CCNA Security Exam Cram (Exam IINS 640-553)

Eric Stewart is a self-employed network security contractor who finds his home in Ottawa, Canada. Trained as a computer engineer at the Royal Military College, and later in computer science and economics at Carleton University, Eric has over 20 years of experience in the information technology field–the last 12 years focusing primarily on Cisco Systems routers, switches, VPN concentrators, and security appliances. He likes to divide his time evenly between his two great loves in the field: teaching and doing! The majority of Eric’s consulting work has been in the implementation of major security infrastructure initiatives and architectural reviews with the Canadian Federal Government, working at such departments as Foreign Affairs and International Trade (DFAIT) and the Canadian Air Transport Security Authority (CATSA). A Cisco Certified Systems Instructor (CCSI), he especially enjoys imparting the joy that he takes in his work to his students, as he will often be found enthusiastically teaching Cisco CCNA, CCNP, and CCSP curriculum to students throughout North America and the world.   His previous work with Cisco Press has been as the development editor for two titles, Authorized CCDA Self-Study Guide: Designing for Cisco Internetwork Solutions (DESGN) (Exam 640-863) and Router Security Strategies: Securing IP Network Traffic Planes.   Eric has a lovely wife, Carol Ann, who is an accomplished music teacher, as well as two teenage children, Scott and Meaghan.

Introduction... 1

    Organization and Elements of This Book. 1

    Contacting the Author.. 4

Self Assessment... 5

    Who Is a CCNA Security?.. 5

    The Ideal CCNA Security Candidate. 6

    Put Yourself to the Test.. 8

    Exam Topics for 640-553 IINS (Implementing Cisco IOS Network Security).. 10

    Strategy for Using This Exam Cram. 12

Part I: Network Security Architecture

Chapter 1: Network Insecurity... 15

    Exploring Network Security Basics and the Need for Network Security.. 16

        The Threats.. 16

        Other Reasons for Network Insecurity 18

        The CIA Triad.. 18

        Data Classification.. 21

        Security Controls.. 22

        Incident Response.. 25

        Laws and Ethics.. 26

    Exploring the Taxonomy of Network Attacks. 29

        Adversaries.. 30

        How Do Hackers Think?. 32

        Concepts of Defense in Depth. 32

        IP Spoofing Attacks.. 34

        Attacks Against Confidentiality. 36

        Attacks Against Integrity. 38

        Attacks Against Availability. 42

    Best Practices to Thwart Network Attacks. 45

        Administrative Controls. 45

        Technical Controls.. 46

        Physical Controls.. 46

    Exam Prep Questions.. 47

    Answers to Exam Prep Questions. 50

Chapter 2: Building a Secure Network Using Security Controls. 51

    Defining Operations Security Needs. 52

        Cisco System Development Life Cycle for Secure Networks 52

        Operations Security Principles. 54

        Network Security Testing. 55

        Disaster Recovery and Business Continuity Planning 59

    Establishing a Comprehensive Network Security Policy 61

        Defining Assets.. 62

        The Need for a Security Policy. 63

        Policies.. 64

        Standards, Guidelines, and Procedures 65

        Who Is Responsible for the Security Policy? 66

        Risk Management.. 67

            Principles of Secure Network Design 70

    Examining Cisco’s Model of the Self-Defending Network 73

        Where Is the Network Perimeter?. 73

        Building a Cisco Self-Defending Network 74

        Components of the Cisco Self-Defending Network 75

        Cisco Integrated Security Portfolio. 79

    Exam Prep Questions.. 81

    Answers to Exam Prep Questions. 84

Part II: Perimeter Security

Chapter 3: Security at the Network Perimeter.. 87

    Cisco IOS Security Features.. 88

        Where Do You Deploy an IOS Router? 88

        Cisco ISR Family and Features. 90

    Securing Administrative Access to Cisco Routers 91

        Review Line Interfaces. 92

        Password Best Practices. 94

        Configuring Passwords. 94

        Setting Multiple Privilege Levels. 97

        Configuring Role-Based Access to the CLI 98

        Configuring the Cisco IOS Resilient Configuration Feature 101

        Protecting Virtual Logins from Attack 102

        Configuring Banner Messages. 104

    Introducing Cisco SDM.. 105

        Files Required to Run Cisco SDM from the Router 106

        Using Cisco SDM Express. 107

        Launching Cisco SDM. 108

        Cisco SDM Smart Wizards. 110

        Advanced Configuration with SDM. 111

        Cisco SDM Monitor Mode. 113

    Configuring Local Database AAA on a Cisco Router 114

        Authentication, Authorization, and Accounting (AAA) 114

        Two Reasons for Implementing AAA on Cisco Routers 114

        Cisco’s Implementation of AAA for Cisco Routers 115

        Tasks to Configure Local Database AAA on a Cisco Router 116

        Additional Local Database AAA CLI Commands 120

    Configuring External AAA on a Cisco Router Using
Cisco Secure ACS.. 121

        Why Use Cisco Secure ACS?. 123

        Cisco Secure ACS Features. 123

        Cisco Secure ACS for Windows Installation Requirements 124

        Cisco Secure ACS Solution Engine and Cisco Secure
ACS Express 5.0 Comparison. 125

        TACACS+ or RADIUS?. 125

        Prerequisites for Cisco Secure ACS 126

        Three Main Tasks for Setting Up External AAA 127

        Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+.. 140

        AAA Configuration Snapshot. 141

    Exam Prep Questions.. 142

    Answers to Exam Prep Questions. 145

Chapter 4: Implementing Secure Management and Hardening the Router 147

    Planning for Secure Management and Reporting 148

        What to Log.. 149

        How to Log.. 150

        Reference Architecture for Secure Management and Reporting.. 151

        Secure Management and Reporting Guidelines 153

        Logging with Syslog.. 153

        Cisco Security MARS. 154

        Where to Send Log Messages. 154

        Log Message Levels. 155

        Log Message Format. 156

        Enabling Syslog Logging in SDM. 156

        Using SNMP.. 157

        Configuring the SSH Daemon. 161

        Configuring Time Features. 165

    Using Cisco SDM and CLI Tools to Lock Down the Router 167

        Router Services and Interface Vulnerabilities 167

        Performing a Security Audit. 172

    Exam Prep Questions.. 180

    Answers to Exam Prep Questions. 182

Part III: Augmenting Depth of Defense     

Chapter 5: Using Cisco IOS Firewalls to Implement a Network Security Policy 185

    Examining and Defining Firewall Technologies 187

        What Is a Firewall?.. 188

        Characteristics of a Firewall. 189

        Firewall Advantages.. 189

        Firewall Disadvantages. 190

        Role of Firewalls in a Layered Defense Strategy 190

        Types of Firewalls.. 190

        Cisco Family of Firewalls. 201

        Firewall Implementation Best Practices 202

    Creating Static Packet Filters with ACLs. 203

        Threat Mitigation with ACLs. 203

        Inbound Versus Outbound. 203

        Identifying ACLs.. 205

        ACL Examples Using the CLI. 205

        ACL Guidelines.. 208

        Using the Cisco SDM to Configure ACLs 209

        Using ACLs to Filter Network Services 212

        Using ACLs to Mitigate IP Address Spoofing Attacks 213

        Using ACLs to Filter Other Common Services 216

    Cisco Zone-Based Policy Firewall Fundamentals 218

        Advantages of ZPF.. 220

        Features of ZPF.. 221

        ZPF Actions.. 221

        Zone Behavior.. 221

        Using the Cisco SDM Basic Firewall Wizard to
Configure ZPF.. 224

        Manually Configuring ZPF with the Cisco SDM 233

        Monitoring ZPF.. 238

    Exam Prep Questions.. 241

    Answers to Exam Prep Questions. 244

Chapter 6: Introducing Cryptographic Services.. 245

    Cryptology Overview.. 246

        Cryptanalysis.. 249

        Encryption Algorithm (Cipher) Desirable Features 251

        Symmetric Key Versus Asymmetric Key
Encryption Algorithms.. 251

        Block Versus Stream Ciphers. 254

        Which Encryption Algorithm Do I Choose? 255

        Cryptographic Hashing Algorithms. 256

        Principles of Key Management. 256

        Other Key Considerations. 257

        SSL VPNs.. 259

    Exploring Symmetric Key Encryption. 261

        DES... 263

        3DES.. 264

        AES... 265

        SEAL.. 266

        Rivest Ciphers (RC).. 267

    Exploring Cryptographic Hashing Algorithms and Digital Signatures.. 268

        HMACs.. 270

        Message Digest 5 (MD5). 271

        Secure Hashing Algorithm 1 (SHA-1) 272

        Digital Signatures.. 272

    Exploring Asymmetric Key Encryption and Public Key Infrastructure.. 275

        Encryption with Asymmetric Keys. 276

        Authentication with Asymmetric Keys 277

        Public Key Infrastructure Overview. 277

        PKI Topologies.. 278

        PKI and Usage Keys. 279

        PKI Server Offload and Registration Authorities (RAs) 280

        PKI Standards.. 280

        Certificate Enrollment Process. 282

        Certificate-Based Authentication. 283

        Certificate Applications. 284

    Exam Prep Questions.. 286

    Answers to Exam Prep Questions. 289

Chapter 7: Virtual Private Networks with IPsec.. 291

    Overview of VPN Technology.. 292

        Cisco VPN Products. 293

        VPN Benefits.. 293

        Site-to-Site VPNs.. 294

        Remote-Access VPNs. 295

        Cisco IOS SSL VPN. 296

        Cisco VPN Product Positioning. 297

        VPN Clients.. 299

        Hardware-Accelerated Encryption. 300

        IPsec Compared to SSL. 301

    Conceptualizing a Site-to-Site IPsec VPN. 302

        IPsec Components.. 302

        IPsec Strengths.. 306

        Constructing a VPN: Putting it Together 307

    Implementing IPsec on a Site-to-Site VPN Using the CLI 315

        Step 1: Ensure That Existing ACLs Are Compatible with the IPsec VPN.. 315

        Step 2: Create ISAKMP (IKE Phase I) Policy Set(s) 316

        Step 3: Configure IPsec Transform Set(s) 318

        Step 4: Create Crypto ACL Defining Traffic in the IPsec VPN.. 319

        Step 5: Create and Apply the Crypto Map (IPsec Tunnel Interface).. 320

        Verifying and Troubleshooting the IPsec VPN Using the CLI.. 321

    Implementing IPsec on a Site-to-Site VPN Using Cisco SDM 325

        Site-to-Site VPN Wizard Using Quick Setup 325

        Site-to-Site VPN Wizard Using Step-by-Step Setup 329

    Exam Prep Questions.. 337

    Answers to Exam Prep Questions. 339

Chapter 8: Network Security Using Cisco IOS IPS. 341

    Exploring IPS Technologies.. 342

        IDS Versus IPS.. 342

        IDS and IPS Categories. 343

        IPS Attack Responses. 347

        Event Management and Monitoring. 349

        Host IPS.. 351

        Network IPS.. 354

        HIPS and Network IPS Comparison 355

        Cisco IPS Appliances. 356

        IDS and IPS Signatures. 357

        Signature Alarms.. 359

        Best Practices for IPS Configuration 360

    Implementing Cisco IOS IPS.. 362

        Cisco IOS IPS Feature Blend. 362

        Cisco IOS IPS Primary Benefits. 362

        Cisco IOS IPS Signature Integration 363

        Configuring Cisco IOS IPS with the Cisco SDM 364

        Cisco IOS IPS CLI Configuration. 377

        Configuring IPS Signatures. 378

        SDEE and Syslog Logging Protocol Support 381

        Verifying IOS IPS Operation. 384

    Exam Prep Questions.. 387

    Answers to Exam Prep Questions. 390

Part IV: Security Inside the Perimeter     

Chapter 9: Introduction to Endpoint, SAN, and Voice Security. 395

    Introducing Endpoint Security. 396

        Cisco’s Host Security Strategy. 397

        Securing Software.. 397

        Endpoint Attacks.. 399

        Cisco Solutions to Secure Systems and Thwart Endpoint Attacks.. 403

        Endpoint Best Practices. 407

    Exploring SAN Security.. 407

        SAN Advantages.. 407

        SAN Technologies.. 408

        SAN Address Vulnerabilities. 408

        Virtual SANs (VSANs). 409

        SAN Security Strategies. 409

    Exploring Voice Security.. 411

        VoIP Components.. 411

        Threats to VoIP Endpoints. 413

        Fraud... 414

        SIP Vulnerabilities.. 414

        Mitigating VoIP Hacking. 415

    Exam Prep Questions.. 418

    Answers to Exam Prep Questions. 420

Chapter 10: Protecting Switch Infrastructure.. 421

    VLAN Hopping Attacks.. 422

        VLAN Hopping by Rogue Trunk. 423

        VLAN Hopping by Double-Tagging. 424

    STP Manipulation Attack.. 425

        STP Manipulation Attack Mitigation: Portfast 426

        STP Manipulation Attack Mitigation: BPDU Guard 427

        STP Manipulation Attack Mitigation: Root Guard 428

    CAM Table Overflow Attack.. 428

        CAM Table Overflow Attack Mitigation: Port Security 429

    MAC Address Spoofing Attack. 429

        MAC Address Spoofing Attack Mitigation: Port Security 429

    Configuring Port Security.. 429

        Port Security Basic Settings. 430

        Port Security Optional Settings. 430

        Port Security Verification. 433

    Miscellaneous Switch Security Features. 434

        Intrusion Notification.. 434

        Switched Port Analyzer (SPAN). 435

        Storm Control.. 436

    Switch Security Best Practices. 438

    Exam Prep Questions.. 439

    Answers to Exam Prep Questions. 440

Part V: Practice Exams and Answers     

Practice Exam 1... 443

Answers to Practice Exam 1.. 461

Practice Exam 2... 471

Answers to Practice Exam 2.. 487

Part VI: Appendixes      

Appendix A: What’s on the CD-ROM.. 499

Appendix B: Need to Know More?... 503

TOC, 0789738007, 10/3/08