choices 456
  General Deployment Guidelines 456
  Configure and Verify Cisco IOS Software GRE Tunnels 456
  GRE Features and Limitations 456
  Point-to-Point Versus Point-to-Multipoint GRE Tunnels 457
  Point-to-Point Tunnel Configuration Example 457
  Configuration Tasks for a Hub-and-Spoke Network 459
  Configuration Scenario 459
  Task 1: Configure an mGRE Interface on the Hub 459
  Task 2: Configure a GRE Interface on the Spoke 459
  Verify the State of GRE Tunnels 460
  Configure and Verify a Cisco IOS Software NHRP Client and Server 461
  (m)GRE and NHRP Integration 461
  Configuration Tasks 461
  Configuration Scenario 461
  Task 1: Configure an NHRP Server 461
  Task 2: Configure an NHRP Client 462
  Verify NHRP Mappings 462
  Debugging NHRP 463
  Configure and Verify a Cisco IOS Software DMVPN Hub 464
  Configuration Tasks 464
  Configuration Scenario 464
  Task 1: (Optional) Configure an IKE Policy 464
  Task 2: Generate and/or Configure Authentication Credentials 465
  Task 3: Configure an IPsec Profile 465
  Task 4: Create an mGRE Tunnel Interface 465
  Task 5: Configure the NHRP Server 465
  Task 6: Associate the IPsec Profile with the mGRE Interface 466
  Task 7: Configure IP Parameters on the mGRE Interface 466
  Cisco Configuration Professional Support 466
  Verify Spoke Registration 466
  Verify Registered Spoke Details 467
  Implementation Guidelines 468
  Feature Support 468
     Configure and Verify a Cisco IOS Software DMVPN Spoke 468
  Configuration Tasks 468
  Configuration Scenario 469
  Task 1: (Optional) Configure an IKE Policy 469
  Task 2: Generate and/or Configure Authentication Credentials 469
  Task 3: Configure an IPsec Profile 469
  Task 4: Create an mGRE Tunnel Interface 470
  Task 5: Configure the NHRP Client 470
  Task 6: Associate the IPsec Profile with the mGRE Interface 470
  Task 7: Configure IP Parameters on the mGRE Interface 471
  Verify Tunnel State and Traffic Statistics 471
  Configure and Verify Dynamic Routing in a Cisco IOS Software DMVPN 471
  EIGRP Hub Configuration 472
  OSPF Hub Configuration 473
  Hub-and-Spoke Routing and IKE Peering on Spoke 473
  Full Mesh Routing and IKE Peering on Spoke 474
  Troubleshoot a Cisco IOS Software DMVPN 474
  Troubleshooting Flow 475
  Exam Preparation 476
Chapter 18 Deploying High Availability in Tunnel-Based IPsec VPNs 481
  “Do I Know This Already?” Quiz 481
Foundation Topics 484
  Plan the Deployment of Cisco IOS Software Site-to-Site IPsec VPN High-Availability Features 484
  VPN Failure Modes 484
  Partial Failure of the Transport Network 484
  Partial or Total Failure of the Service Provider (SP) Transport
  Network 485
  Partial or Total Failure of a VPN Device 485
  Deployment Guidelines 485
  Use Routing Protocols for VPN Failover 486
  Routing to VPN Tunnel Endpoints 486
  Routing Protocol Inside the VPN Tunnel 486
  Recursive Routing Hazard 487
  Routing Protocol VPN Topologies 487
  Routing Tuning for Path Selection ...