CCNA Security 210-260 Official Cert Guide Premium Edition and Practice Test

Omar Santos is the technical leader for the Cisco Product Security Incident Response Team (PSIRT). He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products. Omar has been working with information technology and cybersecurity since the mid-1990s. Omar has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and for the U.S. government. Prior to his current role, he was a technical leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations. Omar is an active member of the security community, where he leads several industrywide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of several books and numerous white papers, articles, and security configuration guidelines and best practices. Omar has also delivered numerous technical presentations at many conferences and to Cisco customers and partners, in addition to many C-level executive presentations to many organizations. John Stuppi, CCIE No. 11154 (Security), is a technical leader in the Cisco Security Solutions (CSS) organization at Cisco, where he consults Cisco customers on protecting their network against existing and emerging cybersecurity threats. In this role, John is responsible for providing effective techniques using Cisco product capabilities to provide identification and mitigation solutions for Cisco customers who are concerned with current or expected security threats to their network environments. Current projects include helping customers leverage DNS and NetFlow data to identify and subsequently mitigate network-based threats. John has presented multiple times on various network security topics at Cisco Live, Black Hat, and other customer-facing cybersecurity conferences. In addition, John contributes to the Cisco Security Portal through the publication of white papers, security blog posts, and cyber risk report articles. Before joining Cisco, John worked as a network engineer for JPMorgan and then as a network security engineer at Time, Inc., with both positions based in New York City. John is also a CISSP (#25525) and holds an Information Systems Security (INFOSEC) professional certification. In addition, John has a BSEE from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey (a.k.a. the "Jersey Shore") with his wife, two kids, and dog.

Introduction xxvi
Part I Fundamentals of Network Security
Chapter 1 Networking Security Concepts 3
"Do I Know This Already?" Quiz 3
Foundation Topics 6
Understanding Network and Information Security Basics 6
Network Security Objectives 6
Confidentiality, Integrity, and Availability 6
Cost-Benefit Analysis of Security 7
Classifying Assets 8
Classifying Vulnerabilities 10
Classifying Countermeasures 10
What Do We Do with the Risk? 11
Recognizing Current Network Threats 12
Potential Attackers 12
Attack Methods 13
Attack Vectors 14
Man-in-the-Middle Attacks 14
Other Miscellaneous Attack Methods 15
Applying Fundamental Security Principles to Network Design 16
Guidelines 16
Network Topologies 17
Network Security for a Virtual Environment 20
How It All Fits Together 22
Exam Preparation Tasks 23
Review All the Key Topics 23
Complete the Tables and Lists from Memory 23
Define Key Terms 23
Chapter 2 Common Security Threats 25
"Do I Know This Already?" Quiz 25
Foundation Topics 27
Network Security Threat Landscape 27
Distributed Denial-of-Service Attacks 27
Social Engineering Methods 28
Social Engineering Tactics 29
Defenses Against Social Engineering 29
Malware Identification Tools 30
Methods Available for Malware Identification 30
Data Loss and Exfiltration Methods 31
Summary 32
Exam Preparation Tasks 33
Review All the Key Topics 33
Complete the Tables and Lists from Memory 33
Define Key Terms 33
Part II Secure Access
Chapter 3 Implementing AAA in Cisco IOS 35
"Do I Know This Already?" Quiz 35
Foundation Topics 38
Cisco Secure ACS, RADIUS, and TACACS 38
Why Use Cisco ACS? 38
On What Platform Does ACS Run? 38
What Is ISE? 39
Protocols Used Between the ACS and the Router 39
Protocol Choices Between the ACS Server and the Client (the Router) 40
Configuring Routers to Interoperate with an ACS Server 41
Configuring the ACS Server to Interoperate with a Router 51
Verifying and Troubleshooting Router-to-ACS Server Interactions 60
Exam Preparation Tasks 67
Review All the Key Topics 67
Complete the Tables and Lists from Memory 67
Define Key Terms 67
Command Reference to Check Your Memory 67
Chapter 4 Bring Your Own Device (BYOD) 71
"Do I Know This Already?" Quiz 71
Foundation Topics 73
Bring Your Own Device Fundamentals 73
BYOD Architecture Framework 74
BYOD Solution Components 74
Mobile Device Management 76
MDM Deployment Options 76
On-Premise MDM Deployment 77
Cloud-Based MDM Deployment 78
Exam Preparation Tasks 80
Review All the Key Topics 80
Complete the Tables and Lists from Memory 80
Define Key Terms 80
Part III Virtual Private Networks (VPN)
Chapter 5 Fundamentals of VPN Technology and Cryptography 83
"Do I Know This Already?" Quiz 83
Foundation Topics 87
Understanding VPNs and Why We Use Them 87
What Is a VPN? 87
Types of VPNs 88
Two Main Types of VPNs 88
Main Benefits of VPNs 89
Confidentiality 89
Data Integrity 90
Authentication 90
Antireplay Protection 90
Cryptography Basic Components 91
Ciphers and Keys 91
Ciphers 91
Keys 92
Block and Stream Ciphers 92
Block Ciphers 92
Stream Ciphers 92
Symmetric and Asymmetric Algorithms 92
Symmetric 93
Asymmetric 93
Hashes 94
Hashed Message Authentication Code 95
Digital Signatures 95
Digital Signatures in Action 95
Key Management 96
Next-Generation Encryption Protocols 97
IPsec and SSL 97
IPsec 97
SSL 98
Public Key Infrastructure 99
Public and Private Key Pairs 99
RSA Algorithm, the Keys, and Digital Certificates 99
Who Has Keys and a Digital Certificate? 100
How Two Parties Exchange Public Keys 100
Creating a Digital Signature 100
Certificate Authorities 100
Root and Identity Certificates 101
Root Certificate 101
Identity Certificate 102
Using the Digital Certificates to Get the Peer's Public Key 103
X.500 and X.509v3 Certificates 103
Authenticating and Enrolling with the CA 104
Public Key Cryptography Standards 105
Simple Certificate Enrollment Protocol 105
Revoked Certificates 105
Uses for Digital Certificates 106
PKI Topologies 106
Single Root CA 107
Hierarchical CA with Subordinate CAs 107
Cross-Certifying CAs 107
Putting the Pieces of PKI to Work 107
ASA's Default Certificate 108
Viewing the Certificates in ASDM 108
Adding a New Root Certificate 109
Easier Method for Installing Both Root and Identity Certificates 111
Exam Preparation Tasks 116
Review All the Key Topics 116
Complete the Tables and Lists from Memory 117
Define Key Terms 117
Command Reference to Check Your Memory 117
Chapter 6 Fundamentals of IP Security 119
"Do I Know This Already?" Quiz 119
Foundation Topics 122
IPsec Concepts, Components, and Operations 122
The Goal of IPsec 122
The Internet Key Exchange (IKE) Protocol 123
The Play by Play for IPsec 124
Step 1: Negotiate the IKEv1 Phase 1 Tunnel 124
Step 2: Run the DH Key Exchange 125
Step 3: Authenticate the Peer 126
What About the User's Original Packet? 126
Leveraging What They Have Already Built 126
Now IPsec Can Protect the User's Packets 127
Traffic Before IPsec 127
Traffic After IPsec 127
Summary of the IPsec Story 128
Configuring and Verifying IPsec 129
Tools to Configure the Tunnels 129
Start with a Plan 129
Applying the Configuration 129
Viewing the CLI Equivalent at the Router 137
Completing and Verifying IPsec 139
Exam Preparation Tasks 146
Review All the Key Topics 146
Complete the Tables and Lists from Memory 146
Define Key Terms 146
Command Reference to Check Your Memory 147
Chapter 7 Implementing IPsec Site-to-Site VPNs 149
"Do I Know This Already?" Quiz 149
Foundation Topics 152
Planning and Preparing an IPsec Site-to-Site VPN 152
Customer Needs 152
Planning IKEv1 Phase 1 154
Planning IKEv1 Phase 2 154
Implementing and Verifying an IPsec Site-to-Site VPN in Cisco IOS Devices 155
Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS 164
Implementing and Verifying an IPsec Site-to-Site VPN in Cisco ASA 179
Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA 193
Exam Preparation Tasks 199
Review All the Key Topics 199
Complete the Tables and Lists from Memory 199
Define Key Terms 199
Command Reference to Check Your Memory 199
Chapter 8 Implementing SSL VPNs Using Cisco ASA 203
"Do I Know This Already?" Quiz 203
Foundation Topics 206
Functions and Use of SSL for VPNs 206
Is IPsec Out of the Picture? 206
SSL and TLS Protocol Framework 207
The Play by Play of SSL for VPNs 207
SSL VPN Flavors 208
Configuring Clientless SSL VPNs on ASA 209
Using the SSL VPN Wizard 209
Digital Certificates 211
Accessing the Connection Profile 211
Authenticating Users 211
Logging In 215
Seeing the VPN Activity from the Server 217
Using the Cisco AnyConnect Secure Mobility Client 217
Types of SSL VPNs 218
Configuring the Cisco ASA to Terminate the Cisco AnyConnect Secure Mobility Client Connections 218
Groups, Connection Profiles, and Defaults 225
One Item with Three Different Names 226
Split Tunneling 227
Troubleshooting SSL VPN 228
Troubleshooting SSL Negotiations 228
Troubleshooting AnyConnect Client Issues 228
Initial Connectivity Issues 228
Traffic-Specific Issues 230
Exam Preparation Tasks 231
Review All the Key Topics 231
Complete the Tables and Lists from Memory 231
Define Key Terms 231
Part IV Secure Routing and Switching
Chapter 9 Securing Layer 2 Technologies 233
"Do I Know This Already?" Quiz 233
Foundation Topics 236
VLAN and Trunking Fundamentals 236
What Is a VLAN? 236
Trunking with 802.1Q 238
Following the Frame, Step by Step 239
The Native VLAN on a Trunk 239
So, What Do You Want to Be? (Asks the Port) 239
Inter-VLAN Routing 240
The Challenge of Using Physical Interfaces Only 240
Using Virtual "Sub" Interfaces 240
Spanning-Tree Fundamentals 241
Loops in Networks Are Usually Bad 241
The Life of a Loop 241
The Solution to the Layer 2 Loop 242
STP Is Wary of New Ports 245
Improving the Time Until Forwarding 245
Common Layer 2 Threats and How to Mitigate Them 246
Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too 246
Layer 2 Best Practices 246
Do Not Allow Negotiations 247
Layer 2 Security Toolkit 248
Specific Layer 2 Mitigation for CCNA Security 248
BPDU Guard 248
Root Guard 249
Port Security 250
CDP and LLDP 251
DHCP Snooping 253
Dynamic ARP Inspection 254
Exam Preparation Tasks 257
Review All the Key Topics 257
Complete the Tables and Lists from Memory 258
Review the Port Security Video Included with This Book 258
Define Key Terms 258
Command Reference to Check Your Memory 258
Chapter 10 Network Foundation Protection 261
"Do I Know This Already?" Quiz 261
Foundation Topics 264
Using Network Foundation Protection to Secure Networks 264
The Importance of the Network Infrastructure 264
The Network Foundation Protection Framework 264
Interdependence 265
Implementing NFP 265
Understanding the Management Plane 266
First Things First 266
Best Practices for Securing the Management Plane 267
Understanding the Control Plane 268
Best Practices for Securing the Control Plane 268
Understanding the Data Plane 270
Best Practices for Protecting the Data Plane 271
Additional Data Plane Protection Mechanisms 271
Exam Preparation Tasks 272
Review All the Key Topics 272
Complete the Tables and Lists from Memory 272
Define Key Terms 272
Chapter 11 Securing the Management Plane on Cisco IOS Devices 275
"Do I Know This Already?" Quiz 275
Foundation Topics 278
Securing Management Traffic 278
What Is Management Traffic and the Management Plane? 278
Beyond the Blue Rollover Cable 278
Management Plane Best Practices 278
Password Recommendations 281
Using AAA to Verify Users 281
AAA Components 282
Options for Storing Usernames, Passwords, and Access Rules 282
Authorizing VPN Users 283
Router Access Authentication 284
The AAA Method List 285
Role-Based Access Control 286
Custom Privilege Levels 287
Limiting the Administrator by Assigning a View 287
Encrypted Management Protocols 287
Using Logging Files 288
Understanding NTP 289
Protecting Cisco IOS Files 289
Implementing Security Measures to Protect the Management Plane 290
Implementing Strong Passwords 290
User Authentication with AAA 292
Using the CLI to Troubleshoot AAA for Cisco Routers 296
RBAC Privilege Level/Parser View 301
Implementing Parser Views 303
SSH and HTTPS 305
Implementing Logging Features 308
Configuring Syslog Support 308
SNMP Features 310
Configuring NTP 313
Secure Copy Protocol 315
Securing the Cisco IOS Image and Configuration Files 315
Exam Preparation Tasks 317
Review All the Key Topics 317
Complete the Tables and Lists from Memory 318
Define Key Terms 318
Command Reference to Check Your Memory 318
Chapter 12 Securing the Data Plane in IPv6 321
"Do I Know This Already?" Quiz 321
Foundation Topics 324
Understanding and Configuring IPv6 324
Why IPv6? 324
The Format of an IPv6 Address 325
Understanding the Shortcuts 327
Did We Get an Extra Address? 327
IPv6 Address Types 327
Configuring IPv6 Routing 330
Moving to IPv6 331
Developing a Security Plan for IPv6 332
Best Practices Common to Both IPv4 and IPv6 332
Threats Common to Both IPv4 and IPv6 333
The Focus on IPv6 Security 334
New Potential Risks with IPv6 334
IPv6 Best Practices 336
IPv6 Access Control Lists 337
Exam Preparation Tasks 338
Review All the Key Topics 338
Complete the Tables and Lists from Memory 338
Define Key Terms 338
Command Reference to Check Your Memory 338
Chapter 13 Securing Routing Protocols and the Control Plane 341
"Do I Know This Already?" Quiz 341
Foundation Topics 344
Securing the Control Plane 344
Minimizing the Impact of Control Plane Traffic on the CPU 344
Control Plane Policing 346
Control Plane Protection 348
Securing Routing Protocols 348
Implement Routing Update Authentication on OSPF 348
Implement Routing Update Authentication on EIGRP 349
Implement Routing Update Authentication on RIP 350
Implement Routing Update Authentication on BGP 351
Exam Preparation Tasks 353
Review All the Key Topics 353
Complete the Tables and Lists from Memory 353
Define Key Terms 353
Part V Cisco Firewall Technologies and Intrusion Prevention System Technologies
Chapter 14 Understanding Firewall Fundamentals 355
"Do I Know This Already?" Quiz 355
Foundation Topics 358
Firewall Concepts and Technologies 358
Firewall Technologies 358
Objectives of a Good Firewall 358
Firewall Justifications 359
The Defense-in-Depth Approach 360
Firewall Methodologies 361
Static Packet Filtering 362
Application Layer Gateway 363
Stateful Packet Filtering 363
Application Inspection 364
Transparent Firewalls 365
Next-Generation Firewalls 365
Using Network Address Translation 366
NAT Is About Hiding or Changing the Truth About Source Addresses 366
Inside, Outside, Local, Global 367
Port Address Translation 368
NAT Options 369
Creating and Deploying Firewalls 370
Firewall Technologies 370
Firewall Design Considerations 370
Firewall Access Rules 371
Packet-Filtering Access Rule Structure 372
Firewall Rule Design Guidelines 372
Rule Implementation Consistency 373
Exam Preparation Tasks 375
Review All the Key Topics 375
Complete the Tables and Lists from Memory 375
Define Key Terms 375
Chapter 15 Implementing Cisco IOS Zone-Based Firewalls 377
"Do I Know This Already?" Quiz 377
Foundation Topics 379
Cisco IOS Zone-Based Firewalls 379
How Zone-Based Firewall Operates 379
Specific Features of Zone-Based Firewalls 379
Zones and Why We Need Pairs of Them 380
Putting the Pieces Together 381
Service Policies 382
The Self Zone 384
Configuring and Verifying Cisco IOS Zone-Based Firewalls 385
First Things First 385
Using CCP to Configure the Firewall 386
Verifying the Firewall 399
Verifying the Configuration from the Command Line 400
Implementing NAT in Addition to ZBF 404
Verifying Whether NAT Is Working 407
Exam Preparation Tasks 409
Review All the Key Topics 409
Complete the Tables and Lists from Memory 409
Define Key Terms 409
Command Reference to Check Your Memory 409
Chapter 16 Configuring Basic Firewall Policies on Cisco ASA 413
"Do I Know This Already?" Quiz 413
Foundation Topics 416
The ASA Appliance Family and Features 416
Meet the ASA Family 416
ASA Features and Services 417
ASA Firewall Fundamentals 419
ASA Security Levels 419
The Default Flow of Traffic 420
Tools to Manage the ASA 422
Initial Access 422
Packet Filtering on the ASA 422
Implementing a Packet-Filtering ACL 423
Modular Policy Framework 424
Where to Apply a Policy 425
Configuring the ASA 425
Beginning the Configuration 425
Getting to the ASDM GUI 433
Configuring the Interfaces 435
IP Addresses for Clients 443
Basic Routing to the Internet 444
NAT and PAT 445
Permitting Additional Access Through the Firewall 447
Using Packet Tracer to Verify Which Packets Are Allowed 449
Verifying the Policy of No Telnet 453
Exam Preparation Tasks 454
Review All the Key Topics 454
Complete the Tables and Lists from Memory 454
Define Key Terms 454
Command Reference to Check Your Memory 455
Chapter 17 Cisco IDS/IPS Fundamentals 457
"Do I Know This Already?" Quiz 457
Foundation Topics 460
IPS Versus IDS 460
What Sensors Do 460
Difference Between IPS and IDS 460
Sensor Platforms 462
True/False Negatives/Positives 463
Positive/Negative Terminology 463
Identifying Malicious Traffic on the Network 463
Signature-Based IPS/IDS 464
Policy-Based IPS/IDS 464
Anomaly-Based IPS/IDS 464
Reputation-Based IPS/IDS 464
When Sensors Detect Malicious Traffic 465
Controlling Which Actions the Sensors Should Take 467
Implementing Actions Based on the Risk Rating 468
Circumventing an IPS/IDS 468
Managing Signatures 469
Signature or Severity Levels 470
Monitoring and Managing Alarms and Alerts 471
Security Intelligence 471
IPS/IDS Best Practices 472
Cisco Next-Generation IPS Solutions 472
Exam Preparation Tasks 474
Review All the Key Topics 474
Complete the Tables and Lists from Memory 474
Define Key Terms 474
Part VI Content and Endpoint Security
Chapter 18 Mitigation Technologies for E-mail-Based and Web-Based Threats 477
"Do I Know This Already?" Quiz 477
Foundation Topics 479
Mitigation Technology for E-mail-Based Threats 479
E-mail-Based Threats 479
Cisco Cloud E-mail Security 479
Cisco Hybrid E-mail Security 480
Cisco E-mail Security Appliance 480
Cisco ESA Initial Configuration 483
Mitigation Technology for Web-Based Threats 486
Cisco CWS 486
Cisco WSA 487
Cisco Content Security Management Appliance 491
Exam Preparation Tasks 493
Review All the Key Topics 493
Complete the Tables and Lists from Memory 493
Define Key Terms 493
Command Reference to Check Your Memory 493
Chapter 19 Mitigation Technologies for Endpoint Threats 495
"Do I Know This Already?" Quiz 495
Foundation Topics 497
Antivirus and Antimalware Solutions 497
Personal Firewalls and Host Intrusion Prevention Systems 498
Advanced Malware Protection for Endpoints 499
Hardware and Software Encryption of Endpoint Data 500
E-mail Encryption 500
Encrypting Endpoint Data at Rest 501
Virtual Private Networks 501
Exam Preparation Tasks 503
Review All the Key Topics 503
Complete the Tables and Lists from Memory 503
Define Key Terms 503
Part VII Final Preparation
Chapter 20 Final Preparation 505
Tools for Final Preparation 505
Exam Engine and Questions on the CD 505
Install the Exam Engine 505
Activate and Download the Practice Exam 506
Activating Other Exams 506
Premium Edition 506
The Cisco Learning Network 507
Memory Tables 507
Chapter-Ending Review Tools 507
Study Plan 507
Recall the Facts 507
Practice Configurations 508
Using the Exam Engine 508
Part VIII Appendixes
Appendix A Answers to the "Do I Know This Already?" Quizzes 511
Appendix B CCNA Security 210-260 (IINS) Exam Updates 517
Glossary 521

On the CD
Glossary
Appendix C Memory Tables
Appendix D Memory Tables Answer Key
Appendix E Study Planner

9781587205668 TOC 8/14/2015