CCNA Security Official Exam Certification Guide


CCNA Security Official Exam Certification Guide
Michael Watkins
Kevin Wallace, CCIE No. 7945
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

CCNA Security Official Exam Certification Guide
Michael Watkins
Kevin Wallace, CCIE No. 7945
Copyright 2008 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
Seventh Printing June 2011
Library of Congress Cataloging-in-Publication data is on file.
ISBN-13: 978-1-58720-220-9
ISBN-10: 1-58720-220-4

Warning and Disclaimer

This book is designed to provide the information necessary to be successful on the Cisco IINS (640-553) exam. Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:
U.S. Corporate and Government Sales
1-800-382-3419
corpsales@pearsontechgroup.com

For sales outside of the U.S. please contact:
International Sales
international@pearsontechgroup.com

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community.

Reader feedback is a natural continuation of this process. If you have any comments about how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please be sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Publisher: Paul Boger
Cisco Press Program Manager: Jeff Brady
Associate Publisher: Dave Dusthimer
Copy Editor: Gayle Johnson
Executive Editor: Brett Bartow
Technical Editors: Ryan Lindfield and Anthony Sequeira
Managing Editor: Patrick Kanouse
Development Editor: Andrew Cupp
Senior Project Editor: Tonya Simpson
Editorial Assistant: Vanessa Evans
Book and Cover Designer: Louisa Adair
Composition: Mark Shirar
Indexers: Tim Wright and Heather McNeil
Proofreader: Debbie Williams

About the Authors

Michael Watkins, CCNA/CCNP/CCVP/CCSP, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, he has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the U.S. Air Force to help them implement and learn about the latest network technologies. In addition to holding more than 20 industry certifications in the areas of networking and programming technologies, he holds a bachelor of arts degree from Wabash College.

Kevin Wallace, CCIE No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, he has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. He holds a bachelor of science degree in electrical engineering from the University of Kentucky. He is also a CCVP, CCSP, CCNP, and CCDP, with multiple Cisco security and IP communications specializations.

About the Technical Reviewers

Ryan Lindfield is an instructor and network administrator with Boson. He has more than ten years of network administration experience. He has taught many courses designed for CCNA, CCNP, and CCSP preparation, among others. He has written many practice exams and study guides for various networking technologies. He also works as a consultant, where among his tasks are installing and configuring Cisco routers, switches, VPNs, IDSs, and firewalls.

Anthony Sequeira, CCIE No. 15626, completed the CCIE in Routing and Switching in January 2006. He is currently pursuing the CCIE in Security. For the past 15 years, he has written and lectured to massive audiences about the latest in networking technologies. He is currently a senior technical instructor and certified Cisco Systems instructor for SkillSoft. He lives with his wife and daughter in Florida. When he is not reading about the latest Cisco innovations, he is exploring the Florida skies in a Cessna.

Dedications

For their support and encouragement throughout this process, I dedicate my contribution to this book to my family.
—Michael

I dedicate my contribution to this book to my best friend (and wife of 14 years), Vivian.
—Kevin

Acknowledgments

From Michael Watkins:

I want to thank the team at Cisco Press for their direction and support throughout the writing process. For their support and encouragement throughout this process, I wish to thank and acknowledge Tom Warrick and the instructor team at SkillSoft. I also wish to thank Kevin Wallace, who brought his talent and experience to this project and was an enormous help each step of the way.

Finally, I want to thank my family for their continued support through this project, especially my children, Abigail, Matthew, and Addison, who are always an inspiration in all that I do.

From Kevin Wallace:

I wish to express my sincere thanks to the team at Cisco Press. You guys are a class act, and I'm honored to be associated with you. Also, I give a huge thank-you to Michael Watkins for inviting me to participate in writing this book.

On a personal note, I know all the good things in my life come from above, and I thank God for those blessings. Also, my wife, Vivian, and my daughters, Sabrina and Stacie, have become accustomed to seeing me attached to my laptop over the past few months. Thank you for your love and support throughout this process.

This Book Is Safari Enabled

The Safari Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days.

Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.

To gain 45-day Safari Enabled access to this book:
- Go to http://www.informit.com/onlineedition.
- Complete the brief registration form.
- Enter the coupon code 35C1-WTME-WMIT-F7ED-JNPY

If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail customer-service@safaribooksonline.com.

Contents at a Glance

Foreword xxvi
Introduction xxvii
Part I Network Security Concepts 3
Chapter 1 Understanding Network Security Principles 5
Chapter 2 Developing a Secure Network 45
Chapter 3 Defending the Perimeter 77
Chapter 4 Configuring AAA 111
Chapter 5 Securing the Router 155
Part II Constructing a Secure Infrastructure 205
Chapter 6 Securing Layer 2 Devices 207
Chapter 7 Implementing Endpoint Security 251
Chapter 8 Providing SAN Security 279
Chapter 9 Exploring Secure Voice Solutions 297
Chapter 10 Using Cisco IOS Firewalls to Defend the Network 319
Chapter 11 Using Cisco IOS IPS to Secure the Network 385
Part III Extending Security and Availability with Cryptography and VPNs 427
Chapter 12 Designing a Cryptographic Solution 429
Chapter 13 Implementing Digital Signatures 463
Chapter 14 Exploring PKI and Asymmetric Encryption 491
Chapter 15 Building a Site-to-Site IPsec VPN Solution 523
Part IV Final Preparation 589
Chapter 16 Final Preparation 577
Part V Appendixes 583
Appendix A Answers to "Do I Know This Already?" Questions 585
Appendix B Glossary 595
Appendix C CCNA Security Exam Updates: Version 1.0 617
Appendix D Memory Tables (CD only)
Appendix E Memory Tables Answer Key (CD only)
Index 620

Contents

Foreword xxvi
Introduction xxvii

Part I Network Security Concepts 3

Chapter 1 Understanding Network Security Principles 5
  "Do I Know This Already?" Quiz 5
  Foundation Topics 9
  Exploring Security Fundamentals 9
  Why Network Security Is a Necessity 9
  Types of Threats 9
  Scope of the Challenge 10
  Nonsecured Custom Applications 11
  The Three Primary Goals of Network Security 12
  Confidentiality 12
  Integrity 12
  Availability 13
  Categorizing Data 13
  Classification Models 13
  Classification Roles 15
  Controls in a Security Solution 16
  Responding to a Security Incident 17
  Legal and Ethical Ramifications 18
  Legal Issues to Consider 19
  Understanding the Methods of Network Attacks 20
  Vulnerabilities 20
  Potential Attackers 21
  The Mind-set of a Hacker 23
  Defense in Depth 24
  Understanding IP Spoofing 27
  Launching a Remote IP Spoofing Attack with IP Source Routing 28
  Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack 29
  Protecting Against an IP Spoofing Attack 30
  Understanding Confidentiality Attacks 31
  Understanding Integrity Attacks 33
  Understanding Availability Attacks 36
  Best-Practice Recommendations 40
  Exam Preparation Tasks 41
  Review All the Key Topics 41
  Complete the Tables and Lists from Memory 42
  Definition of Key Terms 42

Chapter 2 Developing a Secure Network 45
  "Do I Know This Already?" Quiz 45
  Foundation Topics 49
  Increasing Operations Security 49
  System Development Life Cycle 49
  Initiation 49
  Acquisition and Development 49
  Implementation 50
  Operations and Maintenance 50
  Disposition 51
  Operations Security Overview 51
  Evaluating Network Security 52
  Nmap 54
  Disaster Recovery Considerations 55
  Types of Disruptions 56
  Types of Backup Sites 56
  Constructing a Comprehensive Network Security Policy 57
  Security Policy Fundamentals 57
  Security Policy Components 58
  Governing Policy 58
  Technical Policies 58
  End-User Policies 59
  More-Detailed Documents 59
  Security Policy Responsibilities 59
  Risk Analysis, Management, and Avoidance 60
  Quantitative Analysis 60
  Qualitative Analysis 61
  Risk Analysis Benefits 61
  Risk Analysis Example: Threat Identification 61
  Managing and Avoiding Risk 62
  Factors Contributing to a Secure Network Design 62
  Design Assumptions 63
  Minimizing Privileges 63
  Simplicity Versus Complexity 64
  User Awareness and Training 64
  Creating a Cisco Self-Defending Network 66
  Evolving Security Threats 66
  Constructing a Cisco Self-Defending Network 67
  Cisco Security Management Suite 69
  Cisco Integrated Security Products 70
  Exam Preparation Tasks 74
  Review All the Key Topics 74

  Complete the Tables and Lists from Memory 75
  Definition of Key Terms 75

Chapter 3 Defending the Perimeter 77
  "Do I Know This Already?" Quiz 77
  Foundation Topics 81
  ISR Overview and Providing Secure Administrative Access 81
  IOS Security Features 81
  Cisco Integrated Services Routers 81
  Cisco 800 Series 82
  Cisco 1800 Series 83
  Cisco 2800 Series 84
  Cisco 3800 Series 84
  ISR Enhanced Features 85
  Password-Protecting a Router 86
  Limiting the Number of Failed Login Attempts 92
  Setting a Login Inactivity Timer 92
  Configuring Privilege Levels 93
  Creating Command-Line Interface Views 93
  Protecting Router Files 95
  Enabling Cisco IOS Login Enhancements for Virtual Connections 96
  Creating a Banner Message 98
  Cisco Security Device Manager Overview 99
  Introducing SDM 99
  Preparing to Launch Cisco SDM 101
  Exploring the Cisco SDM Interface 102
  Exam Preparation Tasks 106
  Review All the Key Topics 106
  Complete the Tables and Lists from Memory 106
  Definition of Key Terms 106
  Command Reference to Check Your Memory 107

Chapter 4 Configuring AAA 111
  "Do I Know This Already?" Quiz 111
  Foundation Topics 115
  Configuring AAA Using the Local User Database 115
  Authentication, Authorization, and Accounting 115
  AAA for Cisco Routers 115
  Router Access Authentication 116
  Using AAA to Configure Local User Database Authentication 117
  Defining a Method List 119
  Setting AAA Authentication for Login 120
  Configuring AAA Authentication on Serial Interfaces Running PPP 121
  Using the aaa authentication enable default Command 122

  Implementing the aaa authorization Command 122
  Working with the aaa accounting Command 124
  Using the CLI to Troubleshoot AAA for Cisco Routers 126
  Using Cisco SDM to Configure AAA 127
  Configuring AAA Using Cisco Secure ACS 128
  Overview of Cisco Secure ACS for Windows 129
  Additional Features of Cisco Secure ACS 4.0 for Windows 130
  Cisco Secure ACS 4.0 for Windows Installation 132
  Overview of TACACS and RADIUS 137
  TACACS Authentication 138
  Command Authorization with TACACS 140
  TACACS Attributes 140
  Authentication and Authorization with RADIUS 141
  RADIUS Message Types 142
  RADIUS Attributes 142
  Features of RADIUS 143
  Configuring TACACS 144
  Using the CLI to Configure AAA Login Authentication on Cisco Routers 144
  Configuring Cisco Routers to Use TACACS Using the Cisco SDM 146
  Defining the AAA Servers 147
  Exam Preparation Tasks 149
  Review All the Key Topics 149
  Complete the Tables and Lists from Memory 150
  Definition of Key Terms 150
  Command Reference to Check Your Memory 150

Chapter 5 Securing the Router 155
  "Do I Know This Already?" Quiz 155
  Foundation Topics 158
  Locking Down the Router 158
  Identifying Potentially Vulnerable Router Interfaces and Services 158
  Locking Down a Cisco IOS Router 160
  AutoSecure 161
  Cisco SDM One-Step Lockdown 166
  Using Secure Management and Reporting 171
  Planning for Secure Management and Reporting 172
  Secure Management and Reporting Architecture 172
  Configuring Syslog Support 175
  Securing Management Traffic with SNMPv3 179
  Enabling Secure Shell on a Router 183
  Using Cisco SDM to Configure Management Features 185
  Configuring Syslog Logging with Cisco SDM 186
  Configuring SNMP with Cisco SDM 190
  Configuring NTP with Cisco SDM 194
  Configuring SSH with Cisco SDM 196

  Exam Preparation Tasks 201
  Review All the Key Topics 201
  Complete the Tables and Lists from Memory 201
  Definition of Key Terms 202
  Command Reference to Check Your Memory 202

Part II Constructing a Secure Infrastructure 205

Chapter 6 Securing Layer 2 Devices 207
  "Do I Know This Already?" Quiz 207
  Foundation Topics 211
  Defending Against Layer 2 Attacks 211
  Review of Layer 2 Switch Operation 211
  Basic Approaches to Protecting Layer 2 Switches 212
  Preventing VLAN Hopping 213
  Switch Spoofing 213
  Double Tagging 214
  Protecting Against an STP Attack 215
  Combating DHCP Server Spoofing 218
  Using Dynamic ARP Inspection 220
  Mitigating CAM Table Overflow Attacks 222
  Spoofing MAC Addresses 223
  Additional Cisco Catalyst Switch Security Features 225
  Using the SPAN Feature with IDS 226
  Enforcing Security Policies with VACLs 226
  Isolating Traffic Within a VLAN Using Private VLANs 227
  Traffic Policing 228
  Notifying Network Managers of CAM Table Updates 228
  Port Security Configuration 228
  Configuration Recommendations 231
  Cisco Identity-Based Networking Services 232
  Introduction to Cisco IBNS 232
  Overview of IEEE 802.1x 234
  Extensible Authentication Protocols 236
  EAP-MD5 236
  EAP-TLS 236
  PEAP (MS-CHAPv2) 238
  EAP-FAST 239
  Combining IEEE 802.1x with Port Security Features 239
  Using IEEE 802.1x for VLAN Assignment 240
  Configuring and Monitoring IEEE 802.1x 243
  Exam Preparation Tasks 246
  Review All the Key Topics 246
  Complete the Tables and Lists from Memory 246
  Definition of Key Terms 247
  Command Reference to Check Your Memory 247

Chapter 7 Implementing Endpoint Security 251
  "Do I Know This Already?" Quiz 251
  Foundation Topics 254
  Examining Endpoint Security 254
  Defining Endpoint Security 254
  Examining Operating System Vulnerabilities 255
  Examining Application Vulnerabilities 257
  Understanding the Threat of Buffer Overflows 258
  Buffer Overflow Defined 259
  The Anatomy of a Buffer Overflow Exploit 259
  Understanding the Types of Buffer Overflows 260
  Additional Forms of Attack 261
  Securing Endpoints with Cisco Technologies 265
  Understanding IronPort 265
  The Architecture Behind IronPort 266
  Examining the Cisco NAC Appliance 266
  Working with the Cisco Security Agent 268
  Understanding Cisco Security Agent Interceptors 269
  Examining Attack Response with the Cisco Security Agent 272
  Best Practices for Securing Endpoints 273
  Application Guidelines 274
  Apply Application Protection Methods 274
  Exam Preparation Tasks 276
  Review All the Key Topics 276
  Complete the Tables and Lists from Memory 277
  Definition of Key Terms 277

Chapter 8 Providing SAN Security 279
  "Do I Know This Already?" Quiz 279
  Foundation Topics 282
  Overview of SAN Operations 282
  Fundamentals of SANs 282
  Organizational Benefits of SAN Usage 283
  Understanding SAN Basics 284
  Fundamentals of SAN Security 285
  Classes of SAN Attacks 286
  Implementing SAN Security Techniques 287
  Using LUN Masking to Defend Against Attacks 287
  Examining SAN Zoning Strategies 288
  Examining Soft and Hard Zoning 288
  Understanding World Wide Names 289
  Defining Virtual SANs 290
  Combining VSANs and Zones 291

  Identifying Port Authentication Protocols 292
  Understanding DHCHAP 292
  CHAP in Securing SAN Devices 292
  Working with Fibre Channel Authentication Protocol 292
  Understanding Fibre Channel Password Authentication Protocol 293
  Assuring Data Confidentiality in SANs 293
  Incorporating Encapsulating Security Payload (ESP) 294
  Providing Security with Fibre Channel Security Protocol 294
  Exam Preparation Tasks 295
  Review All the Key Topics 295
  Complete the Tables and Lists from Memory 295
  Definition of Key Terms 295

Chapter 9 Exploring Secure Voice Solutions 297
  "Do I Know This Already?" Quiz 297
  Foundation Topics 301
  Defining Voice Fundamentals 301
  Defining VoIP 301
  The Need for VoIP 302
  VoIP Network Components 303
  VoIP Protocols 305
  Identifying Common Voice Vulnerabilities 307
  Attacks Targeting Endpoints 307
  VoIP Spam 308
  Vishing and Toll Fraud 308
  SIP Attack Targets 309
  Securing a VoIP Network 310
  Protecting a VoIP Network with Auxiliary VLANs 310
  Protecting a VoIP Network with Security Appliances 311
  Hardening Voice Endpoints and Application Servers 313
  Summary of Voice Attack Mitigation Techniques 316
  Exam Preparation Tasks 317
  Review All the Key Topics 317
  Complete the Tables and Lists from Memory 317
  Definition of Key Terms 317

Chapter 10 Using Cisco IOS Firewalls to Defend the Network 319
  "Do I Know This Already?" Quiz 319
  Foundation Topics 323
  Exploring Firewall Technology 323
  The Role of Firewalls in Defending Networks 323
  The Advance of Firewall Technology 325
  Transparent Firewalls 326
  Application Layer Firewalls 327

  Benefits of Using Application Layer Firewalls 329
  Working with Application Layer Firewalls 330
  Application Firewall Limitations 332
  Static Packet-Filtering Firewalls 333
  Stateful Packet-Filtering Firewalls 335
  Stateful Packet Filtering and the State Table 335
  Disadvantages of Stateful Filtering 336
  Uses of Stateful Packet-Filtering Firewalls 337
  Application Inspection Firewalls 338
  Application Inspection Firewall Operation 340
  Effective Use of an Application Inspection Firewall 341
  Overview of the Cisco ASA Adaptive Security Appliance 342
  The Role of Firewalls in a Layered Defense Strategy 343
  Creating an Effective Firewall Policy 345
  Using ACLs to Construct Static Packet Filters 347
  The Basics of ACLs 348
  Cisco ACL Configuration 349
  Working with Turbo ACLs 350
  Developing ACLs 351
  Using the CLI to Apply ACLs to the Router Interface 352
  Considerations When Creating ACLs 353
  Filtering Traffic with ACLs 354
  Preventing IP Spoofing with ACLs 357
  Restricting ICMP Traffic with ACLs 358
  Configuring ACLs to Filter Router Service Traffic 360
  vty Filtering 360
  SNMP Service Filtering 361
  RIPv2 Route Filtering 361
  Grouping ACL Functions 362
  Implementing a Cisco IOS Zone-Based Firewall 364
  Understanding Cisco IOS Firewalls 364
  Traffic Filtering 365
  Traffic Inspection 366
  The Role of Alerts and Audit Trails 366
  Classic Firewall Process 367
  SPI and CBAC 368
  Examining the Principles Behind Zone-Based Firewalls 369
  Changes to Firewall Configuration 370
  Zone Membership Rules 371
  Understanding Security Zones 373
  Zones and Inspection 373
  Security Zone Restrictions 373
  Working with Zone Pairs 375
  Security Zone Firewall Policies 376
  Class Maps 378

  Verifying Zone-Based Firewall Configuration 379
  Exam Preparation Tasks 380
  Review All the Key Topics 380
  Complete the Tables and Lists from Memory 381
  Definition of Key Terms 381
  Command Reference to Check Your Memory 382

Chapter 11 Using Cisco IOS IPS to Secure the Network 385
  "Do I Know This Already?" Quiz 385
  Foundation Topics 388
  Examining IPS Technologies 388
  IDS Versus IPS 388
  IDS and IPS Device Categories 389
  Detection Methods 389
  Network-Based Versus Host-Based IPS 391
  Deploying Network-Based and Host-Based Solutions 394
  IDS and IPS Appliances 395
  Cisco IDS 4215 Sensor 396
  Cisco IPS 4240 Sensor 397
  Cisco IPS 4255 Sensor 397
  Cisco IPS 4260 Sensor 397
  Signatures 398
  Exploit Signatures 398
  Connection Signatures 399
  String Signatures 399
  Denial-of-Service Signatures 399
  Signature Definition Files 399
  Alarms 400
  Using SDM to Configure Cisco IOS IPS 401
  Launching the Intrusion Prevention Wizard 401
  IPS Policies Wizard 404
  Creating IPS Rules 410
  Manipulating Global IPS Settings 417
  Signature Configuration 419
  Exam Preparation Tasks 425
  Review All the Key Topics 425
  Complete the Tables and Lists from Memory 425
  Definition of Key Terms 425

Part III Extending Security and Availability with Cryptography and VPNs 427

Chapter 12 Designing a Cryptographic Solution 429
  "Do I Know This Already?" Quiz 429
  Foundation Topics 433
  Introducing Cryptographic Services 433
  Understanding Cryptology 433
  Cryptography Through the Ages 434
  The Substitution Cipher 434
  The Vigenère Cipher 435
  Transposition Ciphers 436
  Working with the One-Time Pad 436
  The Encryption Process 437
  Cryptanalysis 438
  Understanding the Features of Encryption Algorithms 440
  Symmetric and Asymmetric Encryption Algorithms 441
  Encryption Algorithms and Keys 441
  Symmetric Encryption Algorithms 441
  Asymmetric Encryption Algorithms 443
  The Difference Between Block and Stream Ciphers 444
  Block Ciphers 444
  Stream Ciphers 445
  Exploring Symmetric Encryption 445
  Functionality of Symmetric Encryption Algorithms 446
  Key Lengths 446
  Features and Functions of DES 447
  Working with the DES Key 447
  Modes of Operation for DES 447
  Working with DES Stream Cipher Modes 449
  Usage Guidelines for Working with DES 449
  Understanding How 3DES Works 450
  Encrypting with 3DES 450
  AES 451
  The Rijndael Cipher 451
  Comparing AES and 3DES 451
  Availability of AES in the Cisco Product Line 452
  SEAL 452
  SEAL Restrictions 452
  The Rivest Ciphers 452
  Understanding Security Algorithms 453
  Selecting an Encryption Algorithm 453
  Understanding Cryptographic Hashes 455
  Working with Hashing 455

  Designing Key Management 456
  Components of Key Management 456
  Understanding Keyspaces 456
  Issues Related to Key Length 457
  SSL VPNs 458
  Establishing an SSL Tunnel 459
  Exam Preparation Tasks 460
  Review All the Key Topics 460
  Complete the Tables and Lists from Memory 461
  Definition of Key Terms 461

Chapter 13 Implementing Digital Signatures 463
  "Do I Know This Already?" Quiz 463
  Foundation Topics 466
  Examining Hash Algorithms 466
  Exploring Hash Algorithms and HMACs 466
  Anatomy of a Hash Function 467
  Application of Hash Functions 467
  Cryptographic Hash Functions 468
  Application of Cryptographic Hashes 469
  HMAC Explained 470
  MD5 Features and Functionality 471
  Origins of MD5 472
  Vulnerabilities of MD5 473
  Usage of MD5 475
  SHA-1 Features and Functionality 475
  Overview of SHA-1 476
  Vulnerabilities of SHA-1 477
  Usage of SHA-1 478
  Using Digital Signatures 478
  Understanding Digital Signatures 480
  Digital Signature Scheme 483
  Authentication and Integrity 483
  Examining RSA Signatures 483
  Exploring the History of RSA 484
  Understanding How RSA Works 484
  Encrypting and Decrypting Messages with RSA 485
  Signing Messages with RSA 485
  Vulnerabilities of RSA 486
  Exploring the Digital Signature Standard 487
  Using the DSA Algorithm 487
  Exam Preparation Tasks 488
  Review All the Key Topics 488
  Complete the Tables and Lists from Memory 489
  Definition of Key Terms 489

Chapter 14 Exploring PKI and Asymmetric Encryption 491
  "Do I Know This Already?" Quiz 491
  Foundation Topics 494
  Understanding Asymmetric Algorithms 494
  Exploring Asymmetric Encryption Algorithms 494
  Using Public-Key Encryption to Achieve Confidentiality 495
  Providing Authentication with a Public Key 496
  Understanding the Features of the RSA Algorithm 497
  Working with RSA Digital Signatures 498
  Guidelines for Working with RSA 499
  Examining the Features of the Diffie-Hellman Key Exchange Algorithm 499
  Steps of the Diffie-Hellman Key Exchange Algorithm 500
  Working with a PKI 500
  Examining the Principles Behind a PKI 501
  Understanding PKI Terminology 501
  Components of a PKI 501
  Classes of Certificates 502
  Examining the PKI Topology of a Single Root CA 502
  Examining the PKI Topology of Hierarchical CAs 503
  Examining the PKI Topology of Cross-Certified CAs 505
  Understanding PKI Usage and Keys 506
  Working with PKI Server Offload 506
  Understanding PKI Standards 507
  Understanding X.509v3 507
  Understanding Public Key Cryptography Standards (PKCS) 508
  Understanding Simple Certificate Enrollment Protocol (SCEP) 510
  Exploring the Role of Certificate Authorities and Registration Authorities in a PKI 511
  Examining Identity Management 512
  Retrieving the CA Certificate 513
  Understanding the Certificate Enrollment Process 513
  Examining Authentication Using Certificates 514
  Examining Features of Digital Certificates and CAs 515
  Understanding the Caveats of Using a PKI 516
  Understanding How Certificates Are Employed 517
  Exam Preparation Tasks 519
  Review All the Key Topics 519
  Complete the Tables and Lists from Memory 519
  Definition of Key Terms 520

Chapter 15 Building a Site-to-Site IPsec VPN Solution 523
  "Do I Know This Already?" Quiz 523
  Foundation Topics 527

  Exploring the Basics of IPsec 527
  Introducing Site-to-Site VPNs 527
  Overview of IPsec 529
  IKE Modes and Phases 529
  Authentication Header and Encapsulating Security Payload 531
  Cisco VPN Product Offerings 533
  Cisco VPN-Enabled Routers and Switches 533
  Cisco VPN 3000 Series Concentrators 535
  Cisco ASA 5500 Series Appliances 536
  Cisco 500 Series PIX Security Appliances 538
  Hardware Acceleration Modules 538
  VPN Design Considerations and Recommendations 539
  Best-Practice Recommendations for Identity and IPsec Access Control 540
  Best-Practice Recommendations for IPsec 540
  Best-Practice Recommendations for Network Address Translation 541
  Best-Practice Recommendations for Selecting a Single-Purpose Versus Multipurpose Device 541
  Constructing an IPsec Site-to-Site VPN 542
  The Five Steps in the Life of an IPsec Site-to-Site VPN 542
  The Five Steps of Configuring an IPsec Site-to-Site VPN 543
  Configuring an IKE Phase 1 Tunnel 543
  Configuring an IKE Phase 2 Tunnel 545
  Applying Crypto Maps 546
  Using Cisco SDM to Configure IPsec on a Site-to-Site VPN 548
  Introduction to the Cisco SDM VPN Wizard 548
  Quick Setup 549
  Step-by-Step Setup 559
  Configuring Connection Settings 559
  Selecting an IKE Proposal 561
  Selecting a Transform Set 562
  Selecting Traffic to Protect in the IPsec Tunnel 563
  Applying the Generated Configuration 566
  Monitoring the Configuration 569
  Exam Preparation Tasks 571
  Review All the Key Topics 571
  Complete the Tables and Lists from Memory 571
  Definition of Key Terms 572
  Command Reference to Check Your Memory 572

Part IV Final Preparation 589

Chapter 16 Final Preparation 577
  Exam Engine and Questions on the CD 577
  Install the Software from the CD 578
  Activate and Download the Practice Exam 578
  Activating Other Exams 579
  Study Plan 579
  Recall the Facts 580
  Use the Exam Engine 580
  Choosing Study or Simulation Mode 580
  Passing Scores for the IINS Exam 581

Part V Appendixes 583

Appendix A Answers to "Do I Know This Already?" Questions 585
Appendix B Glossary 595
Appendix C CCNA Security Exam Updates: Version 1.0 617
Appendix D Memory Tables (CD only)
Appendix E Memory Tables Answer Key (CD only)
Index 620

Icons Used in This Book

The icons in this book represent the following devices and elements (icon images are not reproduced here):
- Router
- Modem
- IOS Router with Firewall Feature Set
- Switch
- PC
- PSTN Network
- IPsec-Protected Tunnel
- Server
- Dial-Up Link
- Network Management Station (NMS)
- IDS/IPS Sensor
- Data Network
- VPN Termination Device
- IEEE 802.1x-Enabled Switch
- Adaptive Security Appliance (ASA)/PIX
- Headquarters
- Remote Office
- IPV
- Analog Phone
- WAN
- Cisco NAC Appliance
- Physical SAN Island
- VPN Concentrator
- PBX
- IP Phone
- Access Gateway
- Firewall
- Cisco MDS 9000
- Cisco Unified Communications Manager
- Server Protected by Cisco Security Agent
- ASA Device
- Generic Firewall
- Shared Media Hub
- Management Center for Cisco Security Agent with Internal or External Database
- SSL Tunnel

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
- Bold indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), bold indicates commands that the user enters (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars ( | ) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate an optional element.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.

Foreword

CCNA Security Official Exam Certification Guide is an excellent self-study resource for the Cisco IINS (640-553) exam. Passing the IINS exam validates the knowledge and skills required to successfully secure Cisco network devices.

Gaining certification in Cisco technology is key to the continuing educational development of today's networking professional. Through certification programs, Cisco validates the skills and expertise required to effectively manage the modern enterprise network.

Cisco Press exam certificati
