CCNA. Security STUDY GUIDE. Tim Boyles. Covers All Exam Objectives for IINS

Size: px

Start display at page:

Download "CCNA. Security STUDY GUIDE. Tim Boyles. Covers All Exam Objectives for IINS"

Ralf Foster
5 years ago
Views:

Covers All Exam Objectives for IINS 640-553

Questions Electronic Flashcards Entire Book in PDF

1 Covers All Exam Objectives for IINS Includes Real-World Scenarios, Hands-On and Written Labs, and Leading-Edge Exam Prep Software Featuring: Custom Test Engine Hundreds of Sample Questions Electronic Flashcards Entire Book in PDF CCNA Security STUDY GUIDE IINS Exam Tim Boyles SERIOUS SKILLS.

3 CCNA Security Study Guide Exam IINS OBJECTIVE CHAPTER Describe the security threats facing modern network infrastructures Describe and list mitigation methods for common network attacks 2, 6 Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks 2, 6 Describe the Cisco Self Defending Network architecture 2 Secure Cisco routers Secure Cisco routers using the SDM Security Audit feature 5 Use the One-Step Lockdown feature in SDM to secure a Cisco router 5 Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements Secure administrative access to Cisco routers by configuring multiple privilege levels 3 3 Secure administrative access to Cisco routers by configuring role based CLI 3 Secure the Cisco IOS image and configuration file 3 Implement AAA on Cisco routers using local router database and external ACS Explain the functions and importance of AAA 4 Describe the features of TACACS+ and RADIUS AAA protocols 4 Configure AAA authentication 4 Configure AAA authorization 4 Configure AAA accounting 4 Mitigate threats to Cisco routers and networks using ACLs Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI 7 7 Configure IP ACLs to prevent IP address spoofing using CLI 7 Discuss the caveats to be considered when building ACLs 7

4 OBJECTIVE Implement secure network management and reporting Use CLI and SDM to configure SSH on Cisco routers to enable secured management access Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server CHAPTER 5 5 Mitigate common Layer 2 attacks Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features 6 Implement the Cisco IOS firewall feature set using SDM Describe the operational strengths and weaknesses of the different firewall technologies 7 Explain stateful firewall operations and the function of the state table 7 Implement Zone Based Firewall using SDM 7 Implement the Cisco IOS IPS feature set using SDM Define network based vs. host based intrusion detection and prevention 8 Explain IPS technologies, attack responses, and monitoring options 8 Enable and verify Cisco IOS IPS operations using SDM 8 Implement site-to-site VPNs on Cisco Routers using SDM Explain the different methods used in cryptography 9, 10 Explain IKE protocol functionality and phases 10 Describe the building blocks of IPSec and the security functions it provides 12 Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM 12 Exam specifications and content are subject to change at any time without prior notice and at Cisco s sole discretion. Please visit Cisco s website ( for the most current information on exam content.

5 CCNA Security Study Guide Tim Boyles

6 Acquisitions Editor: Jeff Kellum Development Editor: Stef Jones Technical Editors: Chris Carson, Billy Haines Production Editor: Angela Smith Copy Editor: Judy Flynn Editorial Manager: Pete Gaughan Production Manager: Tim Tate Vice President and Executive Group Publisher: Richard Swadley Vice President and Publisher: Neil Edde Media Project Manager 1: Laura Moss-Hollister Media Associate Producer: Doug Kuhn Media Quality Assurance: Josh Frank Book Designers: Judy Fung and Bill Gibson Proofreader: Rebecca Rider Indexer: Jack Lewis Project Coordinator, Cover: Lynsey Stanford Cover Designer: Ryan Sneed Copyright 2010 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) , fax (978) Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) , fax (201) , or online at Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) , outside the U.S. at (317) or fax (317) Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data is available from publisher. TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CCNA is a registered trademark of Cisco Technology, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book

7 To God and my family. Without the support and love from both, I would not be able to do what I do. Thanks for the many blessings. Acknowledgments When you take on a project like this, there are always a number of people involved, and this one is no exception. I could not have done this book without the help and support of several folks. First, I d like to thank my technical editor, Chris Carson, for keeping me honest and offering candid feedback. Chris also contributed to this book by writing Chapter 10 and Chapter 11. His help was invaluable. I would also like to thank Patrick Conlan, who provided access to most of the equipment used in the writing of this book. A special thanks goes out to Stef Jones, this book s developmental editor. Stef was the one to keep me in line and was a tremendous help in shaping up some of the more difficult chapters. And last but not least, thanks to the team at Sybex for supporting me in this endeavor: Pete Gaughan, editorial manager; Jeff Kellum, acquisitions editor; and Jenni Housh, Connor O Brien, and Angela Smith, who are all on the editorial team. I m sure I gave Jeff plenty of cause for concern over the course of the better part of a year, but we all survived I think. Also, thanks to copyeditor Judy Flynn, proofreader Rebecca Rider, and indexer Jack Lewis.

8 About The Author Tim Boyles is an IT manager at a large retailer based in the Dallas Fort Worth Metroplex. He has been involved in networking and security for over 20 years. He is the holder of many certifications, including CISSP, CISA, CISM, GCIH, GAWN, and of course CCNA and CCNA-Security. Tim has worked on many networking and security books. He was previously the security practice leader for the South Central operation of BT Global Services and has been engaged with consulting for a number of years with numerous large corporate clients. He is also a mentor instructor for the SANS Institute, having conducted sessions on CISSP training, Incident Handling, Wireless Penetration Testing, and Web Application Security. About the Contributor Chris L. Carson, CCIE #19511, is a principal at Ethical Networks, a network and security consulting provider in the Dallas Ft. Worth area. He has been in the network and security industry for more than 17 years and holds over 20 industry certifications, including CCIE, CCSP, CEH, and CCNA-Security. Most of his career has been spent working for large Cisco Gold partners throughout the United States. Chris s previous position as a security practice manager and principal for one of the largest Cisco partners in North Texas has provided him with expertise in designing, implementing, and troubleshooting solutions for many Fortune 500 customers.

9 Contents at a Glance Introduction Assessment Test xvii xxiv Chapter 1 Introduction to Network Security 1 Chapter 2 Creating the Secure Network 25 Chapter 3 Securing Administrative Access 51 Chapter 4 Configuring AAA Services 77 Chapter 5 Securing Your Router 117 Chapter 6 Layer 2 Security 159 Chapter 7 Implementing Cisco IOS Firewall 193 Chapter 8 Implementing Cisco IOS Intrusion Prevention 245 Chapter 9 Understanding Cryptographic Solutions 281 Chapter 10 Using Digital Signatures 299 Chapter 11 Using Asymmetric Encryption and PKI 323 Chapter 12 Implementing Site-to-Site IPsec VPN Solutions 377 Appendix A Securing Voice Solutions 425 Appendix B Introduction to SAN Security 441 Appendix C Exploring Endpoint Security 451 Appendix D Capstone Exercise 461 Appendix E About the Companion CD 483 Glossary 487 Index 495

11 Contents Introduction Assessment Test xvii xxiv Chapter 1 Introduction to Network Security 1 Threats to Network Security 2 External Threats 3 Internal Threats 5 Application Security 6 Network Security Objectives 6 Classification of Data 8 Security Controls 11 Security Controls by Type 11 Security Controls by Purpose 12 Incident Response 13 Preparation 13 Identification 15 Containment 16 Eradication 17 Recovery 17 Lessons Learned 17 Law and Ethics 18 Legal Matters 18 Intellectual Property 19 Ethics 20 Review Questions 21 Answers to Review Questions 23 Chapter 2 Creating the Secure Network 25 Creating a Security Policy 26 Goals of a Security Policy 26 Policies and Procedures 27 Other Documents 28 Managing Risk 28 Secure Network Design 32 Creating Security Awareness 34 Maintaining Operational Security 35 Defining the Systems Development Life Cycle 35 Review of Operations Security 37 Evolution of Threats 38

12 viii Contents The Cisco Self-Defending Network 39 Characteristics of the Cisco Self-Defending Network 40 Components of the Cisco Self-Defending Network 42 Summary 42 Exam Essentials 42 Written Lab 43 Review Questions 44 Answers to Review Questions 48 Answers to Written Lab 50 Chapter 3 Securing Administrative Access 51 Securing Administrative Access 52 Methods of Accessing the Router 52 Modes of Interaction with the Router 52 Configuring Passwords 54 Configuring Privilege Levels 56 CLI Views 56 Securing Router Files 58 Login Features for Virtual Connections 58 Configuring a Banner Message 59 Cisco ISR Routers 61 Cisco Security Device Manager (SDM) 62 Prerequisites for Running SDM 62 Introduction to SDM 64 Summary 67 Exam Essentials 68 Written Lab 68 Hands-on Lab 69 Hands-on Lab 3.1: Configuring Passwords 69 Review Questions 70 Answers to Review Questions 74 Answers to Written Lab 75 Chapter 4 Configuring AAA Services 77 Defining AAA Services 78 Defining RADIUS and TACACS+ 79 RADIUS 80 TACACS+ 81 Configuring AAA Using Cisco Secure ACS 82 Introduction to Cisco Secure ACS for Windows 83 Preparation and Installation of Cisco Secure ACS for Windows 86

13 Contents ix Configuring Authentication 91 AAA Local User Authentication 92 Using Method Lists 93 Configuring Authorization 94 Configuring Accounting 95 Configuring TACACS+ 96 Configuring AAA Services from the Command Line 97 Configuring AAA Services with Cisco SDM 98 Troubleshooting AAA on Cisco Routers 104 Summary 106 Exam Essentials 106 Written Lab 107 Hands-on Labs 108 Hands-on Lab 4.1: Configuring AAA Authentication with a Local Database 108 Hands-on Lab 4.2: Configuring TACACS+ Authentication, Authorization, and Accounting 109 Review Questions 110 Answers to Review Questions 114 Answers to Written Lab 116 Chapter 5 Securing Your Router 117 Using the Command-Line Interface to Lock Down the Router 118 Locking Down the Management Plane 118 Locking Down the Forwarding Plane 121 Understanding One-Step Lockdown 128 Configuring One-Step Lockdown with SDM 128 Differences between One-Step Lockdown and AutoSecure 131 Securing Management and Logging 131 Configuring Syslog Support on a Cisco Router 131 Using SNMP v3 to Secure Management Traffic 134 Securing Administration Using SSH 136 Using SDM to Configure a Syslog Server, SSH, SNMP, and NTP 138 Summary 149 Exam Essentials 150 Written Lab 151 Hands-on Lab 151 Hands-on Lab 5.1: Configuring a Router for SSH Administrative Access 151 Review Questions 153 Answers to Review Questions 157 Answers to Written Lab 158

14 x Contents Chapter 6 Layer 2 Security 159 Basic Protection of Layer 2 Switches 160 How to Prevent VLAN Attacks 161 Double Tagging 161 Switch Spoofing 162 Mitigating STP Attacks 163 Mitigating DHCP Server Spoofing 165 Configuring DCHP Snooping 166 Dynamic ARP Inspection 166 Protecting against CAM Table Attacks 167 Preventing MAC Spoofing 168 Configuring Port Security 169 Configuring SPAN, RSPAN, and Storm Control 173 Configuring Switched Port Analyzer (SPAN) 173 Configuring Remote Switched Port Analyzer (RSPAN) 175 Configuring Storm Control 178 Summary 179 Exam Essentials 179 Written Lab 181 Hands-on Labs 181 Hands-on Lab 6.1: Configuring Protection against a Spanning Tree Attack 181 Hands-on Lab 6.2: Configuring SPAN on a Cisco Switch to Do Troubleshooting 182 Hands-on Lab 6.3: Configuring Port Security on a Cisco Switch 183 Review Questions 185 Answers to Review Questions 189 Answers to Written Lab 191 Chapter 7 Implementing Cisco IOS Firewall 193 Firewall Basics 194 Packet Filtering Firewall 196 Application-Layer Firewall 197 Stateful Firewall 197 Access Control Lists 198 Basic ACLs 198 Turbo ACLs 200 How to Develop ACLs 201 Applying ACLs to Router Interfaces 201 Filtering Traffic with ACLs 202 Logical and Performance Considerations for ACLs 204

15 Contents xi The Cisco IOS Firewall 205 Authentication Proxy 206 Transparent Firewall 206 Stateful Packet Inspection 206 Configure Cisco IOS Firewall with SDM 211 Basic Firewall 212 Advanced Firewall 218 Verify Cisco IOS Firewall Configurations 226 Basic Firewall 227 Advanced Firewall 231 Implementing Zone-Based Firewall 235 Summary 236 Exam Essentials 237 Written Lab 237 Hands-on Lab 238 Hands-on Lab 7.1: Configuring an Access List 238 Review Questions 239 Answers to Review Questions 242 Answers to Written Lab 243 Chapter 8 Implementing Cisco IOS Intrusion Prevention 245 IDS and IPS 246 Introducing the Intrusion Detection System 246 Basic Functions of the Intrusion Prevention System 247 Using IDS and IPS Together 249 Benefits and Drawbacks of IPS/IDS Sensors 250 Types of IDS and IPS Sensors 250 IPS Signatures 254 Configuring IOS IPS 259 Summary 273 Exam Essentials 273 Written Lab 274 Hands-on Lab 274 Hands-on Lab 8.1: Configuring an IPS Policy Using Cisco SDM 274 Review Questions 275 Answers to Review Questions 278 Answers to Written Lab 280 Chapter 9 Understanding Cryptographic Solutions 281 Introduction to Cryptography 282 Caesar s Cipher 282 Vigenère Cipher 284

Study Guide. Robert Schmidt Dane Charlton

Study Guide. Robert Schmidt Dane Charlton Study Guide Study Guide Robert Schmidt Dane Charlton Senior Acquisitions Editor: Kenyon Brown Development Editor: Candace English Technical Editors: Eric Biller and Brian Atkinson Production Editor: Christine