
Jazib Frahim, CCIE No. 5459, Qiang Huang, CCIE No. 4937

Cisco Press

Contents at a Glance

Chapter 1 Introduction to Remote Access VPN Technologies
Chapter 2 SSL VPN Technology
Chapter 3 SSL VPN Design Considerations
Chapter 4 Cisco SSL VPN Family of Products
Chapter 5 SSL VPNs on Cisco ASA
Chapter 6 SSL VPNs on Cisco IOS Routers
Chapter 7 Management of SSL VPNs

SSL Remote Access VPNs

About the Authors
Jazib Frahim, CCIE No. 5459, has been with Cisco for more than nine years. Having a bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees. He has recently received his master of business administration (MBA) degree from North Carolina State University. He is also an author of the following Cisco Press books: Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.
Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Systems Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for Cisco market-leading modular Ethernet switching platforms. He has been with Cisco for almost ten years. During his time at Cisco, Qiang played an important role in a number of technology groups including the following: technical lead in the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions; a security consulting engineer in the Cisco Advanced Service Group, providing security posture assessment and consulting services to customers; a technical marketing engineer focusing on competitive analysis and market intelligence in network security with specialization in the emerging SSL VPN technology. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP dial. He is also one of the contributing authors of Internetworking Technologies Handbook, Fourth Edition. Qiang received a master’s degree in electrical engineering from Colorado State University.

About the Technical Reviewers
Pete Davis has been working with computers and networks since he was able to walk. By age 15, he was one of the youngest professional network engineers and one of the first employees at an Internet service provider. Pete implemented and maintained the systems and networks behind New England’s largest consumer Internet service provider, TIAC (The Internet Access Company). In 1997, Pete joined Shiva Corporation as a product specialist. Since 1998, Pete has been with Altiga Networks, a VPN concentrator manufacturer in Franklin, Massachusetts, that was acquired by Cisco on March 29, 2000. As product line manager, Pete is responsible for driving new VPN-related products and features. 
Dave Garneau is principal consultant and senior technical instructor at The Radix Group, Ltd., a consulting and training company based in Henderson, Nevada, and focusing on network security. As a consultant, he specializes in Cisco network security (including IronPort, now part of Cisco) and VPN technologies (both IPsec and SSL VPN). As an instructor, he has trained more than 2500 people in eight countries to earn certifications throughout the Cisco and IronPort certification programs. He has written lab guides used worldwide by authorized Cisco Learning Partners, as well as publishing papers related to network security. Dave holds the following certifications: CCSP, CCNP, CCDP, CCSI, CCNA, CCDA, ICSP, ICSI, and CNE.

This book provides a complete guide to the SSL VPN technology and discusses its implementation on Cisco SSL VPN–capable devices. Design guidance is provided to assist you in implementing SSL VPNs in an existing network infrastructure. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices.
Toward the end of Chapters 5 and 6, common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.

Who Should Read This Book?
This book serves as a guide for network professionals who want to implement the Cisco SSL VPN remote access solution in their network to allow users to access the corporate resources easily and safely. The book systematically walks you through the product or solution architecture, installation, configuration, deployment, monitoring, and troubleshooting the SSL VPN solution. Any network professional should be able to use this book as a guide to successfully deploy SSL VPN remote access solutions in their network. Requirements include a basic knowledge of TCP/IP and networking, familiarity with Cisco routers/firewalls and their command-line interface (CLI), and a general understanding of the overall SSL VPN solution.

How This Book Is Organized
Part I of this book includes Chapters 1 and 2, which provide an overview of the remote access VPN technologies and introduce the SSL VPN technology. The remainder of the book is divided into two parts.
Part II encompasses Chapters 3 and 4 and introduces the Cisco SSL VPN product lines, with guidance on different design considerations.
Part III encompasses Chapters 5 through 7 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up the SSL VPN solution.
• Part I, “Introduction and Technology Overview,” includes the following chapters:
Chapter 1, “Introduction to Remote Access VPN Technologies”: This chapter covers the remote access Virtual Private Network (VPN) technologies in detail. Protocols, such as the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) over IPsec, and SSL VPN, are discussed to provide readers with an overview of the available remote access VPN technologies.
Chapter 2, “SSL VPN Technology”: This chapter provides a technology overview of the building blocks of SSL VPNs, including cryptographic algorithms, SSL and Transport Layer Security (TLS), and common SSL VPN technologies.
• Part II, “SSL VPN Design Considerations and Cisco Solution Overview,” includes the following chapters:
Chapter 3, “SSL VPN Design Considerations”: This chapter discusses the common design best practices for planning and designing an SSL VPN solution.
Chapter 4, “Cisco SSL VPN Family of Products”: This chapter discusses the SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS routers and provides product specifications that are focused on SSL VPNs.
• Part III, “Deploying Cisco SSL VPN Solutions,” includes the following chapters:
Chapter 5, “SSL VPNs on Cisco ASA”: This chapter provides details about the SSL VPN functionality in Cisco ASA. This chapter discusses clientless and full tunnel SSL VPN client implementations and focuses on Cisco Secure Desktop (CSD). This chapter also discusses the Host Scan feature that is used to collect posture information about end workstations. The dynamic access policy (DAP) feature, its usage, and detailed configuration examples are also provided. To reinforce learning, many different deployment scenarios are presented along with their configurations.
Chapter 6, “SSL VPNs on Cisco IOS Routers”: This chapter provides details about the SSL VPN functionality in Cisco IOS routers. It begins by offering design guidance and then discusses the configuration of SSL VPNs in greater detail. The configurations of clientless, thin client, and AnyConnect Client modes are discussed. The second half of the chapter focuses on Cisco Secure Desktop (CSD) and offers guidance in setting up CSD features. To reinforce learning, two different deployment scenarios are presented along with their configurations. Toward the end of this chapter, SSL VPN monitoring through SDM is also discussed.
Chapter 7, “Management of SSL VPNs”: This chapter discusses the central management of SSL VPN devices using Cisco Security Manager.

Table of Contents
Introduction xviii
Chapter 1 Introduction to Remote Access VPN Technologies 3
Remote Access Technologies 5
IPsec 5
Software-Based VPN Clients 7
Hardware-Based VPN Clients 7
L2TP 9
L2TP over IPsec 11
Summary 14
Chapter 2 SSL VPN Technology 17
Cryptographic Building Blocks of SSL VPNs 17
Hashing and Message Integrity Authentication 17
Hashing 18
Message Authentication Code 18
Encryption 20
RC4 21
DES and 3DES 22
AES 22
Diffie-Hellman 23
RSA and DSA 24
Digital Signatures and Digital Certification 24
Digital Signatures 24
Public Key Infrastructure, Digital Certificates, and Certification 25
SSL and TLS 30
SSL and TLS History 30
SSL Protocols Overview 31
OSI Layer Placement and TCP/IP Protocol Support 31
SSL Record Protocol and Handshake Protocols 33
SSL Connection Setup 34
Application Data 42
Case Study: SSL Connection Setup 43
Reverse Proxy Technology 50
URL Mangling 52
Content Rewriting 53
Port-Forwarding Technology 55
Terminal Services 58
SSL VPN Tunnel Client 58
Summary 59
References 60
Chapter 3 SSL VPN Design Considerations 63
Not All Resource Access Methods Are Equal 63
User Authentication and Access Privilege Management 65
User Authentication 66
Choice of Authentication Servers 66
AAA Server Scalability and High Availability 67
AAA Server Scalability 67
AAA Server High Availability and Resiliency 68
Resource Access Privilege Management 68
Security Considerations 70
Security Threats 71
Lack of Security on Unmanaged Computers 71
Data Theft 71
Man-in-the-Middle Attacks 72
Web Application Attack 73
Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network 73
Split Tunneling 73
Password Attacks 74
Security Risk Mitigation 74
Strong User Authentication and Password Policy 75
Choose Strong Cryptographic Algorithms 75
Session Timeout and Persistent Sessions 75
Endpoint Security Posture Assessment and Validation 75
VPN Session Data Protection 76
Techniques to Prevent Data Theft 76
Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies 77
Device Placement 78
Platform Options 79
Virtualization 79
High Availability 80
Performance and Scalability 81
Summary 82
References 82
Chapter 4 Cisco SSL VPN Family of Products 85
Overview of Cisco SSL VPN Product Portfolio 85
Cisco ASA 5500 Series 87
SSL VPN History on Cisco ASA 87
SSL VPN Specifications on Cisco ASA 88
SSL VPN Licenses on Cisco ASA 89
Cisco IOS Routers 90
SSL VPN History on Cisco IOS Routers 90
SSL VPN Licenses on Cisco IOS Routers 90
Summary 91
Chapter 5 SSL VPNs on Cisco ASA 93
SSL VPN Design Considerations 93
SSL VPN Prerequisites 95
SSL VPN Licenses 95
Client Operating System and Browser and Software Requirements 96
Infrastructure Requirements 97
Pre-SSL VPN Configuration Guide 97
Enrolling Digital Certificates (Recommended) 98
Step 1: Configuring a Trustpoint 98
Step 2: Obtaining a CA Certificate 99
Step 3: Obtaining an Identity Certificate 100
Setting Up ASDM 101
Uploading ASDM 102
Setting Up the Appliance 103
Accessing ASDM 104
Setting Up Tunnel and Group Policies 106
Configuring Group-Policies 107
Configuring a Tunnel Group 110
Setting Up User Authentication 110
Clientless SSL VPN Configuration Guide 114
Enabling Clientless SSL VPN on an Interface 116
Configuring SSL VPN Portal Customization 117
Logon Page 118
Portal Page 123
Logout Page 125
Portal Customization and User Group 126
Full Customization 129
Configuring Bookmarks 134
Configuring Websites 135
Configuring File Servers 137
Applying a Bookmark List to a Group Policy 139
Single Sign-On 140
Configuring Web-Type ACLs 141
Configuring Application Access 144
Configuring Port Forwarding 144
Configuring Smart Tunnels 147
Configuring Client-Server Plug-Ins 150
AnyConnect VPN Client Configuration Guide 152
Loading the SVC Package 154
Defining AnyConnect VPN Client Attributes 155
Enabling AnyConnect VPN Client Functionality 155
Defining a Pool of Addresses 156
Configuring Traffic Filters 159
Configuring a Tunnel Group 159
Advanced Full Tunnel Features 159
Split Tunneling 159
DNS and WINS Assignment 161
Keeping the SSL VPN Client Installed 162
Configuring DTLS 163
Cisco Secure Desktop 164
CSD Components 165
Secure Desktop Manager 165
Secure Desktop 165
Cache Cleaner 166
CSD Requirements 166
Supported Operating Systems 166
User Privileges 167
Supported Internet Browsers 167
Internet Browser Settings 167
CSD Architecture 168
Configuring CSD 169
Loading the CSD Package 169
Defining Prelogin Sequences 170
Host Scan 182
Host Scan Modules 183
Basic Host Scan 183
Endpoint Assessment 183
Advanced Endpoint Assessment 184
Configuring Host Scan 184
Setting Up Basic Host Scan 184
Enabling Endpoint Host Scan 186
Setting Up an Advanced Endpoint Host Scan 187
Dynamic Access Policies 189
DAP Architecture 190
DAP Records 191
DAP Selection Rules 191
DAP Configuration File 191
DAP Sequence of Events 191
Configuring DAP 192
Selecting a AAA Attribute 193
Selecting Endpoint Attributes 195
Defining Access Policies 197
Deployment Scenarios 205
AnyConnect Client with CSD and External Authentication 206
Step 1: Set Up CSD 207
Step 2: Set Up RADIUS for Authentication 207
Step 3: Configure AnyConnect SSL VPN 208
Clientless Connections with DAP 209
Step 1: Define Clientless Connections 210
Step 2: Configuring DAP 211
Monitoring and Troubleshooting SSL VPN 212
Monitoring SSL VPN 212
Troubleshooting SSL VPN 215
Troubleshooting SSL Negotiations 215
Troubleshooting AnyConnect Client Issues 215
Troubleshooting Clientless Issues 217
Troubleshooting CSD 219
Troubleshooting DAP 219
Summary 220
Chapter 6 SSL VPNs on Cisco IOS Routers 223
SSL VPN Design Considerations 223
IOS SSL VPN Prerequisites 225
IOS SSL VPN Configuration Guide 226
Configuring Pre-SSL VPN Setup 226
Setting Up User Authentication 226
Enrolling Digital Certificates (Recommended) 229
Loading SDM (Recommended) 232
Initial SSL VPN Configuration 235
Step 1: Setting Up an SSL VPN Gateway 237
Step 2: Setting Up an SSL VPN Context 239
Step 3: Configuring SSL VPN Look and Feel 241
Step 4: Configuring SSL VPN Group Policies 245
Advanced SSL VPN Features 247
Configuring Clientless SSL VPNs 247
Windows File Sharing 253
Configuring Application ACL 257
Thin Client SSL VPNs 259
Step 1: Defining Port-Forwarding Lists 261
Step 2: Mapping Port-Forwarding Lists to a Group Policy 262
AnyConnect SSL VPN Client 264
Step 1: Loading the AnyConnect Package 264
Step 2: Defining AnyConnect VPN Client Attributes 266
Cisco Secure Desktop 276
CSD Components 277
Secure Desktop Manager 277
Secure Desktop 277
Cache Cleaner 278
CSD Requirements 278
Supported Operating Systems 278
User Privileges 279
Supported Internet Browsers 279
Internet Browser Settings 279
CSD Architecture 280
Configuring CSD 281
Step 1: Loading the CSD Package 282
Step 2: Launching the CSD Package 283
Step 3: Defining Policies for Windows-Based Clients 283
Defining Policies for Windows CE 298
Defining Policies for the Mac and Linux Cache Cleaner 298
Deployment Scenarios 301
Clientless Connections with CSD 301
Step 1: User Authentication and DNS 302
Step 2: Set Up CSD 303
Step 3: Define Clientless Connections 303
AnyConnect Client and External Authentication 304
Step 1: Set Up RADIUS for Authentication 305
Step 2: Install the AnyConnect SSL VPN 306
Step 3: Configure AnyConnect SSL VPN Properties 306
Monitoring an SSL VPN in Cisco IOS 307
Summary 311
Chapter 7 Management of SSL VPNs 313
Multidevice Policy Provisioning 314
Device View and Policy View 314
Device View 314
Policy View 318
Use of Common Objects for Multidevice Management 320
Workflow Control and Role-Based Access Control 322
Workflow Control 323
Workflow Mode 324
Role-Based Administration 326
Native Mode 326
Cisco Secure ACS Integration Mode 327
Summary 331
References 331
Index 332

Product details: 369 pages, PDF format, 12,701 KB. 2008 Cisco Systems, Inc.

David Hucaby

Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

We greatly appreciate your assistance.

Publisher Paul Boger
Associate Publisher Dave Dusthimer
Cisco Representative Anthony Wolfenden
Cisco Press Program Manager Jeff Brady
Executive Editor Brett Bartow
Managing Editor Patrick Kanouse
Senior Development Editor Christopher Cleveland
Project Editor Mandie Frank
Copy Editor Kevin Kent
Technical Editors Greg Abelar, Mark Macumber
Editorial Assistant Vanessa Evans
Designer Louisa Adair
Composition S4 Carlisle Publishing Services
Indexer Tim Wright
Proofreader Kathy Bidmen

Cisco ASA, PIX, & FWSM
Firewall Handbook, Second Edition

About the Author
David Hucaby, CCIE No. 4594, is a lead network engineer for the University of Kentucky,
where he works with health-care networks based on the Cisco Catalyst, ASA, FWSM, and VPN product lines. He was one of the beta reviewers of the ASA 8.0 operating system software. He has a B.S. and M.S. in electrical engineering from the University of Kentucky. He is the author of three other books from Cisco Press: CCNP BCMSN Official Exam Certification Guide, Cisco Field Manual: Router Configuration, and Cisco Field Manual: Catalyst Switch Configuration.
He lives in Kentucky with his wife, Marci, and two daughters.

About the Technical Reviewers
Greg Abelar has been an employee of Cisco since December 1996. He was an original member of the Cisco Technical Assistance Security team, helping to hire and train many of the engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco. Greg is the primary founder and project manager of the Cisco written CCIE Security exam. Greg is the author of the Cisco Press title Securing Your Business with Cisco ASA and PIX Firewalls and coauthor of Security Threat Mitigation and Response: Understanding Cisco Security MARS, and has been a technical editor for various Cisco Press security books.
Visit Greg's blogs:
Internet Security for the Home—
Enterprise Internet Security—

Mark Macumber is a systems engineer in the field sales organization for Cisco. Mark joined Cisco in 1999 working in the Network Service Provider Sales Division on Internet Service Provider networks and with telco DSL network designs. Since 2002, Mark has served in the large enterprise customer space working through customer designs for campus switching, WAN routing, unified communications, wireless, and security. Security products and architecture are Mark's current technical focus within the enterprise space. The Enterprise Security SE team learns and delivers content on Cisco security products such as firewalls, host/network based intrusion detection/prevention systems, AAA, security information management, network admission control, and SSL/IPSec VPN.

This book focuses on the complete product line of Cisco firewall hardware: the PIX and ASA Security Appliance families and the Catalyst Firewall Services Module (FWSM). Of the many sources of information and documentation about Cisco firewalls, very few provide a quick and portable solution for networking professionals.

This book is designed to provide a quick and easy reference guide for all the features that can be configured on any Cisco firewall. In essence, an entire bookshelf of firewall documentation, along with other networking reference material, has been "squashed" into one handy volume. This book covers only the features that can be used for stateful traffic inspection and overall network security. Although Cisco firewalls can also support VPN functions, those subjects are not covered here.

This book is based on the most current Cisco firewall software releases available at press time—ASA release 8.0(1) and FWSM release 3.2(1).

In the book, you will find ASA, PIX, and FWSM commands presented side-by-side for any specific task. The command syntax is shown with a label indicating the type of software that is running, according to the following convention:
• ASA— Refers to any platform that can run ASA release 7.0(1) or later. This can include the ASA 5500 family, as well as the PIX 500 family. For example, even though a PIX 535 can run a specific build of the ASA 8.0(1) code, the commands are still labeled "ASA" to follow the operating system being used.
• PIX— Refers to a PIX release 6.3.
• FWSM— Refers to FWSM release 3.1(1) or later.
If you are using an earlier version of software, you might find that the configuration commands differ slightly.

With the advent of the ASA platform, Cisco began using different terminology: firewalls became known as security appliances because of the rich security features within the software and because of the modular nature of the ASA chassis. This new terminology has been incorporated in this book where appropriate. However, the term firewall is still most applicable here because this book deals with both security appliances and firewalls embedded within Catalyst switch chassis. As you read this book, keep in mind that the terms firewall and security appliance are used interchangeably.

How This Book Is Organized
This book is meant to be used as a tool in your day-to-day tasks as a network or security administrator, engineer, consultant, or student. I have attempted to provide a thorough explanation of many of the more complex firewall features. When you better understand how a firewall works, you will find it much easier to configure and troubleshoot.
This book is divided into chapters that present quick facts, configuration steps, and explanations of configuration options for each Cisco firewall feature. The chapters and appendixes are as follows:
• Chapter 1, "Firewall Overview"— Describes how a Cisco firewall inspects traffic. It also offers concise information about the various firewall models and their performance.
• Chapter 2, "Configuration Fundamentals"— Discusses the Cisco firewall user interfaces, feature sets, and configuration methods.
• Chapter 3, "Building Connectivity"— Explains how to configure firewall interfaces, routing, IP addressing services, and IP multicast support.
• Chapter 4, "Firewall Management"— Explains how to configure and maintain security contexts, flash files, and configuration files; how to manage users; and how to monitor firewalls with SNMP.
• Chapter 5, "Managing Firewall Users"— Covers the methods you can use to authenticate, authorize, and maintain accounting records for a firewall's administrative and end users.
• Chapter 6, "Controlling Access Through the Firewall"— Describes the operation and configuration of the transparent and routed firewall modes, as well as address translation. Other topics include traffic shunning and threat detection.
• Chapter 7, "Inspecting Traffic"— Covers the Modular Policy Framework, which is used to define security policies that identify and act on various types of traffic. The chapter also discusses the application layer inspection engines that are used within security policies, as well as content filtering.
• Chapter 8, "Increasing Firewall Availability with Failover"— Explains firewall failover operation and configuration, offering high availability with a pair of firewalls operating in tandem.
• Chapter 9, "Firewall Load Balancing"— Discusses how firewall load balancing works and how it can be implemented in a production network to distribute traffic across many firewalls in a firewall farm.
• Chapter 10, "Firewall Logging"— Explains how to configure a firewall to generate an activity log, as well as how to analyze the log's contents.
• Chapter 11, "Verifying Firewall Operation"— Covers how to check a firewall's vital signs to determine its health, how to verify its connectivity, and how to observe data that is passing through it.
• Chapter 12, "ASA Modules"— Discusses the Security Services Modules (SSMs) that can be added into an ASA chassis, along with their basic configuration and use.
• Appendix A, "Well-Known Protocol and Port Numbers"— Presents lists of well-known IP protocol numbers, ICMP message types, and IP port numbers that are supported in firewall configuration commands.
• Appendix B, "Security Appliance Logging Messages"— Provides a quick reference to the many logging messages that can be generated from an ASA, PIX, or FWSM firewall.

How to Use This Book
The information in this book follows a quick-reference format. If you know what firewall feature or technology you want to use, you can turn right to the section that deals with it. The main sections are numbered with a quick-reference index that shows both the chapter and the section (for example, 3-3 is Chapter 3, section 3). You'll also find shaded index tabs on each page, listing the section number.

Feature Description
Each major section begins with a detailed explanation of or a bulleted list of quick facts about the feature. Refer to this information to quickly learn or review how the feature works.
Configuration Steps
Each feature that is covered in a section includes the required and optional commands used for common configuration. The difference is that the configuration steps are presented in an outline format. If you follow the outline, you can configure a complex feature or technology. If you find that you do not need a certain feature option, skip over that level in the outline.
In some sections, you will also find that each step in a configuration outline presents the commands from multiple firewall platforms side-by-side in a concise manner. You can stay in the same configuration section no matter what type or model of firewall you are dealing with.
Sample Configurations
Each section includes an example of how to implement the commands and their options. Examples occur within the configuration steps, as well as at the end of a main section. I have tried to present the examples with the commands listed in the order you would actually enter them to follow the outline.
Many times, it is more difficult to study and understand a configuration example from an actual firewall because the commands are displayed in a predefined order—not in the order you entered them. Where possible, the examples have also been trimmed to show only the commands presented in the section.
Displaying Information About a Feature
Each section includes plenty of information about the commands you can use to show information about that firewall feature. I have tried to provide examples of this output to help you interpret the same results on your firewall.

Today's networks are called upon to securely deliver data, voice, videoconferencing, wireless communication, and much more to a wide variety of users, such as employees, suppliers, partners, and customers. Securing the network has become a vital task to ensure this ubiquitous connectivity is delivered without risking unauthorized access, misuse, or attacks on the network. While a vast number of different security technologies are now being applied to the problem of securing networks and endpoints, the long-proven and trusted firewall remains the central component to any security deployment. It is the firewall that continues to act as the primary gatekeeper, ensuring that all network traffic, from Layer 2 to Layer 7, is authorized and verified as legitimate before it transits the network.

Many books on network security and firewalls settle for a discussion focused primarily on concepts and theory. This book, however, goes well beyond these topics. It covers, in tremendous detail, the information every network and security administrator needs to know when configuring and managing market-leading firewall products from Cisco, including the PIX and ASA Security Appliances and Catalyst Firewall Services Module. As the title suggests, this book is really a handbook that provides in-depth explanations of the initial configuration and, perhaps more importantly, the ongoing management of Cisco firewalls. It provides practical, day-to-day guidance for how to successfully configure all aspects of the firewall, including topics such as establishing access control policies, authorizing end users, leveraging high availability deployments, and monitoring firewall health through a variety of management interfaces.
In addition to his role managing Cisco firewalls as a lead network engineer for the University of Kentucky, the author, David Hucaby, CCIE, spent considerable time collaborating directly with the Cisco engineering teams responsible for these products to ensure this book contains the most in-depth, useful, and up-to-date information available anywhere. Keep this book handy—you will find yourself referencing it often!
Jason W. Nolet
Vice President of Engineering
Security Technology Group
June 2007


Product details: 964 pages, PDF format, 8,980 KB. 2008 Cisco Systems, Inc.

Michael Watkins, Kevin Wallace, CCIE No. 7945

Master the IINS 640-553 Exam with this Official Study Guide
Assess your Knowledge with Chapter-Opening Quizzes
Review Key Concept with Exam Preparation Tasks
Practice with Realistic Exam Questions on the CD-ROM

CCNA Security: Official Exam Certification Guide

About the Authors
Michael Watkins, CCNA/CCNP/CCVP/CCSP, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, he has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the U.S. Air Force to help them implement and learn about the latest network technologies. In addition to holding more than 20 industry certifications in the areas of networking and programming technologies, he holds a bachelor of arts degree from Wabash College.

Kevin Wallace, CCIE No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, he has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. He holds a bachelor of science degree in electrical engineering from the University of Kentucky. He is also a CCVP, CCSP, CCNP, and CCDP, with multiple Cisco security and IP communications specializations.

About the Technical Reviewers
Ryan Lindfield is an instructor and network administrator with Boson. He has more than
ten years of network administration experience. He has taught many courses designed for
CCNA, CCNP, and CCSP preparation, among others. He has written many practice exams
and study guides for various networking technologies. He also works as a consultant, where
among his tasks are installing and configuring Cisco routers, switches, VPNs, IDSs, and firewalls.

Anthony Sequeira, CCIE No. 15626, completed the CCIE in Routing and Switching in
January 2006. He is currently pursuing the CCIE in Security. For the past 15 years, he has
written and lectured to massive audiences about the latest in networking technologies. He
is currently a senior technical instructor and certified Cisco Systems instructor for SkillSoft.
He lives with his wife and daughter in Florida. When he is not reading about the latest Cisco
innovations, he is exploring the Florida skies in a Cessna.

From Michael Watkins:
I want to thank the team at Cisco Press for their direction and support throughout the
writing process. For their support and encouragement throughout this process, I wish to
thank and acknowledge Tom Warrick and the instructor team at SkillSoft. I also wish to
thank Kevin Wallace, who brought his talent and experience to this project and was an
enormous help each step of the way.
Finally, I want to thank my family for their continued support through this project,
especially my children, Abigail, Matthew, and Addison, who are always an inspiration in all that I do.
From Kevin Wallace:
I wish to express my sincere thanks to the team at Cisco Press. You guys are a class act, and
I’m honored to be associated with you. Also, I give a huge thank-you to Michael Watkins
for inviting me to participate in writing this book.
On a personal note, I know all the good things in my life come from above, and I thank God
for those blessings. Also, my wife, Vivian, and my daughters, Sabrina and Stacie, have
become accustomed to seeing me attached to my laptop over the past few months. Thank
you for your love and support throughout this process.


Congratulations on your decision to pursue a Cisco Certification! If you’re reading far
enough to look at the introduction to this book, you likely already have a sense of what you
ultimately would like to achieve—the Cisco CCNA Security certification. Achieving Cisco
CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco
certifications are recognized throughout the networking industry as a rigorous test of a
candidate’s knowledge of and ability to work with Cisco technology. Through its quality
technologies, Cisco has garnered a significant market share in the router and switch
marketplace, with more than 80 percent market share in some markets. For many industries
and markets around the world, networking equals Cisco. Cisco certification will set you
apart from the crowd and allow you to display your knowledge as a networking security professional.

Historically speaking, the first entry-level Cisco certification is the Cisco Certified Network
Associate (CCNA) certification, first offered in 1998.
With the introduction of the CCNA Security certification, Cisco has for the first time
provided an area of focus at the associate level. The CCNA Security certification is for
networking professionals who work with Cisco security technologies and who want to
demonstrate their mastery of core network security principles and technologies.

Format of the IINS Exam
The 640-553 IINS exam follows the same general format of other Cisco exams. When you
get to the testing center and check in, the proctor gives you some general instructions and
then takes you into a quiet room with a PC. When you’re at the PC, you have a few things
to do before the timer starts on your exam. For instance, you can take a sample quiz, just to
get accustomed to the PC and the testing engine. If you have user-level PC skills, you
should have no problems with the testing environment. Additionally, Chapter 16 points to
a Cisco website where you can see a demo of the actual Cisco test engine.
When you start the exam, you are asked a series of questions. You answer the question and
then move on to the next question. The exam engine does not let you go back and change
your answer. When you move on to the next question, that’s it for the earlier question.
The exam questions can be in one of the following formats:
■ Multiple-choice (MC)
■ Testlet
■ Drag-and-drop (DND)
■ Simulated lab (Sim)
■ Simlet
The first three types of questions are relatively common in many testing environments. The
multiple-choice format simply requires that you point and click a circle beside the correct
answer(s). Cisco traditionally tells you how many answers you need to choose, and the
testing software prevents you from choosing too many answers. Testlets are questions with
one general scenario, with multiple MC questions about the overall scenario. Drag-and-drop
questions require you to click and hold, move a button or icon to another area, and
release the mouse button to place the object somewhere else—typically in a list. For
example, to get the question correct, you might need to put a list of five things in the proper order.

The last two types both use a network simulator to ask questions. Interestingly, these two
types allow Cisco to assess two very different skills. Sim questions generally describe a
problem, and your task is to configure one or more routers and switches to fix the problem.
The exam then grades the question based on the configuration you changed or added.
Sim questions are also the only question type for which Cisco has (to date) openly
confirmed that partial credit is given.

The Simlet questions may well be the most difficult style of question on the exams. Simlet
questions also use a network simulator, but instead of answering the question by changing
the configuration, the question includes one or more MC questions. The questions require
that you use the simulator to examine the current behavior of a network, interpreting the
output of any show commands that you can remember to answer the question. Whereas Sim
questions require you to troubleshoot problems related to a configuration, Simlets require
you to analyze both working networks and networks with problems, correlating show
command output with your knowledge of networking theory and configuration commands.

What’s on the IINS Exam?
Cisco wants the public to know both the variety of topics and the kinds of knowledge and
skills that are required for each topic, for every Cisco certification exam. To that end, Cisco
publishes a set of exam topics for each exam. The topics list the specific subjects, such as
ACLs, PKI, and AAA, that you will see on the exam. The wording of the topics also implies
the kinds of skills required for that topic. For example, one topic might start with
“Describe...”, and another might begin with “Describe, configure, and troubleshoot...”. The
second objective clearly states that you need a thorough and deep understanding of that
topic. By listing the topics and skill level, Cisco helps you prepare for the exam.

Although the exam topics are helpful, keep in mind that Cisco adds a disclaimer that the
posted exam topics for all its certification exams are guidelines. Cisco makes an effort to
keep the exam questions within the confines of the stated exam topics. I know from talking
to those involved that every question is analyzed to ensure that it fits within the stated exam topics.

About the 
As mentioned earlier, Cisco has outlined the topics tested on the 640-553 IINS exam. This
book maps to these topic areas and provides some background material to give context and
to help you understand these topics.

This section lists this book’s variety of features. A number of basic features included in this
book are common to all Cisco Press Official Exam Certification Guides. These features are
designed to help you prepare to pass the official certification exam, as well as help you learn
relevant real-world concepts and procedures.

Objectives and Methods
The most important and somewhat obvious objective of this book is to help you pass the
640-553 IINS exam. In fact, if the primary objective of this book were different, the book’s
title would be misleading! However, the methods used in this book to help you pass the
exams are also designed to make you much more knowledgeable about how to do your job.
This book uses several key methodologies to help you discover the exam topics on which
you need more review, to help you fully understand and remember those details, and to help
you prove to yourself that you have retained your knowledge of those topics. So, this book
does not try to help you pass the exams only by memorization, but by truly learning and
understanding the topics. The CCNA Security certification is the foundation of the
professional level Cisco certification in security, the CCSP, so it is important that this book
also help you truly learn the material. This book is designed to help you pass the CCNA
Security exam by using the following methods:
■ Helping you discover which exam topics you have not mastered
■ Providing explanations and information to fill in your knowledge gaps
■ Supplying exercises that enhance your ability to recall and deduce the answers to test questions
■ Providing practice exercises on the topics and the testing process via test questions on the CD

Book Features
To help you customize your study time using this book, the core chapters have several
features that help you make the best use of your time:
■ “Do I Know This Already?” quiz: Each chapter begins with a quiz that helps you
determine how much time you need to spend studying that chapter.
■ Foundation Topics: These are the core sections of each chapter. They explain the
protocols, concepts, and configuration for the topics in that chapter.
■ Exam Preparation Tasks: At the end of the “Foundation Topics” section of each
chapter, the “Exam Preparation Tasks” section lists a series of study activities that you
should do at the end of the chapter. Each chapter includes the activities that make the
most sense for studying the topics in that chapter.
— Review All the Key Topics: The Key Topic icon appears next to the most
important items in the “Foundation Topics” section of the chapter. The
Review All the Key Topics activity lists the Key Topics from the chapter,
along with their page numbers. Although the contents of the entire chapter
could be on the exam, you should definitely know the information listed in
each Key Topic, so you should review these.
— Complete the Tables and Lists from Memory: To help you memorize
some lists of facts, many of the more important lists and tables from the
chapter are included in a document on the CD. This document lists only
partial information, allowing you to complete the table or list.
— Definition of Key Terms: Although the exam may be unlikely to ask a
question such as “Define this term,” the CCNA exams do require that you
learn and know a lot of networking terminology. This section lists the most
important terms from the chapter, asking you to write a short definition and
compare your answer to the glossary at the end of the book.
— Command Reference Tables: Some chapters cover a large number of
configuration and EXEC commands. These tables list and describe the
commands introduced in the chapter. For exam preparation, use these tables
for reference, but also read them when performing the Exam Preparation
Tasks to make sure you remember what all the commands do.
■ CD-based practice exam: The companion CD contains an exam engine (from Boson
Software) that includes two question databases. One database
has a copy of all the “Do I Know This Already?” quiz questions from the book, and the
other has unique exam-realistic questions. To further help you prepare for the exam,
you can take a simulated IINS exam using the CD.

How This Book Is Organized
This book contains 15 core chapters—Chapters 1 through 15. Chapter 16 includes some
preparation tips and suggestions for how to approach the exam. Each core chapter covers a
subset of the topics on the IINS exam. The core chapters are organized into parts. They
cover the following topics:
■ Part I: Network Security Concepts
— Chapter 1, “Understanding Network Security Principles”: This chapter
explains the need for network security and discusses the elements of a secure
network. Additionally, legal and ethical considerations are discussed. You are
also introduced to various threats targeting the security of your network.
— Chapter 2, “Developing a Secure Network”: This chapter explains
the day-to-day procedures for deploying, maintaining, and retiring
information security components. You are also provided with considerations
and principles for authoring a security policy, in addition to creating user
awareness of the security policy. Finally, this chapter describes the Cisco
Self-Defending Network, which is Cisco’s vision for security systems.
— Chapter 3, “Defending the Perimeter”: This chapter describes methods of
securely accessing a router prompt for purposes of administration.
Additionally, you are given an overview of the Cisco Integrated Services
Router (ISR) line of routers. In this chapter you also examine the Cisco
Security Device Manager (SDM) interface. The graphical interface provided
by SDM allows administrators to configure a variety of router features using
a collection of wizards, which use best-practice recommendations from the
Cisco Technical Assistance Center (TAC).
— Chapter 4, “Configuring AAA”: This chapter explores the uses of AAA,
including the components that make it up, as well as the steps necessary to
successfully configure AAA using the local database. The role of Cisco ACS
is also examined as it relates to configuring AAA, including a discussion of
working with both RADIUS and TACACS+.
— Chapter 5, “Securing the Router”: This chapter discusses various router
services that attackers might target. To help you harden the security of a
router, this chapter also describes the AutoSecure feature and Cisco SDM’s
One-Step Lockdown feature. Next the chapter focuses on securing and
monitoring router access using syslog, SSH, and SNMPv3 technologies.
Finally, this chapter distinguishes between in-band and out-of-band network
management and how to use Cisco SDM to configure a variety of
management and monitoring features.
■ Part II: Constructing a Secure Infrastructure
— Chapter 6, “Securing Layer 2 Devices”: This chapter explains how Cisco
Catalyst switches can be configured to mitigate several common Layer 2
attacks. Then you are introduced to how Cisco Identity-Based Networking
Services (IBNS) uses IEEE 802.1x, RADIUS, and Extensible Authentication
Protocol (EAP) technologies to selectively allow access to network resources
based on user credentials.
— Chapter 7, “Implementing Endpoint Security”: This chapter examines a
variety of threats faced by endpoints in a network environment and introduces
a series of techniques that can be used to help safeguard systems from
common operating system vulnerabilities. This chapter also explores various
Cisco-specific technologies that may be used to defend endpoints from a
variety of attacks. Specifically, technologies such as IronPort, the Cisco NAC
Appliance, and the Cisco Security Agent are discussed.
— Chapter 8, “Providing SAN Security”: This chapter outlines the basics of
SAN operation and looks at the benefits that a SAN brings to the enterprise
as a whole. A variety of security mechanisms, such as LUN masking, SAN
zoning, and port authentication, are also explored as steps that may be taken
to safeguard data in a SAN environment.
— Chapter 9, “Exploring Secure Voice Solutions”: This chapter introduces
you to voice over IP (VoIP) networks. You learn what business benefits VoIP
offers, in addition to the components and protocols that support the
transmission of packetized voice across a data network. You are made aware
of specific threats targeting a VoIP network. Some threats (such as toll fraud)
are found in traditional telephony networks, but others are specific to VoIP.
Finally, this chapter identifies specific actions you can take to increase the
security of VoIP networks. For example, you will consider how to use
firewalls and VPNs to protect voice networks and how to harden the security
of Cisco IP Phones and voice servers.
— Chapter 10, “Using Cisco IOS Firewalls to Defend the Network”: This
chapter begins by exploring the evolution of firewall technology and the role
of firewalls in constructing an overall network defense. This chapter also
examines how to use access control lists (ACL) to construct a static packet-filtering
mechanism for the enterprise environment. Finally, zone-based
firewalls are discussed because they represent a significant advance in firewall
technology. Their role in defending the network is examined.
— Chapter 11, “Using Cisco IOS IPS to Secure the Network”: This chapter
distinguishes between intrusion detection and intrusion prevention. Various
Intrusion Prevention System (IPS) appliances are introduced, and the concept
of signatures is discussed. Also, this chapter examines how to configure a
Cisco IOS router to act as an IPS sensor, as opposed to using, for example, a
dedicated IPS appliance. Specifically, the configuration discussed uses a
wizard available in the Cisco SDM interface.
■ Part III: Extending Security and Availability with Cryptography and VPNs
— Chapter 12, “Designing a Cryptographic Solution”: This chapter initially
explores the basics of cryptographic services and looks at their evolution.
This chapter also examines the use of symmetric encryption, including a
variety of symmetric algorithms such as DES, 3DES, AES, SEAL, and
various Rivest ciphers. This chapter concludes with a discussion of the
encryption process and what makes for a strong, trustworthy encryption algorithm.
— Chapter 13, “Implementing Digital Signatures”: This chapter begins with
a look at hash algorithms and explores their construction and usage. This
includes a discussion of their relative strengths and weaknesses in practical
application. The components that make up a digital signature are also
explored in depth, along with a discussion of their application as a means of
proving a message’s authenticity.
— Chapter 14, “Exploring PKI and Asymmetric Encryption”: This chapter
looks at the use of asymmetric algorithms in a PKI and examines the features
and capabilities of RSA specifically. The Diffie-Hellman (DH) algorithm is
also discussed, as to how it is used for key exchange. This chapter also
explores the makeup of the PKI infrastructure and discusses the various
components and topologies that may be employed.
— Chapter 15, “Building a Site-to-Site IPsec VPN Solution”: This chapter
introduces you to an IPsec virtual private network (VPN) and its components.
Additionally, you explore specific devices in the Cisco VPN product family.
Then you are presented with Cisco best-practice recommendations for VPNs.
This chapter then walks you through the process of configuring an IPsec site-to-site
VPN on an IOS router, using both the command-line interface and the
Cisco Security Device Manager (SDM) interface.
■ Part IV: Final Preparation
— Chapter 16, “Final Preparation”: This chapter identifies tools for final
exam preparation and helps you develop an effective study plan.
■ Part V: Appendixes
— Appendix A, “Answers to the ‘Do I Know This Already?’ Questions”:
Includes the answers to all the questions from Chapters 1 through 15.
— Appendix B, “Glossary”: The glossary contains definitions of all the terms
listed in the “Definition of Key Terms” section at the conclusion of Chapters 1 through 15.
— Appendix C, “CCNA Security Exam Updates: Version 1.0”: This
appendix provides instructions for finding updates to the exam and this book when and if they occur.
— Appendix D, “Memory Tables”: This CD-only appendix contains the key
tables and lists from each chapter, with some of the contents removed. You
can print this appendix and, as a memory exercise, complete the tables and
lists. The goal is to help you memorize facts that can be useful on the exams.
This appendix is available in PDF format on the CD; it is not in the printed book.
— Appendix E, “Memory Tables Answer Key”: This CD-only appendix
contains the answer key for the memory tables in Appendix D. This appendix
is available in PDF format on the CD; it is not in the printed book.



Product details
File size: 14,561 KB
Pages: 776
File type: PDF format
2008 Cisco Systems, Inc.

Contents at a Glance
Foreword xxvi
Introduction xxvii
Part I Network Security Concepts
Chapter 1 Understanding Network Security Principles 5
Chapter 2 Developing a Secure Network 45
Chapter 3 Defending the Perimeter 77
Chapter 4 Configuring AAA 111
Chapter 5 Securing the Router 155
Part II Constructing a Secure Infrastructure
Chapter 6 Securing Layer 2 Devices 207
Chapter 7 Implementing Endpoint Security 251
Chapter 8 Providing SAN Security 279
Chapter 9 Exploring Secure Voice Solutions 297
Chapter 10 Using Cisco IOS Firewalls to Defend the Network 319
Chapter 11 Using Cisco IOS IPS to Secure the Network 385
Part III Extending Security and Availability with Cryptography and VPNs
Chapter 12 Designing a Cryptographic Solution 429
Chapter 13 Implementing Digital Signatures 463
Chapter 14 Exploring PKI and Asymmetric Encryption 491
Chapter 15 Building a Site-to-Site IPsec VPN Solution 523
Part IV Final Preparation
Chapter 16 Final Preparation 577
Part V Appendixes
Appendix A Answers to “Do I Know This Already?” Questions 585
Appendix B Glossary 595
Appendix C CCNA Security Exam Updates: Version 1.0 617
Appendix D Memory Tables (CD only)
Appendix E Memory Tables Answer Key (CD only)
Index 620

Table of Contents
Foreword xxvi
Introduction xxvii
Part I Network Security Concepts 3
Chapter 1 Understanding Network Security Principles
“Do I Know This Already?” Quiz 5
Foundation Topics 9
Exploring Security Fundamentals 9
Why Network Security Is a Necessity 9
Types of Threats 9
Scope of the Challenge 10
Nonsecured Custom Applications 11
The Three Primary Goals of Network Security 12
Confidentiality 12
Integrity 12
Availability 13
Categorizing Data 13
Classification Models 13
Classification Roles 15
Controls in a Security Solution 16
Responding to a Security Incident 17
Legal and Ethical Ramifications 18
Legal Issues to Consider 19
Understanding the Methods of Network Attacks 20
Vulnerabilities 20
Potential Attackers 21
The Mind-set of a Hacker 23
Defense in Depth 24
Understanding IP Spoofing 27
Launching a Remote IP Spoofing Attack with IP Source Routing 28
Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack 29
Protecting Against an IP Spoofing Attack 30
Understanding Confidentiality Attacks 31
Understanding Integrity Attacks 33
Understanding Availability Attacks 36
Best-Practice Recommendations 40
Exam Preparation Tasks 41
Review All the Key Topics 41
Complete the Tables and Lists from Memory 42
Definition of Key Terms 42
Chapter 2 Developing a Secure Network
“Do I Know This Already?” Quiz 45
Foundation Topics 49
Increasing Operations Security 49
System Development Life Cycle 49
Initiation 49
Acquisition and Development 49
Implementation 50
Operations and Maintenance 50
Disposition 51
Operations Security Overview 51
Evaluating Network Security 52
Nmap 54
Disaster Recovery Considerations 55
Types of Disruptions 56
Types of Backup Sites 56
Constructing a Comprehensive Network Security Policy 57
Security Policy Fundamentals 57
Security Policy Components 58
Governing Policy 58
Technical Policies 58
End-User Policies 59
More-Detailed Documents 59
Security Policy Responsibilities 59
Risk Analysis, Management, and Avoidance 60
Quantitative Analysis 60
Qualitative Analysis 61
Risk Analysis Benefits 61
Risk Analysis Example: Threat Identification 61
Managing and Avoiding Risk 62
Factors Contributing to a Secure Network Design 62
Design Assumptions 63
Minimizing Privileges 63
Simplicity Versus Complexity 64
User Awareness and Training 64
Creating a Cisco Self-Defending Network 66
Evolving Security Threats 66
Constructing a Cisco Self-Defending Network 67
Cisco Security Management Suite 69
Cisco Integrated Security Products 70
Exam Preparation Tasks 74
Review All the Key Topics 74
Complete the Tables and Lists from Memory 75
Definition of Key Terms 75
Chapter 3 Defending the Perimeter
“Do I Know This Already?” Quiz 77
Foundation Topics 81
ISR Overview and Providing Secure Administrative Access 81
IOS Security Features 81
Cisco Integrated Services Routers 81
Cisco 800 Series 82
Cisco 1800 Series 83
Cisco 2800 Series 84
Cisco 3800 Series 84
ISR Enhanced Features 85
Password-Protecting a Router 86
Limiting the Number of Failed Login Attempts 92
Setting a Login Inactivity Timer 92
Configuring Privilege Levels 93
Creating Command-Line Interface Views 93
Protecting Router Files 95
Enabling Cisco IOS Login Enhancements for Virtual Connections 96
Creating a Banner Message 98
Cisco Security Device Manager Overview 99
Introducing SDM 99
Preparing to Launch Cisco SDM 101
Exploring the Cisco SDM Interface 102
Exam Preparation Tasks 106
Review All the Key Topics 106
Complete the Tables and Lists from Memory 106
Definition of Key Terms 106
Command Reference to Check Your Memory 107
Chapter 4 Configuring AAA
“Do I Know This Already?” Quiz 111
Foundation Topics 115
Configuring AAA Using the Local User Database 115
Authentication, Authorization, and Accounting 115
AAA for Cisco Routers 115
Router Access Authentication 116
Using AAA to Configure Local User Database Authentication 117
Defining a Method List 119
Setting AAA Authentication for Login 120
Configuring AAA Authentication on Serial Interfaces Running PPP 121
Using the aaa authentication enable default Command 122
Implementing the aaa authorization Command 122
Working with the aaa accounting Command 124
Using the CLI to Troubleshoot AAA for Cisco Routers 126
Using Cisco SDM to Configure AAA 127
Configuring AAA Using Cisco Secure ACS 128
Overview of Cisco Secure ACS for Windows 129
Additional Features of Cisco Secure ACS 4.0 for Windows 130
Cisco Secure ACS 4.0 for Windows Installation 132
Overview of TACACS+ and RADIUS 137
TACACS+ Authentication 138
Command Authorization with TACACS+ 140
TACACS+ Attributes 140
Authentication and Authorization with RADIUS 141
RADIUS Message Types 142
RADIUS Attributes 142
Features of RADIUS 143
Configuring TACACS+ 144
Using the CLI to Configure AAA Login Authentication on Cisco Routers 144
Configuring Cisco Routers to Use TACACS+ Using the Cisco SDM 146
Defining the AAA Servers 147
Exam Preparation Tasks 149
Review All the Key Topics 149
Complete the Tables and Lists from Memory 150
Definition of Key Terms 150
Command Reference to Check Your Memory 150
Chapter 5 Securing the Router
“Do I Know This Already?” Quiz 155
Foundation Topics 158
Locking Down the Router 158
Identifying Potentially Vulnerable Router Interfaces and Services 158
Locking Down a Cisco IOS Router 160
AutoSecure 161
Cisco SDM One-Step Lockdown 166
Using Secure Management and Reporting 171
Planning for Secure Management and Reporting 172
Secure Management and Reporting Architecture 172
Configuring Syslog Support 175
Securing Management Traffic with SNMPv3 179
Enabling Secure Shell on a Router 183
Using Cisco SDM to Configure Management Features 185
Configuring Syslog Logging with Cisco SDM 186
Configuring SNMP with Cisco SDM 190
Configuring NTP with Cisco SDM 194
Configuring SSH with Cisco SDM 196
Exam Preparation Tasks 201
Review All the Key Topics 201
Complete the Tables and Lists from Memory 201
Definition of Key Terms 202
Command Reference to Check Your Memory 202
Part II Constructing a Secure Infrastructure 205
Chapter 6 Securing Layer 2 Devices
“Do I Know This Already?” Quiz 207
Foundation Topics 211
Defending Against Layer 2 Attacks 211
Review of Layer 2 Switch Operation 211
Basic Approaches to Protecting Layer 2 Switches 212
Preventing VLAN Hopping 213
Switch Spoofing 213
Double Tagging 214
Protecting Against an STP Attack 215
Combating DHCP Server Spoofing 218
Using Dynamic ARP Inspection 220
Mitigating CAM Table Overflow Attacks 222
Spoofing MAC Addresses 223
Additional Cisco Catalyst Switch Security Features 225
Using the SPAN Feature with IDS 226
Enforcing Security Policies with VACLs 226
Isolating Traffic Within a VLAN Using Private VLANs 227
Traffic Policing 228
Notifying Network Managers of CAM Table Updates 228
Port Security Configuration 228
Configuration Recommendations 231
Cisco Identity-Based Networking Services 232
Introduction to Cisco IBNS 232
Overview of IEEE 802.1x 234
Extensible Authentication Protocols 236
EAP-MD5 236
PEAP (MS-CHAPv2) 238
Combining IEEE 802.1x with Port Security Features 239
Using IEEE 802.1x for VLAN Assignment 240
Configuring and Monitoring IEEE 802.1x 243
Exam Preparation Tasks 246
Review All the Key Topics 246
Complete the Tables and Lists from Memory 246
Definition of Key Terms 247
Command Reference to Check Your Memory 247
Chapter 7 Implementing Endpoint Security
“Do I Know This Already?” Quiz 251
Foundation Topics 254
Examining Endpoint Security 254
Defining Endpoint Security 254
Examining Operating System Vulnerabilities 255
Examining Application Vulnerabilities 257
Understanding the Threat of Buffer Overflows 258
Buffer Overflow Defined 259
The Anatomy of a Buffer Overflow Exploit 259
Understanding the Types of Buffer Overflows 260
Additional Forms of Attack 261
Securing Endpoints with Cisco Technologies 265
Understanding IronPort 265
The Architecture Behind IronPort 266
Examining the Cisco NAC Appliance 266
Working with the Cisco Security Agent 268
Understanding Cisco Security Agent Interceptors 269
Examining Attack Response with the Cisco Security Agent 272
Best Practices for Securing Endpoints 273
Application Guidelines 274
Apply Application Protection Methods 274
Exam Preparation Tasks 276
Review All the Key Topics 276
Complete the Tables and Lists from Memory 277
Definition of Key Terms 277
Chapter 8 Providing SAN Security
“Do I Know This Already?” Quiz 279
Foundation Topics 282
Overview of SAN Operations 282
Fundamentals of SANs 282
Organizational Benefits of SAN Usage 283
Understanding SAN Basics 284
Fundamentals of SAN Security 285
Classes of SAN Attacks 286
Implementing SAN Security Techniques 287
Using LUN Masking to Defend Against Attacks 287
Examining SAN Zoning Strategies 288
Examining Soft and Hard Zoning 288
Understanding World Wide Names 289
Defining Virtual SANs 290
Combining VSANs and Zones 291
Identifying Port Authentication Protocols 292
Understanding DHCHAP 292
CHAP in Securing SAN Devices 292
Working with Fibre Channel Authentication Protocol 292
Understanding Fibre Channel Password Authentication Protocol 293
Assuring Data Confidentiality in SANs 293
Incorporating Encapsulating Security Payload (ESP) 294
Providing Security with Fibre Channel Security Protocol 294
Exam Preparation Tasks 295
Review All the Key Topics 295
Complete the Tables and Lists from Memory 295
Definition of Key Terms 295
Chapter 9 Exploring Secure Voice Solutions
“Do I Know This Already?” Quiz 297
Foundation Topics 301
Defining Voice Fundamentals 301
Defining VoIP 301
The Need for VoIP 302
VoIP Network Components 303
VoIP Protocols 305
Identifying Common Voice Vulnerabilities 307
Attacks Targeting Endpoints 307
VoIP Spam 308
Vishing and Toll Fraud 308
SIP Attack Targets 309
Securing a VoIP Network 310
Protecting a VoIP Network with Auxiliary VLANs 310
Protecting a VoIP Network with Security Appliances 311
Hardening Voice Endpoints and Application Servers 313
Summary of Voice Attack Mitigation Techniques 316
Exam Preparation Tasks 317
Review All the Key Topics 317
Complete the Tables and Lists from Memory 317
Definition of Key Terms 317
Chapter 10 Using Cisco IOS Firewalls to Defend the Network
“Do I Know This Already?” Quiz 319
Foundation Topics 323
Exploring Firewall Technology 323
The Role of Firewalls in Defending Networks 323
The Advance of Firewall Technology 325
Transparent Firewalls 326
Application Layer Firewalls 327
Benefits of Using Application Layer Firewalls 329
Working with Application Layer Firewalls 330
Application Firewall Limitations 332
Static Packet-Filtering Firewalls 333
Stateful Packet-Filtering Firewalls 335
Stateful Packet Filtering and the State Table 335
Disadvantages of Stateful Filtering 336
Uses of Stateful Packet-Filtering Firewalls 337
Application Inspection Firewalls 338
Application Inspection Firewall Operation 340
Effective Use of an Application Inspection Firewall 341
Overview of the Cisco ASA Adaptive Security Appliance 342
The Role of Firewalls in a Layered Defense Strategy 343
Creating an Effective Firewall Policy 345
Using ACLs to Construct Static Packet Filters 347
The Basics of ACLs 348
Cisco ACL Configuration 349
Working with Turbo ACLs 350
Developing ACLs 351
Using the CLI to Apply ACLs to the Router Interface 352
Considerations When Creating ACLs 353
Filtering Traffic with ACLs 354
Preventing IP Spoofing with ACLs 357
Restricting ICMP Traffic with ACLs 358
Configuring ACLs to Filter Router Service Traffic 360
vty Filtering 360
SNMP Service Filtering 361
RIPv2 Route Filtering 361
Grouping ACL Functions 362
Implementing a Cisco IOS Zone-Based Firewall 364
Understanding Cisco IOS Firewalls 364
Traffic Filtering 365
Traffic Inspection 366
The Role of Alerts and Audit Trails 366
Classic Firewall Process 367
SPI and CBAC 368
Examining the Principles Behind Zone-Based Firewalls 369
Changes to Firewall Configuration 370
Zone Membership Rules 371
Understanding Security Zones 373
Zones and Inspection 373
Security Zone Restrictions 373
Working with Zone Pairs 375
Security Zone Firewall Policies 376
Class Maps 378
Verifying Zone-Based Firewall Configuration 379
Exam Preparation Tasks 380
Review All the Key Topics 380
Complete the Tables and Lists from Memory 381
Definition of Key Terms 381
Command Reference to Check Your Memory 382
Chapter 11 Using Cisco IOS IPS to Secure the Network
“Do I Know This Already?” Quiz 385
Foundation Topics 388
Examining IPS Technologies 388
IDS Versus IPS 388
IDS and IPS Device Categories 389
Detection Methods 389
Network-Based Versus Host-Based IPS 391
Deploying Network-Based and Host-Based Solutions 394
IDS and IPS Appliances 395
Cisco IDS 4215 Sensor 396
Cisco IPS 4240 Sensor 397
Cisco IPS 4255 Sensor 397
Cisco IPS 4260 Sensor 397
Signatures 398
Exploit Signatures 398
Connection Signatures 399
String Signatures 399
Denial-of-Service Signatures 399
Signature Definition Files 399
Alarms 400
Using SDM to Configure Cisco IOS IPS 401
Launching the Intrusion Prevention Wizard 401
IPS Policies Wizard 404
Creating IPS Rules 410
Manipulating Global IPS Settings 417
Signature Configuration 419
Exam Preparation Tasks 425
Review All the Key Topics 425
Complete the Tables and Lists from Memory 425
Definition of Key Terms 425
Part III Extending Security and Availability with Cryptography and VPNs 427
Chapter 12 Designing a Cryptographic Solution
“Do I Know This Already?” Quiz 429
Foundation Topics 433
Introducing Cryptographic Services 433
Understanding Cryptology 433
Cryptography Through the Ages 434
The Substitution Cipher 434
The Vigenère Cipher 435
Transposition Ciphers 436
Working with the One-Time Pad 436
The Encryption Process 437
Cryptanalysis 438
Understanding the Features of Encryption Algorithms 440
Symmetric and Asymmetric Encryption Algorithms 441
Encryption Algorithms and Keys 441
Symmetric Encryption Algorithms 441
Asymmetric Encryption Algorithms 443
The Difference Between Block and Stream Ciphers 444
Block Ciphers 444
Stream Ciphers 445
Exploring Symmetric Encryption 445
Functionality of Symmetric Encryption Algorithms 446
Key Lengths 446
Features and Functions of DES 447
Working with the DES Key 447
Modes of Operation for DES 447
Working with DES Stream Cipher Modes 449
Usage Guidelines for Working with DES 449
Understanding How 3DES Works 450
Encrypting with 3DES 450
AES 451
The Rijndael Cipher 451
Comparing AES and 3DES 451
Availability of AES in the Cisco Product Line 452
SEAL 452
SEAL Restrictions 452
The Rivest Ciphers 452
Understanding Security Algorithms 453
Selecting an Encryption Algorithm 453
Understanding Cryptographic Hashes 455
Working with Hashing 455
Designing Key Management 456
Components of Key Management 456
Understanding Keyspaces 456
Issues Related to Key Length 457
SSL VPNs 458
Establishing an SSL Tunnel 459
Exam Preparation Tasks 460
Review All the Key Topics 460
Complete the Tables and Lists from Memory 461
Definition of Key Terms 461
Chapter 13 Implementing Digital Signatures
“Do I Know This Already?” Quiz 463
Foundation Topics 466
Examining Hash Algorithms 466
Exploring Hash Algorithms and HMACs 466
Anatomy of a Hash Function 467
Application of Hash Functions 467
Cryptographic Hash Functions 468
Application of Cryptographic Hashes 469
HMAC Explained 470
MD5 Features and Functionality 471
Origins of MD5 472
Vulnerabilities of MD5 473
Usage of MD5 475
SHA-1 Features and Functionality 475
Overview of SHA-1 476
Vulnerabilities of SHA-1 477
Usage of SHA-1 478
Using Digital Signatures 478
Understanding Digital Signatures 480
Digital Signature Scheme 483
Authentication and Integrity 483
Examining RSA Signatures 483
Exploring the History of RSA 484
Understanding How RSA Works 484
Encrypting and Decrypting Messages with RSA 485
Signing Messages with RSA 485
Vulnerabilities of RSA 486
Exploring the Digital Signature Standard 487
Using the DSA Algorithm 487
Exam Preparation Tasks 488
Review All the Key Topics 488
Complete the Tables and Lists from Memory 489
Definition of Key Terms 489
Chapter 14 Exploring PKI and Asymmetric Encryption
“Do I Know This Already?” Quiz 491
Foundation Topics 494
Understanding Asymmetric Algorithms 494
Exploring Asymmetric Encryption Algorithms 494
Using Public-Key Encryption to Achieve Confidentiality 495
Providing Authentication with a Public Key 496
Understanding the Features of the RSA Algorithm 497
Working with RSA Digital Signatures 498
Guidelines for Working with RSA 499
Examining the Features of the Diffie-Hellman Key Exchange Algorithm 499
Steps of the Diffie-Hellman Key Exchange Algorithm 500
Working with a PKI 500
Examining the Principles Behind a PKI 501
Understanding PKI Terminology 501
Components of a PKI 501
Classes of Certificates 502
Examining the PKI Topology of a Single Root CA 502
Examining the PKI Topology of Hierarchical CAs 503
Examining the PKI Topology of Cross-Certified CAs 505
Understanding PKI Usage and Keys 506
Working with PKI Server Offload 506
Understanding PKI Standards 507
Understanding X.509v3 507
Understanding Public Key Cryptography Standards (PKCS) 508
Understanding Simple Certificate Enrollment Protocol (SCEP) 510
Exploring the Role of Certificate Authorities and Registration Authorities in a PKI 511
Examining Identity Management 512
Retrieving the CA Certificate 513
Understanding the Certificate Enrollment Process 513
Examining Authentication Using Certificates 514
Examining Features of Digital Certificates and CAs 515
Understanding the Caveats of Using a PKI 516
Understanding How Certificates Are Employed 517
Exam Preparation Tasks 519
Review All the Key Topics 519
Complete the Tables and Lists from Memory 519
Definition of Key Terms 520
Chapter 15 Building a Site-to-Site IPsec VPN Solution
“Do I Know This Already?” Quiz 523
Foundation Topics 527
Exploring the Basics of IPsec 527
Introducing Site-to-Site VPNs 527
Overview of IPsec 529
IKE Modes and Phases 529
Authentication Header and Encapsulating Security Payload 531
Cisco VPN Product Offerings 533
Cisco VPN-Enabled Routers and Switches 533
Cisco VPN 3000 Series Concentrators 535
Cisco ASA 5500 Series Appliances 536
Cisco 500 Series PIX Security Appliances 538
Hardware Acceleration Modules 538
VPN Design Considerations and Recommendations 539
Best-Practice Recommendations for Identity and IPsec Access Control 540
Best-Practice Recommendations for IPsec 540
Best-Practice Recommendations for Network Address Translation 541
Best-Practice Recommendations for Selecting a Single-Purpose Versus Multipurpose Device 541
Constructing an IPsec Site-to-Site VPN 542
The Five Steps in the Life of an IPsec Site-to-Site VPN 542
The Five Steps of Configuring an IPsec Site-to-Site VPN 543
Configuring an IKE Phase 1 Tunnel 543
Configuring an IKE Phase 2 Tunnel 545
Applying Crypto Maps 546
Using Cisco SDM to Configure IPsec on a Site-to-Site VPN 548
Introduction to the Cisco SDM VPN Wizard 548
Quick Setup 549
Step-by-Step Setup 559
Configuring Connection Settings 559
Selecting an IKE Proposal 561
Selecting a Transform Set 562
Selecting Traffic to Protect in the IPsec Tunnel 563
Applying the Generated Configuration 566
Monitoring the Configuration 569
Exam Preparation Tasks 571
Review All the Key Topics 571
Complete the Tables and Lists from Memory 571
Definition of Key Terms 572
Command Reference to Check Your Memory 572
Part IV Final Preparation 589
Chapter 16 Final Preparation
Exam Engine and Questions on the CD 577
Install the Software from the CD 578
Activate and Download the Practice Exam 578
Activating Other Exams 579
Study Plan 579
Recall the Facts 580
Use the Exam Engine 580
Choosing Study or Simulation Mode 580
Passing Scores for the IINS Exam 581
Part V Appendixes 583
Appendix A Answers to “Do I Know This Already?” Questions 585
Appendix B Glossary 595
Appendix C CCNA Security Exam Updates: Version 1.0 617
Appendix D Memory Tables (CD only)
Appendix E Memory Tables Answer Key (CD only)
Index 620