CCNP Security SECURE 642-637 - GBV

Transcription

CCNP Security SECURE 642-637 Official Cert Guide
Sean Wilkins
Franklin H. Smith III
Cisco Press
800 East 96th Street
Indianapolis, IN 46240

Contents

Introduction

Part I Network Security Technologies Overview

Chapter 1 Network Security Fundamentals
  "Do I Know This Already?" Quiz
  Foundation Topics
  Defining Network Security
  Building Secure Networks
    Cisco SAFE/SCF Basics
    SAFE/SCF Architecture Principles
    SAFE/SCF Network Foundation Protection (NFP)
    SAFE/SCF Design Blueprints
    SAFE Usage
  Exam Preparation

Chapter 2 Network Security Threats
  "Do I Know This Already?" Quiz
  Foundation Topics
  Vulnerabilities
    Self-imposed Network Vulnerabilities
  Intruder Motivations
    Lack of Understanding of Computers or Networks
    Intruding for Curiosity
    Intruding for Fun and Pride
    Intruding for Revenge
    Intruding for Profit
    Intruding for Political Purposes
  Types of Network Attacks
    Reconnaissance Attacks
    Access Attacks
    DoS Attacks
  Exam Preparation

Chapter 3 Network Foundation Protection Overview
  "Do I Know This Already?" Quiz
  Foundation Topics
  Overview of Device Functionality Planes

    Control Plane
    Data Plane
    Management Plane
  Identifying Network Foundation Protection Deployment
  Identifying Network Foundation Protection Feature Availability
    Cisco Catalyst Switches
    Cisco Integrated Services Routers (ISR)
    Cisco Supporting Management Components
  Exam Preparation

Chapter 4 Switched Data Plane Security
  "Do I Know This Already?" Quiz
  Foundation Topics
  Switched Data Plane Attack Types
    VLAN Hopping Attacks
    CAM Flooding Attacks
    MAC Address Spoofing
    Spanning Tree Protocol (STP) Spoofing Attacks
    DHCP Starvation Attacks
    DHCP Server Spoofing
    ARP Spoofing
  Switched Data Plane Security Technologies
    Port Configuration
    Port Security
    Root Guard, BPDU Guard, and PortFast
    DHCP Snooping
    Dynamic ARP Inspection
    IP Source Guard
    Private VLANs (PVLAN)
  Exam Preparation

Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS)
  "Do I Know This Already?" Quiz
  Foundation Topics
  Identity-Based Networking Services (IBNS) and IEEE 802.1X Overview
    IBNS and 802.1X Enhancements and Features

  802.1X Interworking
    Extensible Authentication Protocol
    EAP over LAN (EAPOL)
    EAP Message Exchange
    Port States
    Port Authentication Host Modes
  EAP Type Selection
    EAP-Message Digest Algorithm 5
    Protected EAP
    EAP-Transport Layer Security
    EAP-Tunneled Transport Layer Security
    EAP-Flexible Authentication via Secure Tunneling
  Exam Preparation

Chapter 6 Implementing and Configuring Basic 802.1X
  "Do I Know This Already?" Quiz
  Foundation Topics
  Plan Basic 802.1X Deployment
    Gathering Input Parameters
    Deployment Tasks
    General Deployment Guidelines
  Cisco IOS Software 802.1X Functionality
    Configuration Choices
    Basic 802.1X Configuration Scenario
    Configure and Verify Cisco IOS Software 802.1X
  Configure and Verify Cisco ACS for 802.1X
  Configure the Cisco Secure Services Client 802.1X Supplicant Software
    Task 1: Create the CSSC Configuration Profile
    Task 2: Create a Wired Network Connection Profile
    Tasks 3 and 4: (Optional) Tune 802.1X Timers and Configure the Authentication Mode
    Task 5: Choose the Inner and Outer EAP Mode for the Connection

    Task 6: Choose the Login Credentials to Be Used for Authentication
    Task 7: Create the CSSC Package
  Verify and Troubleshoot 802.1X Operations
    Verify Authentication Status
    Verify Successful Authentication
    Verify Login on AAA Server
    Verify Guest/Restricted VLAN Assignment
    802.1X Readiness Check
    Unresponsive Supplicant
    Failed Authentication: RADIUS Configuration Issues
    Failed Authentication: Bad ...
  Exam Preparation

Chapter 7 Implementing and Configuring Advanced 802.1X
  "Do I Know This Already?" Quiz
  Foundation Topics
  Plan the Deployment of Cisco Advanced 802.1X Authentication Features
    Gathering Input Parameters
    Deployment Tasks
    Deployment Choices
  Configure and Verify EAP-TLS Authentication
    EAP-TLS with 802.1X Components and Configuration Choices
    Configuration Tasks
    Configuration Scenario
    Task 1: Configure RADIUS on Cisco IOS Clients
    Task 2: Install Identity and Certificate Authority Certificates on All Clients
    Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server
    Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server
    Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant
    Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant

    Implementation Guidelines
  Configuring User and Machine Authentication
    User and Machine Authentication Tasks
    Configuration Scenario
    Task 1: Install Identity and Certificate Authority Certificates on All Clients
    Task 2: Configure Support of EAP-TLS on Cisco Secure ACS Server
    Task 3: Configure Support of Machine Authentication on Cisco Secure ACS Server
    Task 4: Configure Support of Machine Authentication on Microsoft Windows Native 802.1X Supplicant
    Task 5: (Optional) Configure Machine Authentication Support Using the Cisco Secure Services Client (CSSC) Supplicant
    Task 6: (Optional) Configure Additional User Support Using the Cisco Secure Services Client (CSSC) Supplicant
    Implementation Guidelines
  Deploying VLAN and ACL Assignment
    VLAN and ACL Assignment Feature Support
    Configuration Choices
    VLAN and ACL Assignment Tasks
    Configuration Scenario
    Task 1: Configure Authorization on Cisco IOS Software 802.1X Authenticator
    Task 2: (Optional) Configure VLAN Assignment on Cisco Secure ACS
    Task 3: (Optional) Configure and Prepare for ACL Assignment on Cisco IOS Software Switch
    Task 4: (Optional) Configure ACL Assignment on Cisco Secure ACS Server
    Verification of VLAN and ACL Assignment with Cisco IOS Software CLI
    Verification of VLAN and ACL Assignment on Cisco Secure ACS
  Configure and Verify MAC Authentication Bypass
    Catalyst IOS Software MAC Authentication Bypass (MAB)
    Cisco Secure ACS MAC Address Exception Policies

    Configuration Tasks
    Configuration Scenario
    Tasks 1 and 2: Configure MAC Authentication Bypass on Switches and Cisco Secure ACS
    Verification of MAC Authentication Bypass
  Configure and Verify Web Authentication
    Cisco IOS Software LAN Web Authentication
    Configuration Tasks
    Configuration Scenario
    Task 1: Configure Web Authentication on the Switch
    Task 2: Configure a Web Authentication User on the Cisco Secure ACS Server
  Configuring Open Authentication
  Configuring Support of Multiple Hosts on a Single Port
    Multiple Hosts Support Guidelines
  Configuring Fail-Open Policies
    Configuring Critical Ports
  Resolve 802.1X Compatibility Issues
    Wake-on-LAN (WOL)
    Non-802.1X IP Phones
    Preboot Execution Environment (PXE)
  Exam Preparation

Part II Cisco IOS Foundation Security Solutions

Chapter 8 Implementing and Configuring Cisco IOS Routed Data Plane Security
  "Do I Know This Already?" Quiz
  Foundation Topics
  Routed Data Plane Attack Types
    IP Spoofing
    Slow-Path Denial of Service
    Traffic Flooding
  Routed Data Plane Security Technologies
    Access Control Lists (ACL)

    Flexible Packet Matching
    Flexible NetFlow
    Unicast Reverse Path Forwarding (Unicast RPF)
  Exam Preparation

Chapter 9 Implementing and Configuring Cisco IOS Control Plane Security
  "Do I Know This Already?" Quiz
  Foundation Topics
  Control Plane Attack Types
    Slow-Path Denial of Service
    Routing Protocol Spoofing
  Control Plane Security Technologies
    Control Plane Policing (CoPP)
    Control Plane Protection (CPPr)
    Routing Protocol Authentication
  Exam Preparation

Chapter 10 Implementing and Configuring Cisco IOS Management Plane Security
  "Do I Know This Already?" Quiz
  Foundation Topics
  Management Plane Attack Types
  Management Plane Security Technologies
    Basic Management Security and Privileges
    SSH
    SNMP
    CPU and Memory Thresholding
    Management Plane Protection
    AutoSecure
    Digitally Signed Cisco Software
  Exam Preparation

Chapter 11 Implementing and Configuring Network Address Translation (NAT)
  "Do I Know This Already?" Quiz
  Foundation Topics
  Network Address Translation
    Static NAT Example
    Dynamic NAT Example

Chapter 12 Implementing and Configuring Zone-Based Policy Firewalls
  "Do I Know This Already?" Quiz
  Foundation Topics
  Zone-Based Policy Firewalls
    Zones/Security Zones
    Zone Pairs
    Class Map Configurations
    Policy Map Configuration
    Parameter Map Configuration
    Port Application Mapping (PAM) Configuration
    Transparent Zone-Based Firewall
    Zone-Based Layer 3 URL ...
  Exam Preparation

Chapter 13 Implementing and Configuring IOS Intrusion Prevention System (IPS)
  "Do I Know This Already?" Quiz
  Foundation Topics
  Configuration Choices, Basic Procedures, and Required Input Parameters
    Intrusion Detection and Prevention with Signatures
    Sensor Accuracy
    Choosing a Cisco IOS IPS Sensor Platform
      Software-Based Sensor
      Hardware-Based Sensor
    Deployment Tasks
    Deployment Guidelines
  Deploying Cisco IOS Software IPS Signature Policies
    Configuration Tasks

    Configuration Scenario
    Verification
    Implementation Guidelines
  Tuning Cisco IOS Software IPS Signatures
    Event Risk Rating System Overview
    Event Risk Rating Calculation
    Event Risk Rating Example
    Signature Event Action Overrides (SEAO)
    Signature Event Action Filters (SEAF)
    Configuration Tasks
    Verification
  Configure Automatic Signature Updates
    Signature Update License
    Configuration Scenario
    Verification
  Monitoring Cisco IOS Software IPS Events
    Event Generation
    Cisco IME Features
    Cisco IME Minimum System Configuration
    Task 1: Install Cisco IME
    Task 2: Add the Cisco IOS Software IPS Sensor to Cisco IME
    Verification: Local Events
    Verification: IME Events
  Troubleshooting Cisco IOS Software IPS
    Resource Use
    Additional Debug Commands
  Exam Preparation

Chapter 14 Introduction to Cisco IOS Site-to-Site Security Solutions
  "Do I Know This Already?" Quiz
  Foundation Topics
  Choose an Appropriate VPN LAN Topology

    Input Parameters for Choosing the Best VPN LAN Topology
    General Deployment Guidelines for Choosing the Best VPN LAN Topology
  Choose an Appropriate VPN WAN Technology
    Input Parameters for Choosing the Best VPN WAN Technology
    General Deployment Guidelines for Choosing the Best VPN WAN Technology
  Choose Appropriate VPN Cryptographic Controls
    Core Features of IPsec VPN Technology
    IPsec Security Associations
    Internet Key Exchange (IKE)
    IKE Main and Aggressive Mode
    IPsec Phases
    Encapsulating Security Payload
    Algorithm Choices
    General Deployment Guidelines for Choosing Cryptographic Controls for a Site-to-Site VPN
  Design and Implementation
  Exam Preparation

Chapter 15 Deploying VTI-Based Site-to-Site IPsec VPNs
  "Do I Know This Already?" Quiz
  Foundation Topics
  Plan a Cisco IOS Software VTI-Based Site-to-Site VPN
    Virtual Tunnel Interfaces
    Input Parameters
    Deployment Guidelines
  Configuring Basic Cisco IOS Software IKE Peering
    IKE PSK-Based Policies
    Configuration Scenario
    Task 1: Configure an IKE Policy on Each Peer
    Tasks 2 and 3: Generate and Configure Authentication Credentials on Each Peer
    Verify Local IKE Sessions

    Verify Local IKE Policies
    Verify Successful Phase 1 Exchange
    Implementation Guidelines
    Troubleshooting IKE Peering
    Troubleshooting Flow
  Configuring Static Point-to-Point IPsec VTI Tunnels
    IPsec Transform Sets
    Configuration Scenario
    Task 1: Configure an IKE Policy on Each Peer
    Task 2: (Optional) Configure an IPsec Transform Set
    Task 3: Configure an IPsec Protection Profile
    Task 4: Configure a Virtual Tunnel Interface (VTI)
    Task 5: Apply the Protection Profile to the Tunnel
    Task 6: Configure Routing into the VTI Tunnel
    Verify Tunnel Status
    Implementation Guidelines
    Troubleshooting Flow
  Configure Dynamic Point-to-Point IPsec VTI Tunnels
    Virtual Template and Virtual Access Interfaces
    Configuration Scenario
    Task 1: Configure IKE Peering
    Task 2: (Optional) Configure an IPsec Transform Set
    Task 3: Configure an IPsec Protection Profile
    Task 4: Configure a Virtual Template Interface
    Task 5: Configure a Remote Peer to ...
    Verify Tunnel Status on the Hub
    Implementation Guidelines
  Exam Preparation

Part III Cisco IOS Threat Detection and Control

Chapter 16 Deploying Scalable Authentication in Site-to-Site IPsec VPNs
  "Do I Know This Already?" Quiz
  Foundation Topics
  Describe the Concept of a Public Key Infrastructure
    Manual Key Exchange with Verification

    Trusted Introducing
    Public Key Infrastructure: Certificate Authorities
    X.509 Identity Certificate
    Certificate Revocation Checking
    Using Certificates in ...
    Deployment Steps
    Deployment Guidelines
  Configure, Verify, and Troubleshoot a Basic Cisco IOS Software Certificate Server
    Configuration Tasks
    Configuration Scenario
    Task 1: Create an RSA ...
    Task 2: Create a PKI ...
