CCNA Security Official Exam Certification Guide

Overview

CCNA Security

Official Exam Certification Guide

  • Master the IINS 640-553 exam with this official study guide
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with Exam Preparation Tasks
  • Practice with realistic exam questions on the CD-ROM

CCNA Security Official Exam Certification Guide is a best-of-breed Cisco® exam study guide that focuses specifically on the objectives for the CCNA® Security IINS exam. Senior security instructors Michael Watkins and Kevin Wallace share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNA Security Official Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks sections help drill you on key concepts you must know thoroughly.

The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a topic-by-topic basis, presenting question-by-question remediation to the text and laying out a complete study plan for review.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

CCNA Security Official Exam Certification Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

Michael Watkins, CCNA/CCNP®/CCVP®/CCSP®, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, Michael has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the United States Air Force to help them implement and learn the latest network technologies.

Kevin Wallace, CCIE® No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, Kevin has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. Kevin also is a CCVP, CCSP, CCNP, and CCDP with multiple Cisco security and IP communications specializations.

The official study guide helps you master all the topics on the IINS exam, including

  • Network security threats
  • Security policies
  • Network perimeter defense
  • AAA configuration
  • Router security
  • Switch security
  • Endpoint security
  • SAN security
  • VoIP security
  • IOS firewalls
  • Cisco IOS® IPS
  • Cryptography
  • Digital signatures
  • PKI and asymmetric encryption
  • IPsec VPNs

This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

Category: Cisco Press—Cisco Certification

Covers: IINS exam 640-553


Product Details

  • ISBN-13: 9781587202209
  • Publisher: Cisco Press
  • Publication date: 6/17/2008
  • Series: Exam Certification Guide Series
  • Edition description: CD-ROM Included
  • Pages: 637
  • Product dimensions: 7.50 (w) x 9.10 (h) x 1.60 (d)

Meet the Author

Michael Watkins, CCNA/CCNP/CCVP/CCSP, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, he has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the U.S. Air Force to help them implement and learn about the latest network technologies. In addition to holding more than 20 industry certifications in the areas of networking and programming technologies, he holds a bachelor of arts degree from Wabash College.

Kevin Wallace, CCIE No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, he has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. He holds a bachelor of science degree in electrical engineering from the University of Kentucky. He is also a CCVP, CCSP, CCNP, and CCDP, with multiple Cisco security and IP communications specializations.


Read an Excerpt

Introduction

Congratulations on your decision to pursue a Cisco Certification! If you're reading far enough to look at the introduction to this book, you likely already have a sense of what you ultimately would like to achieve—the Cisco CCNA Security certification. Achieving Cisco CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco certifications are recognized throughout the networking industry as a rigorous test of a candidate's knowledge of and ability to work with Cisco technology. Through its quality technologies, Cisco has garnered a significant market share in the router and switch marketplace, with more than 80 percent market share in some markets. For many industries and markets around the world, networking equals Cisco. Cisco certification will set you apart from the crowd and allow you to display your knowledge as a networking security professional.

Historically speaking, the first entry-level Cisco certification is the Cisco Certified Network Associate (CCNA) certification, first offered in 1998.

With the introduction of the CCNA Security certification, Cisco has for the first time provided an area of focus at the associate level. The CCNA Security certification is for networking professionals who work with Cisco security technologies and who want to demonstrate their mastery of core network security principles and technologies.

Format of the IINS Exam

The 640-553 IINS exam follows the same general format as other Cisco exams. When you get to the testing center and check in, the proctor gives you some general instructions and then takes you into a quiet room with a PC. When you're at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and the testing engine. If you have user-level PC skills, you should have no problems with the testing environment. Additionally, Chapter 16 points to a Cisco website where you can see a demo of the actual Cisco test engine.

When you start the exam, you are asked a series of questions. You answer the question and then move on to the next question. The exam engine does not let you go back and change your answer. When you move on to the next question, that's it for the earlier question.

The exam questions can be in one of the following formats:

  • Multiple-choice (MC)

  • Testlet

  • Drag-and-drop (DND)

  • Simulated lab (Sim)

  • Simlet

The first three types of questions are relatively common in many testing environments. The multiple-choice format simply requires that you point and click a circle beside the correct answer(s). Cisco traditionally tells you how many answers you need to choose, and the testing software prevents you from choosing too many answers. Testlets are questions with one general scenario, with multiple MC questions about the overall scenario. Drag-and-drop questions require you to click and hold, move a button or icon to another area, and release the mouse button to place the object somewhere else—typically in a list. For example, to get the question correct, you might need to put a list of five things in the proper order.

The last two types both use a network simulator to ask questions. Interestingly, these two types allow Cisco to assess two very different skills. Sim questions generally describe a problem, and your task is to configure one or more routers and switches to fix the problem. The exam then grades the question based on the configuration you changed or added. Sim questions are the only questions for which Cisco (to date) has openly confirmed that partial credit is given.

The Simlet questions may well be the most difficult style of question on the exams. Simlet questions also use a network simulator, but instead of answering the question by changing the configuration, the question includes one or more MC questions. The questions require that you use the simulator to examine the current behavior of a network, interpreting the output of any show commands that you can remember to answer the question. Whereas Sim questions require you to troubleshoot problems related to a configuration, Simlets require you to analyze both working networks and networks with problems, correlating show command output with your knowledge of networking theory and configuration commands.

What's on the IINS Exam?

Cisco wants the public to know both the variety of topics and the kinds of knowledge and skills that are required for each topic, for every Cisco certification exam. To that end, Cisco publishes a set of exam topics for each exam. The topics list the specific subjects, such as ACLs, PKI, and AAA, that you will see on the exam. The wording of the topics also implies the kinds of skills required for that topic. For example, one topic might start with "Describe...", and another might begin with "Describe, configure, and troubleshoot...". The second objective clearly states that you need a thorough and deep understanding of that topic. By listing the topics and skill level, Cisco helps you prepare for the exam.

Although the exam topics are helpful, keep in mind that Cisco adds a disclaimer that the posted exam topics for all its certification exams are guidelines. Cisco makes an effort to keep the exam questions within the confines of the stated exam topics. I know from talking to those involved that every question is analyzed to ensure that it fits within the stated exam topics.

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com (http://www.cisco.com/go/certification). If Cisco later adds exam topics, you may go to http://www.ciscopress.com and download additional information about the newly added topics.

Table I-1  640-553 IINS Exam Topics

Ref.  Exam Topic  (Book Part(s) Where Topic Is Covered)

1.0   Describe the security threats facing modern network infrastructures
1.1   Describe and mitigate the common threats to the physical installation  (I)
1.2   Describe and list mitigation methods for common network attacks  (I)
1.3   Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks  (II)
1.4   Describe the main activities in each phase of a secure network lifecycle  (I)
1.5   Explain how to meet the security needs of a typical enterprise with a comprehensive security policy  (I)
1.6   Describe the Cisco Self Defending Network architecture  (I)
1.7   Describe the Cisco security family of products and their interactions  (I, II, III)

2.0   Secure Cisco routers
2.1   Secure Cisco routers using the SDM Security Audit feature  (I)
2.2   Use the One-Step Lockdown feature in SDM to secure a Cisco router  (I)
2.3   Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements  (I)
2.4   Secure administrative access to Cisco routers by configuring multiple privilege levels  (I)
2.5   Secure administrative access to Cisco routers by configuring role based CLI  (I)
2.6   Secure the Cisco IOS image and configuration file  (I)

3.0   Implement AAA on Cisco routers using local router database and external ACS
3.1   Explain the functions and importance of AAA  (I)
3.2   Describe the features of TACACS+ and RADIUS AAA protocols  (I)
3.3   Configure AAA authentication  (I)
3.4   Configure AAA authorization  (I)
3.5   Configure AAA accounting  (I)

4.0   Mitigate threats to Cisco routers and networks using ACLs
4.1   Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets  (II)
4.2   Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI  (II)
4.3   Configure IP ACLs to prevent IP address spoofing using CLI  (II)
4.4   Discuss the caveats to be considered when building ACLs  (II)

5.0   Implement secure network management and reporting
5.1   Describe the factors to be considered when planning for secure management and reporting of network devices  (I)
5.2   Use CLI and SDM to configure SSH on Cisco routers to enable secured management access  (I)
5.3   Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server  (I)
5.4   Describe SNMPv3 and NTPv3  (I)

6.0   Mitigate common Layer 2 attacks
6.1   Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features  (II)

7.0   Implement the Cisco IOS firewall feature set using SDM
7.1   Describe the operational strengths and weaknesses of the different firewall technologies  (II)
7.2   Explain stateful firewall operations and the function of the state table  (II)
7.3   Implement Zone Based Firewall using SDM  (II)

8.0   Implement the Cisco IOS IPS feature set using SDM
8.1   Define network based vs. host based intrusion detection and prevention  (II)
8.2   Explain IPS technologies, attack responses, and monitoring options  (II)
8.3   Enable and verify Cisco IOS IPS operations using SDM  (II)

9.0   Implement site-to-site VPNs on Cisco Routers using SDM
9.1   Explain the different methods used in cryptography  (III)
9.2   Explain IKE protocol functionality and phases  (III)
9.3   Describe the building blocks of IPSec and the security functions it provides  (III)
9.4   Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM  (III)

IINS Course Outlines

Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course: Implementing Cisco IOS Network Security (IINSv1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward passing the 640-553 IINS exam.

About the CCNA Security Official Exam Certification Guide

As mentioned earlier, Cisco has outlined the topics tested on the 640-553 IINS exam. This book maps to these topic areas and provides some background material to give context and to help you understand these topics.

This section lists this book's variety of features. A number of basic features included in this book are common to all Cisco Press Official Exam Certification Guides. These features are designed to help you prepare to pass the official certification exam, as well as help you learn relevant real-world concepts and procedures.

Objectives and Methods

The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam. In fact, if the primary objective of this book were different, the book's title would be misleading! However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job.

This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. So, this book does not try to help you pass the exams only by memorization, but by truly learning and understanding the topics. The CCNA Security certification is the foundation of the professional level Cisco certification in security, the CCSP, so it is important that this book also help you truly learn the material. This book is designed to help you pass the CCNA Security exam by using the following methods:

  • Helping you discover which exam topics you have not mastered

  • Providing explanations and information to fill in your knowledge gaps

  • Supplying exercises that enhance your ability to recall and deduce the answers to test questions

  • Providing practice exercises on the topics and the testing process via test questions on the CD

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:

  • "Do I Know This Already?" quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter.

  • Foundation Topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter.

  • Exam Preparation Tasks: At the end of the "Foundation Topics" section of each chapter, the "Exam Preparation Tasks" section lists a series of study activities that you should do at the end of the chapter. Each chapter includes the activities that make the most sense for studying the topics in that chapter.


— Review All the Key Topics: The Key Topic icon appears next to the most important items in the "Foundation Topics" section of the chapter. The Review All the Key Topics activity lists the Key Topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each Key Topic, so you should review these.

— Complete the Tables and Lists from Memory: To help you memorize some lists of facts, many of the more important lists and tables from the chapter are included in a document on the CD. This document lists only partial information, allowing you to complete the table or list.

— Definition of Key Terms: Although the exam may be unlikely to ask a question such as "Define this term," the CCNA exams do require that you learn and know a lot of networking terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.

— Command Reference Tables: Some chapters cover a large number of configuration and EXEC commands. These tables list and describe the commands introduced in the chapter. For exam preparation, use these tables for reference, but also read them when performing the Exam Preparation Tasks to make sure you remember what all the commands do.

  • CD-based practice exam: The companion CD contains an exam engine (from Boson Software, http://www.boson.com) that includes two question databases. One database has a copy of all the "Do I Know This Already?" quiz questions from the book, and the other has unique exam-realistic questions. To further help you prepare for the exam, you can take a simulated IINS exam using the CD.

How This Book Is Organized

This book contains 15 core chapters—Chapters 1 through 15. Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics:

  • Part I: Network Security Concepts

— Chapter 1, "Understanding Network Security Principles": This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed. You are also introduced to various threats targeting the security of your network.

— Chapter 2, "Developing a Secure Network": This chapter explains the day-to-day procedures for deploying, maintaining, and retiring information security components. You are also provided with considerations and principles for authoring a security policy, in addition to creating user awareness of the security policy. Finally, this chapter describes the Cisco Self-Defending Network, which is Cisco's vision for security systems.

— Chapter 3, "Defending the Perimeter": This chapter describes methods of securely accessing a router prompt for purposes of administration. Additionally, you are given an overview of the Cisco Integrated Services Router (ISR) line of routers. In this chapter you also examine the Cisco Security Device Manager (SDM) interface. The graphical interface provided by SDM allows administrators to configure a variety of router features using a collection of wizards, which use best-practice recommendations from the Cisco Technical Assistance Center (TAC).

— Chapter 4, "Configuring AAA": This chapter explores the uses of AAA, including the components that make it up, as well as the steps necessary to successfully configure AAA using the local database. The role of Cisco ACS is also examined as it relates to configuring AAA, including a discussion of working with both RADIUS and TACACS+.

— Chapter 5, "Securing the Router": This chapter discusses various router services that attackers might target. To help you harden the security of a router, this chapter also describes the AutoSecure feature and Cisco SDM's One-Step Lockdown feature. Next the chapter focuses on securing and monitoring router access using syslog, SSH, and SNMPv3 technologies. Finally, this chapter distinguishes between in-band and out-of-band network management and how to use Cisco SDM to configure a variety of management and monitoring features.

  • Part II: Constructing a Secure Infrastructure

— Chapter 6, "Securing Layer 2 Devices": This chapter explains how Cisco Catalyst switches can be configured to mitigate several common Layer 2 attacks. Then you are introduced to how Cisco Identity-Based Networking Services (IBNS) uses IEEE 802.1x, RADIUS, and Extensible Authentication Protocol (EAP) technologies to selectively allow access to network resources based on user credentials.

— Chapter 7, "Implementing Endpoint Security": This chapter examines a variety of threats faced by endpoints in a network environment and introduces a series of techniques that can be used to help safeguard systems from common operating system vulnerabilities. This chapter also explores various Cisco-specific technologies that may be used to defend endpoints from a variety of attacks. Specifically, technologies such as IronPort, the Cisco NAC Appliance, and the Cisco Security Agent are discussed.

— Chapter 8, "Providing SAN Security": This chapter outlines the basics of SAN operation and looks at the benefits that a SAN brings to the enterprise as a whole. A variety of security mechanisms, such as LUN masking, SAN zoning, and port authentication, are also explored as steps that may be taken to safeguard data in a SAN environment.

— Chapter 9, "Exploring Secure Voice Solutions": This chapter introduces you to voice over IP (VoIP) networks. You learn what business benefits VoIP offers, in addition to the components and protocols that support the transmission of packetized voice across a data network. You are made aware of specific threats targeting a VoIP network. Some threats (such as toll fraud) are found in traditional telephony networks, but others are specific to VoIP. Finally, this chapter identifies specific actions you can take to increase the security of VoIP networks. For example, you will consider how to use firewalls and VPNs to protect voice networks and how to harden the security of Cisco IP Phones and voice servers.

— Chapter 10, "Using Cisco IOS Firewalls to Defend the Network": This chapter begins by exploring the evolution of firewall technology and the role of firewalls in constructing an overall network defense. This chapter also examines how to use access control lists (ACL) to construct a static packet-filtering mechanism for the enterprise environment. Finally, zone-based firewalls are discussed because they represent a significant advance in firewall technology. Their role in defending the network is examined.

— Chapter 11, "Using Cisco IOS IPS to Secure the Network": This chapter distinguishes between intrusion detection and intrusion prevention. Various Intrusion Prevention System (IPS) appliances are introduced, and the concept of signatures is discussed. Also, this chapter examines how to configure a Cisco IOS router to act as an IPS sensor, as opposed to using, for example, a dedicated IPS appliance. Specifically, the configuration discussed uses a wizard available in the Cisco SDM interface.

  • Part III: Extending Security and Availability with Cryptography and VPNs

— Chapter 12, "Designing a Cryptographic Solution": This chapter initially explores the basics of cryptographic services and looks at their evolution. This chapter also examines the use of symmetric encryption, including a variety of symmetric algorithms such as DES, 3DES, AES, SEAL, and various Rivest ciphers. This chapter concludes with a discussion of the encryption process and what makes for a strong, trustworthy encryption algorithm.

— Chapter 13, "Implementing Digital Signatures": This chapter begins with a look at hash algorithms and explores their construction and usage. This includes a discussion of their relative strengths and weaknesses in practical application. The components that make up a digital signature are also explored in depth, along with a discussion of their application as a means of proving a message's authenticity.

— Chapter 14, "Exploring PKI and Asymmetric Encryption": This chapter looks at the use of asymmetric algorithms in a PKI and examines the features and capabilities of RSA specifically. The Diffie-Hellman (DH) algorithm is also discussed, as to how it is used for key exchange. This chapter also explores the makeup of the PKI infrastructure and discusses the various components and topologies that may be employed.

— Chapter 15, "Building a Site-to-Site IPsec VPN Solution": This chapter introduces you to an IPsec virtual private network (VPN) and its components. Additionally, you explore specific devices in the Cisco VPN product family. Then you are presented with Cisco best-practice recommendations for VPNs. This chapter then walks you through the process of configuring an IPsec site-to-site VPN on an IOS router, using both the command-line interface and the Cisco Security Device Manager (SDM) interface.

  • Part IV: Final Preparation

— Chapter 16, "Final Preparation": This chapter identifies tools for final exam preparation and helps you develop an effective study plan.

  • Part V: Appendixes

— Appendix A, "Answers to the 'Do I Know This Already?' Questions": Includes the answers to all the questions from Chapters 1 through 15.

— Appendix B, "Glossary": The glossary contains definitions of all the terms listed in the "Definition of Key Terms" section at the conclusion of Chapters 1 through 15.

— Appendix C, "CCNA Security Exam Updates: Version 1.0": This appendix provides instructions for finding updates to the exam and this book when and if they occur.

— Appendix D, "Memory Tables": This CD-only appendix contains the key tables and lists from each chapter, with some of the contents removed. You can print this appendix and, as a memory exercise, complete the tables and lists. The goal is to help you memorize facts that can be useful on the exams. This appendix is available in PDF format on the CD; it is not in the printed book.

— Appendix E, "Memory Tables Answer Key": This CD-only appendix contains the answer key for the memory tables in Appendix D. This appendix is available in PDF format on the CD; it is not in the printed book.

How to Use This Book to Prepare for the IINS Exam

Using this book to prepare for the IINS exam is pretty straightforward—read each chapter in succession, and follow the study suggestions in Chapter 16, "Final Preparation."

For the core chapters of this book (Chapters 1 through 15), you do have some choices about how much of the chapter you read. In some cases, you may already know most or all of the information covered in a given chapter. To help you decide how much time to spend on each chapter, the chapters begin with a "Do I Know This Already?" quiz. If you get all the quiz questions correct, or you miss just one question, you may want to skip to the end of the chapter and the "Exam Preparation Tasks" section, and do those activities. Figure I-1 shows the overall plan.

Figure I-1  How to Approach Each Chapter of This Book

When you have completed Chapters 1 through 15, you can use Chapter 16 for exam preparation guidance. That chapter includes the following suggestions:

  • Check http://www.ciscopress.com for the latest copy of Appendix C, which may include additional topics for study.

  • Repeat the tasks in all the chapters' "Exam Preparation Tasks" chapter-ending section.

  • Review all DIKTA questions using the exam engine.

  • Practice for the exam using the exam engine.

This book is broken into parts and chapters that address the key areas of the IINS exam. Each chapter begins with a series of "Do I Know This Already?" questions. You should work through these to get a sense of your current knowledge of the subject matter being discussed. Each chapter contains memory tables that you should work through. At the end of each chapter is a list of all the key topics, as well as terms central to the topic. It is a good idea to focus on these key topic areas and to be familiar with all the terms listed in each chapter. After you have completed this book, you may further prepare for the exam and test your knowledge by working through the practice exam on the CD. Tracking your score on the practice exam and noting areas of weakness will allow you to review these areas in the text to further solidify your knowledge before the actual IINS exam.

For More Information

If you have any comments about this book, you can submit them at http://www.ciscopress.com. Just go to the website, click Contact Us, and enter your message.

Cisco might occasionally make changes that affect the CCNA Security certification. You should always check http://www.cisco.com/go/certification for the latest details.

© Copyright Pearson Education. All rights reserved.


Table of Contents

Foreword

Introduction

Part I Network Security Concepts

Chapter 1 Understanding Network Security Principles

“Do I Know This Already?” Quiz

Foundation Topics

Exploring Security Fundamentals

Why Network Security Is a Necessity

Types of Threats

Scope of the Challenge

Nonsecured Custom Applications

The Three Primary Goals of Network Security

Confidentiality

Integrity

Availability

Categorizing Data

Classification Models

Classification Roles

Controls in a Security Solution

Responding to a Security Incident

Legal and Ethical Ramifications

Legal Issues to Consider

Understanding the Methods of Network Attacks

Vulnerabilities

Potential Attackers

The Mind-set of a Hacker

Defense in Depth

Understanding IP Spoofing

Launching a Remote IP Spoofing Attack with IP Source Routing

Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack

Protecting Against an IP Spoofing Attack

Understanding Confidentiality Attacks

Understanding Integrity Attacks

Understanding Availability Attacks

Best-Practice Recommendations

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Chapter 2 Developing a Secure Network

“Do I Know This Already?” Quiz

Foundation Topics

Increasing Operations Security

System Development Life Cycle 49

Initiation 49

Acquisition and Development 49

Implementation 50

Operations and Maintenance 50

Disposition 51

Operations Security Overview 51

Evaluating Network Security 52

Nmap 54

Disaster Recovery Considerations 55

Types of Disruptions 56

Types of Backup Sites 56

Constructing a Comprehensive Network Security Policy 57

Security Policy Fundamentals 57

Security Policy Components 58

Governing Policy 58

Technical Policies 58

End-User Policies 59

More-Detailed Documents 59

Security Policy Responsibilities 59

Risk Analysis, Management, and Avoidance 60

Quantitative Analysis 60

Qualitative Analysis 61

Risk Analysis Benefits 61

Risk Analysis Example: Threat Identification 61

Managing and Avoiding Risk 62

Factors Contributing to a Secure Network Design 62

Design Assumptions 63

Minimizing Privileges 63

Simplicity Versus Complexity 64

User Awareness and Training 64

Creating a Cisco Self-Defending Network 66

Evolving Security Threats 66

Constructing a Cisco Self-Defending Network 67

Cisco Security Management Suite 69

Cisco Integrated Security Products 70

Exam Preparation Tasks 74

Review All the Key Topics 74

Complete the Tables and Lists from Memory 75

Definition of Key Terms 75

Chapter 3 Defending the Perimeter 77

“Do I Know This Already?” Quiz 77

Foundation Topics 81

ISR Overview and Providing Secure Administrative Access 81

IOS Security Features 81

Cisco Integrated Services Routers 81

Cisco 800 Series 82

Cisco 1800 Series 83

Cisco 2800 Series 84

Cisco 3800 Series 84

ISR Enhanced Features 85

Password-Protecting a Router 86

Limiting the Number of Failed Login Attempts 92

Setting a Login Inactivity Timer 92

Configuring Privilege Levels 93

Creating Command-Line Interface Views 93

Protecting Router Files 95

Enabling Cisco IOS Login Enhancements for Virtual Connections 96

Creating a Banner Message 98

Cisco Security Device Manager Overview 99

Introducing SDM 99

Preparing to Launch Cisco SDM

Exploring the Cisco SDM Interface

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Command Reference to Check Your Memory

Chapter 4 Configuring AAA

“Do I Know This Already?” Quiz

Foundation Topics

Configuring AAA Using the Local User Database

Authentication, Authorization, and Accounting

AAA for Cisco Routers

Router Access Authentication

Using AAA to Configure Local User Database Authentication

Defining a Method List

Setting AAA Authentication for Login

Configuring AAA Authentication on Serial Interfaces Running PPP

Using the aaa authentication enable default Command

Implementing the aaa authorization Command

Working with the aaa accounting Command

Using the CLI to Troubleshoot AAA for Cisco Routers

Using Cisco SDM to Configure AAA

Configuring AAA Using Cisco Secure ACS

Overview of Cisco Secure ACS for Windows

Additional Features of Cisco Secure ACS 4.0 for Windows

Cisco Secure ACS 4.0 for Windows Installation

Overview of TACACS+ and RADIUS

TACACS+ Authentication

Command Authorization with TACACS+

TACACS+ Attributes

Authentication and Authorization with RADIUS

RADIUS Message Types

RADIUS Attributes

Features of RADIUS

Configuring TACACS+

Using the CLI to Configure AAA Login Authentication on Cisco Routers

Configuring Cisco Routers to Use TACACS+ Using the Cisco SDM

Defining the AAA Servers

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Command Reference to Check Your Memory

Chapter 5 Securing the Router

“Do I Know This Already?” Quiz

Foundation Topics

Locking Down the Router

Identifying Potentially Vulnerable Router Interfaces and Services

Locking Down a Cisco IOS Router

AutoSecure

Cisco SDM One-Step Lockdown

Using Secure Management and Reporting

Planning for Secure Management and Reporting

Secure Management and Reporting Architecture

Configuring Syslog Support

Securing Management Traffic with SNMPv3

Enabling Secure Shell on a Router

Using Cisco SDM to Configure Management Features

Configuring Syslog Logging with Cisco SDM

Configuring SNMP with Cisco SDM

Configuring NTP with Cisco SDM

Configuring SSH with Cisco SDM

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Command Reference to Check Your Memory

Part II Constructing a Secure Infrastructure

Chapter 6 Securing Layer 2 Devices

“Do I Know This Already?” Quiz

Foundation Topics

Defending Against Layer 2 Attacks

Review of Layer 2 Switch Operation

Basic Approaches to Protecting Layer 2 Switches

Preventing VLAN Hopping

Switch Spoofing

Double Tagging

Protecting Against an STP Attack

Combating DHCP Server Spoofing

Using Dynamic ARP Inspection

Mitigating CAM Table Overflow Attacks

Spoofing MAC Addresses

Additional Cisco Catalyst Switch Security Features

Using the SPAN Feature with IDS

Enforcing Security Policies with VACLs

Isolating Traffic Within a VLAN Using Private VLANs

Traffic Policing

Notifying Network Managers of CAM Table Updates

Port Security Configuration

Configuration Recommendations

Cisco Identity-Based Networking Services

Introduction to Cisco IBNS

Overview of IEEE 802.1x

Extensible Authentication Protocols

EAP-MD5

EAP-TLS

PEAP (MS-CHAPv2)

EAP-FAST

Combining IEEE 802.1x with Port Security Features

Using IEEE 802.1x for VLAN Assignment

Configuring and Monitoring IEEE 802.1x

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Command Reference to Check Your Memory

Chapter 7 Implementing Endpoint Security

“Do I Know This Already?” Quiz

Foundation Topics

Examining Endpoint Security

Defining Endpoint Security

Examining Operating System Vulnerabilities

Examining Application Vulnerabilities

Understanding the Threat of Buffer Overflows

Buffer Overflow Defined

The Anatomy of a Buffer Overflow Exploit

Understanding the Types of Buffer Overflows

Additional Forms of Attack

Securing Endpoints with Cisco Technologies

Understanding IronPort

The Architecture Behind IronPort

Examining the Cisco NAC Appliance

Working with the Cisco Security Agent

Understanding Cisco Security Agent Interceptors

Examining Attack Response with the Cisco Security Agent

Best Practices for Securing Endpoints

Application Guidelines

Apply Application Protection Methods

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Chapter 8 Providing SAN Security

“Do I Know This Already?” Quiz

Foundation Topics

Overview of SAN Operations

Fundamentals of SANs

Organizational Benefits of SAN Usage

Understanding SAN Basics

Fundamentals of SAN Security

Classes of SAN Attacks

Implementing SAN Security Techniques

Using LUN Masking to Defend Against Attacks

Examining SAN Zoning Strategies

Examining Soft and Hard Zoning

Understanding World Wide Names

Defining Virtual SANs

Combining VSANs and Zones

Identifying Port Authentication Protocols

Understanding DHCHAP

CHAP in Securing SAN Devices

Working with Fibre Channel Authentication Protocol

Understanding Fibre Channel Password Authentication Protocol

Assuring Data Confidentiality in SANs

Incorporating Encapsulating Security Payload (ESP)

Providing Security with Fibre Channel Security Protocol

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Chapter 9 Exploring Secure Voice Solutions

“Do I Know This Already?” Quiz

Foundation Topics

Defining Voice Fundamentals

Defining VoIP

The Need for VoIP

VoIP Network Components

VoIP Protocols

Identifying Common Voice Vulnerabilities

Attacks Targeting Endpoints

VoIP Spam

Vishing and Toll Fraud

SIP Attack Targets

Securing a VoIP Network

Protecting a VoIP Network with Auxiliary VLANs

Protecting a VoIP Network with Security Appliances

Hardening Voice Endpoints and Application Servers

Summary of Voice Attack Mitigation Techniques

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Chapter 10 Using Cisco IOS Firewalls to Defend the Network

“Do I Know This Already?” Quiz

Foundation Topics

Exploring Firewall Technology

The Role of Firewalls in Defending Networks

The Advance of Firewall Technology

Transparent Firewalls

Application Layer Firewalls

Benefits of Using Application Layer Firewalls

Working with Application Layer Firewalls

Application Firewall Limitations

Static Packet-Filtering Firewalls

Stateful Packet-Filtering Firewalls

Stateful Packet Filtering and the State Table

Disadvantages of Stateful Filtering

Uses of Stateful Packet-Filtering Firewalls

Application Inspection Firewalls

Application Inspection Firewall Operation

Effective Use of an Application Inspection Firewall

Overview of the Cisco ASA Adaptive Security Appliance

The Role of Firewalls in a Layered Defense Strategy

Creating an Effective Firewall Policy

Using ACLs to Construct Static Packet Filters

The Basics of ACLs

Cisco ACL Configuration

Working with Turbo ACLs

Developing ACLs

Using the CLI to Apply ACLs to the Router Interface

Considerations When Creating ACLs

Filtering Traffic with ACLs

Preventing IP Spoofing with ACLs

Restricting ICMP Traffic with ACLs

Configuring ACLs to Filter Router Service Traffic

vty Filtering

SNMP Service Filtering

RIPv2 Route Filtering

Grouping ACL Functions

Implementing a Cisco IOS Zone-Based Firewall

Understanding Cisco IOS Firewalls

Traffic Filtering

Traffic Inspection

The Role of Alerts and Audit Trails

Classic Firewall Process

SPI and CBAC

Examining the Principles Behind Zone-Based Firewalls

Changes to Firewall Configuration

Zone Membership Rules

Understanding Security Zones

Zones and Inspection

Security Zone Restrictions

Working with Zone Pairs

Security Zone Firewall Policies

Class Maps

Verifying Zone-Based Firewall Configuration

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Command Reference to Check Your Memory

Chapter 11 Using Cisco IOS IPS to Secure the Network

“Do I Know This Already?” Quiz

Foundation Topics

Examining IPS Technologies

IDS Versus IPS

IDS and IPS Device Categories

Detection Methods

Network-Based Versus Host-Based IPS

Deploying Network-Based and Host-Based Solutions

IDS and IPS Appliances

Cisco IDS 4215 Sensor

Cisco IPS 4240 Sensor

Cisco IPS 4255 Sensor

Cisco IPS 4260 Sensor

Signatures

Exploit Signatures

Connection Signatures

String Signatures

Denial-of-Service Signatures

Signature Definition Files

Alarms

Using SDM to Configure Cisco IOS IPS

Launching the Intrusion Prevention Wizard

IPS Policies Wizard

Creating IPS Rules

Manipulating Global IPS Settings

Signature Configuration

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Part III Extending Security and Availability with Cryptography and VPNs

Chapter 12 Designing a Cryptographic Solution

“Do I Know This Already?” Quiz

Foundation Topics

Introducing Cryptographic Services

Understanding Cryptology

Cryptography Through the Ages

The Substitution Cipher

The Vigenère Cipher

Transposition Ciphers

Working with the One-Time Pad

The Encryption Process

Cryptanalysis

Understanding the Features of Encryption Algorithms

Symmetric and Asymmetric Encryption Algorithms

Encryption Algorithms and Keys

Symmetric Encryption Algorithms

Asymmetric Encryption Algorithms

The Difference Between Block and Stream Ciphers

Block Ciphers

Stream Ciphers

Exploring Symmetric Encryption

Functionality of Symmetric Encryption Algorithms

Key Lengths

Features and Functions of DES

Working with the DES Key

Modes of Operation for DES

Working with DES Stream Cipher Modes

Usage Guidelines for Working with DES

Understanding How 3DES Works

Encrypting with 3DES

AES

The Rijndael Cipher

Comparing AES and 3DES

Availability of AES in the Cisco Product Line

SEAL

SEAL Restrictions

The Rivest Ciphers

Understanding Security Algorithms

Selecting an Encryption Algorithm

Understanding Cryptographic Hashes

Working with Hashing

Designing Key Management

Components of Key Management

Understanding Keyspaces

Issues Related to Key Length

SSL VPNs

Establishing an SSL Tunnel

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Chapter 13 Implementing Digital Signatures

“Do I Know This Already?” Quiz

Foundation Topics

Examining Hash Algorithms

Exploring Hash Algorithms and HMACs

Anatomy of a Hash Function

Application of Hash Functions

Cryptographic Hash Functions

Application of Cryptographic Hashes

HMAC Explained

MD5 Features and Functionality

Origins of MD5

Vulnerabilities of MD5

Usage of MD5

SHA-1 Features and Functionality

Overview of SHA-1

Vulnerabilities of SHA-1

Usage of SHA-1

Using Digital Signatures

Understanding Digital Signatures

Digital Signature Scheme

Authentication and Integrity

Examining RSA Signatures

Exploring the History of RSA

Understanding How RSA Works

Encrypting and Decrypting Messages with RSA

Signing Messages with RSA

Vulnerabilities of RSA

Exploring the Digital Signature Standard

Using the DSA Algorithm

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Chapter 14 Exploring PKI and Asymmetric Encryption

“Do I Know This Already?” Quiz

Foundation Topics

Understanding Asymmetric Algorithms

Exploring Asymmetric Encryption Algorithms

Using Public-Key Encryption to Achieve Confidentiality

Providing Authentication with a Public Key

Understanding the Features of the RSA Algorithm

Working with RSA Digital Signatures

Guidelines for Working with RSA

Examining the Features of the Diffie-Hellman Key Exchange Algorithm

Steps of the Diffie-Hellman Key Exchange Algorithm

Working with a PKI

Examining the Principles Behind a PKI

Understanding PKI Terminology

Components of a PKI

Classes of Certificates

Examining the PKI Topology of a Single Root CA

Examining the PKI Topology of Hierarchical CAs

Examining the PKI Topology of Cross-Certified CAs

Understanding PKI Usage and Keys

Working with PKI Server Offload

Understanding PKI Standards

Understanding X.509v3

Understanding Public Key Cryptography Standards (PKCS)

Understanding Simple Certificate Enrollment Protocol (SCEP)

Exploring the Role of Certificate Authorities and Registration Authorities in a PKI

Examining Identity Management

Retrieving the CA Certificate

Understanding the Certificate Enrollment Process

Examining Authentication Using Certificates

Examining Features of Digital Certificates and CAs

Understanding the Caveats of Using a PKI

Understanding How Certificates Are Employed

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Chapter 15 Building a Site-to-Site IPsec VPN Solution

“Do I Know This Already?” Quiz

Foundation Topics

Exploring the Basics of IPsec

Introducing Site-to-Site VPNs

Overview of IPsec

IKE Modes and Phases

Authentication Header and Encapsulating Security Payload

Cisco VPN Product Offerings

Cisco VPN-Enabled Routers and Switches

Cisco VPN 3000 Series Concentrators

Cisco ASA 5500 Series Appliances

Cisco 500 Series PIX Security Appliances

Hardware Acceleration Modules

VPN Design Considerations and Recommendations

Best-Practice Recommendations for Identity and IPsec Access Control

Best-Practice Recommendations for IPsec

Best-Practice Recommendations for Network Address Translation

Best-Practice Recommendations for Selecting a Single-Purpose Versus Multipurpose Device

Constructing an IPsec Site-to-Site VPN

The Five Steps in the Life of an IPsec Site-to-Site VPN

The Five Steps of Configuring an IPsec Site-to-Site VPN

Configuring an IKE Phase 1 Tunnel

Configuring an IKE Phase 2 Tunnel

Applying Crypto Maps

Using Cisco SDM to Configure IPsec on a Site-to-Site VPN

Introduction to the Cisco SDM VPN Wizard

Quick Setup

Step-by-Step Setup

Configuring Connection Settings

Selecting an IKE Proposal

Selecting a Transform Set

Selecting Traffic to Protect in the IPsec Tunnel

Applying the Generated Configuration

Monitoring the Configuration

Exam Preparation Tasks

Review All the Key Topics

Complete the Tables and Lists from Memory

Definition of Key Terms

Command Reference to Check Your Memory

Part IV Final Preparation

Chapter 16 Final Preparation

Exam Engine and Questions on the CD

Install the Software from the CD

Activate and Download the Practice Exam

Activating Other Exams

Study Plan

Recall the Facts

Use the Exam Engine

Choosing Study or Simulation Mode

Passing Scores for the IINS Exam

Part V Appendixes

Appendix A Answers to “Do I Know This Already?” Questions

Appendix B Glossary

Appendix C CCNA Security Exam Updates: Version 1.0

Appendix D Memory Tables (CD only)

Appendix E Memory Tables Answer Key (CD only)

1587202204 TOC 5/19/2008


Preface

Introduction

Congratulations on your decision to pursue a Cisco Certification! If you're reading far enough to look at the introduction to this book, you likely already have a sense of what you ultimately would like to achieve—the Cisco CCNA Security certification. Achieving Cisco CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco certifications are recognized throughout the networking industry as a rigorous test of a candidate's knowledge of and ability to work with Cisco technology. Through its quality technologies, Cisco has garnered a significant market share in the router and switch marketplace, with more than 80 percent market share in some markets. For many industries and markets around the world, networking equals Cisco. Cisco certification will set you apart from the crowd and allow you to display your knowledge as a networking security professional.

Historically speaking, the first entry-level Cisco certification is the Cisco Certified Network Associate (CCNA) certification, first offered in 1998.

With the introduction of the CCNA Security certification, Cisco has for the first time provided an area of focus at the associate level. The CCNA Security certification is for networking professionals who work with Cisco security technologies and who want to demonstrate their mastery of core network security principles and technologies.

Format of the IINS Exam

The 640-553 IINS exam follows the same general format of other Cisco exams. When you get to the testing center and check in, the proctor gives you some general instructions and then takes you into a quiet room with a PC. When you're at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and the testing engine. If you have user-level PC skills, you should have no problems with the testing environment. Additionally, Chapter 16 points to a Cisco website where you can see a demo of the actual Cisco test engine.

When you start the exam, you are asked a series of questions. You answer the question and then move on to the next question. The exam engine does not let you go back and change your answer. When you move on to the next question, that's it for the earlier question.

The exam questions can be in one of the following formats:

  • Multiple-choice (MC)
  • Testlet
  • Drag-and-drop (DND)
  • Simulated lab (Sim)
  • Simlet

The first three types of questions are relatively common in many testing environments. The multiple-choice format simply requires that you point and click a circle beside the correct answer(s). Cisco traditionally tells you how many answers you need to choose, and the testing software prevents you from choosing too many answers. Testlets are questions with one general scenario, with multiple MC questions about the overall scenario. Drag-and-drop questions require you to click and hold, move a button or icon to another area, and release the mouse button to place the object somewhere else—typically in a list. For example, to get the question correct, you might need to put a list of five things in the proper order.

The last two types both use a network simulator to ask questions. Interestingly, these two types allow Cisco to assess two very different skills. Sim questions generally describe a problem, and your task is to configure one or more routers and switches to fix the problem. The exam then grades the question based on the configuration you changed or added. Sim questions are also the only question type for which Cisco (to date) has openly confirmed that partial credit is given.

The Simlet questions may well be the most difficult style of question on the exams. Simlet questions also use a network simulator, but instead of answering the question by changing the configuration, the question includes one or more MC questions. The questions require that you use the simulator to examine the current behavior of a network, interpreting the output of any show commands that you can remember to answer the question. Whereas Sim questions require you to troubleshoot problems related to a configuration, Simlets require you to analyze both working networks and networks with problems, correlating show command output with your knowledge of networking theory and configuration commands.

What's on the IINS Exam?

Cisco wants the public to know both the variety of topics and the kinds of knowledge and skills that are required for each topic, for every Cisco certification exam. To that end, Cisco publishes a set of exam topics for each exam. The topics list the specific subjects, such as ACLs, PKI, and AAA, that you will see on the exam. The wording of the topics also implies the kinds of skills required for that topic. For example, one topic might start with "Describe...", and another might begin with "Describe, configure, and troubleshoot...". The second objective clearly states that you need a thorough and deep understanding of that topic. By listing the topics and skill level, Cisco helps you prepare for the exam.

Although the exam topics are helpful, keep in mind that Cisco adds a disclaimer that the posted exam topics for all its certification exams are guidelines. Cisco makes an effort to keep the exam questions within the confines of the stated exam topics. I know from talking to those involved that every question is analyzed to ensure that it fits within the stated exam topics.

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com (http://www.cisco.com/go/certification). If Cisco later adds exam topics, you may go to http://www.ciscopress.com and download additional information about the newly added topics.

Table I-1 640-553 IINS Exam Topics

| Reference Number | Exam Topic | Book Part(s) Where Topic Is Covered |
|---|---|---|
| 1.0 | Describe the security threats facing modern network infrastructures | |
| 1.1 | Describe and mitigate the common threats to the physical installation | I |
| 1.2 | Describe and list mitigation methods for common network attacks | I |
| 1.3 | Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks | II |
| 1.4 | Describe the main activities in each phase of a secure network lifecycle | I |
| 1.5 | Explain how to meet the security needs of a typical enterprise with a comprehensive security policy | I |
| 1.6 | Describe the Cisco Self Defending Network architecture | I |
| 1.7 | Describe the Cisco security family of products and their interactions | I, II, III |
| 2.0 | Secure Cisco routers | |
| 2.1 | Secure Cisco routers using the SDM Security Audit feature | I |
| 2.2 | Use the One-Step Lockdown feature in SDM to secure a Cisco router | I |
| 2.3 | Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements | I |
| 2.4 | Secure administrative access to Cisco routers by configuring multiple privilege levels | I |
| 2.5 | Secure administrative access to Cisco routers by configuring role based CLI | I |
| 2.6 | Secure the Cisco IOS image and configuration file | I |
| 3.0 | Implement AAA on Cisco routers using local router database and external ACS | |
| 3.1 | Explain the functions and importance of AAA | I |
| 3.2 | Describe the features of TACACS+ and RADIUS AAA protocols | I |
| 3.3 | Configure AAA authentication | I |
| 3.4 | Configure AAA authorization | I |
| 3.5 | Configure AAA accounting | I |
| 4.0 | Mitigate threats to Cisco routers and networks using ACLs | |
| 4.1 | Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets | II |
| 4.2 | Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI | II |
| 4.3 | Configure IP ACLs to prevent IP address spoofing using CLI | II |
| 4.4 | Discuss the caveats to be considered when building ACLs | II |
| 5.0 | Implement secure network management and reporting | |
| 5.1 | Describe the factors to be considered when planning for secure management and reporting of network devices | I |
| 5.2 | Use CLI and SDM to configure SSH on Cisco routers to enable secured management access | I |
| 5.3 | Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server | I |
| 5.4 | Describe SNMPv3 and NTPv3 | I |
| 6.0 | Mitigate common Layer 2 attacks | |
| 6.1 | Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features | II |
| 7.0 | Implement the Cisco IOS firewall feature set using SDM | |
| 7.1 | Describe the operational strengths and weaknesses of the different firewall technologies | II |
| 7.2 | Explain stateful firewall operations and the function of the state table | II |
| 7.3 | Implement Zone Based Firewall using SDM | II |
| 8.0 | Implement the Cisco IOS IPS feature set using SDM | |
| 8.1 | Define network based vs. host based intrusion detection and prevention | II |
| 8.2 | Explain IPS technologies, attack responses, and monitoring options | II |
| 8.3 | Enable and verify Cisco IOS IPS operations using SDM | II |
| 9.0 | Implement site-to-site VPNs on Cisco Routers using SDM | |
| 9.1 | Explain the different methods used in cryptography | III |
| 9.2 | Explain IKE protocol functionality and phases | III |
| 9.3 | Describe the building blocks of IPSec and the security functions it provides | III |
| 9.4 | Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM | III |

IINS Course Outlines

Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course: Implementing Cisco IOS Network Security (IINSv1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward passing the 640-553 IINS exam.

About the CCNA Security Official Exam Certification Guide

As mentioned earlier, Cisco has outlined the topics tested on the 640-553 IINS exam. This book maps to these topic areas and provides some background material to give context and to help you understand these topics.

This section lists this book's variety of features. A number of basic features included in this book are common to all Cisco Press Official Exam Certification Guides. These features are designed to help you prepare to pass the official certification exam, as well as help you learn relevant real-world concepts and procedures.

Objectives and Methods

The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam. In fact, if the primary objective of this book were different, the book's title would be misleading! However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job.

This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. So, this book does not try to help you pass the exams only by memorization, but by truly learning and understanding the topics. The CCNA Security certification is the foundation of the professional-level Cisco certification in security, the CCSP, so it is important that this book also help you truly learn the material. This book is designed to help you pass the CCNA Security exam by using the following methods:

  • Helping you discover which exam topics you have not mastered
  • Providing explanations and information to fill in your knowledge gaps
  • Supplying exercises that enhance your ability to recall and deduce the answers to test questions
  • Providing practice exercises on the topics and the testing process via test questions on the CD

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:

  • "Do I Know This Already?" quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter.
  • Foundation Topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter.
  • Exam Preparation Tasks: At the end of the "Foundation Topics" section of each chapter, the "Exam Preparation Tasks" section lists a series of study activities that you should do at the end of the chapter. Each chapter includes the activities that make the most sense for studying the topics in that chapter.
    — Review All the Key Topics: The Key Topic icon appears next to the most important items in the "Foundation Topics" section of the chapter. The Review All the Key Topics activity lists the Key Topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each Key Topic, so you should review these.

    — Complete the Tables and Lists from Memory: To help you memorize some lists of facts, many of the more important lists and tables from the chapter are included in a document on the CD. This document lists only partial information, allowing you to complete the table or list.

    — Definition of Key Terms: Although the exam may be unlikely to ask a question such as "Define this term," the CCNA exams do require that you learn and know a lot of networking terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.

    — Command Reference Tables: Some chapters cover a large number of configuration and EXEC commands. These tables list and describe the commands introduced in the chapter. For exam preparation, use these tables for reference, but also read them when performing the Exam Preparation Tasks to make sure you remember what all the commands do.

  • CD-based practice exam: The companion CD contains an exam engine (from Boson Software, http://www.boson.com) that includes two question databases. One database has a copy of all the "Do I Know This Already?" quiz questions from the book, and the other has unique exam-realistic questions. To further help you prepare for the exam, you can take a simulated IINS exam using the CD.

How This Book Is Organized

This book contains 15 core chapters—Chapters 1 through 15. Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics:

  • Part I: Network Security Concepts
    — Chapter 1, "Understanding Network Security Principles": This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed. You are also introduced to various threats targeting the security of your network.

    — Chapter 2, "Developing a Secure Network": This chapter explains the day-to-day procedures for deploying, maintaining, and retiring information security components. You are also provided with considerations and principles for authoring a security policy, in addition to creating user awareness of the security policy. Finally, this chapter describes the Cisco Self-Defending Network, which is Cisco's vision for security systems.

    — Chapter 3, "Defending the Perimeter": This chapter describes methods of securely accessing a router prompt for purposes of administration. Additionally, you are given an overview of the Cisco Integrated Services Router (ISR) line of routers. In this chapter you also examine the Cisco Security Device Manager (SDM) interface. The graphical interface provided by SDM allows administrators to configure a variety of router features using a collection of wizards, which use best-practice recommendations from the Cisco Technical Assistance Center (TAC).

    — Chapter 4, "Configuring AAA": This chapter explores the uses of AAA, including the components that make it up, as well as the steps necessary to successfully configure AAA using the local database. The role of Cisco ACS is also examined as it relates to configuring AAA, including a discussion of working with both RADIUS and TACACS+.

    — Chapter 5, "Securing the Router": This chapter discusses various router services that attackers might target. To help you harden the security of a router, this chapter also describes the AutoSecure feature and Cisco SDM's One-Step Lockdown feature. Next the chapter focuses on securing and monitoring router access using syslog, SSH, and SNMPv3 technologies. Finally, this chapter distinguishes between in-band and out-of-band network management and how to use Cisco SDM to configure a variety of management and monitoring features.

  • Part II: Constructing a Secure Infrastructure
    — Chapter 6, "Securing Layer 2 Devices": This chapter explains how Cisco Catalyst switches can be configured to mitigate several common Layer 2 attacks. Then you are introduced to how Cisco Identity-Based Networking Services (IBNS) uses IEEE 802.1x, RADIUS, and Extensible Authentication Protocol (EAP) technologies to selectively allow access to network resources based on user credentials.

    — Chapter 7, "Implementing Endpoint Security": This chapter examines a variety of threats faced by endpoints in a network environment and introduces a series of techniques that can be used to help safeguard systems from common operating system vulnerabilities. This chapter also explores various Cisco-specific technologies that may be used to defend endpoints from a variety of attacks. Specifically, technologies such as IronPort, the Cisco NAC Appliance, and the Cisco Security Agent are discussed.

    — Chapter 8, "Providing SAN Security": This chapter outlines the basics of SAN operation and looks at the benefits that a SAN brings to the enterprise as a whole. A variety of security mechanisms, such as LUN masking, SAN zoning, and port authentication, are also explored as steps that may be taken to safeguard data in a SAN environment.

    — Chapter 9, "Exploring Secure Voice Solutions": This chapter introduces you to voice over IP (VoIP) networks. You learn what business benefits VoIP offers, in addition to the components and protocols that support the transmission of packetized voice across a data network. You are made aware of specific threats targeting a VoIP network. Some threats (such as toll fraud) are found in traditional telephony networks, but others are specific to VoIP. Finally, this chapter identifies specific actions you can take to increase the security of VoIP networks. For example, you will consider how to use firewalls and VPNs to protect voice networks and how to harden the security of Cisco IP Phones and voice servers.

    — Chapter 10, "Using Cisco IOS Firewalls to Defend the Network": This chapter begins by exploring the evolution of firewall technology and the role of firewalls in constructing an overall network defense. This chapter also examines how to use access control lists (ACL) to construct a static packet-filtering mechanism for the enterprise environment. Finally, zone-based firewalls are discussed because they represent a significant advance in firewall technology. Their role in defending the network is examined.

    — Chapter 11, "Using Cisco IOS IPS to Secure the Network": This chapter distinguishes between intrusion detection and intrusion prevention. Various Intrusion Prevention System (IPS) appliances are introduced, and the concept of signatures is discussed. Also, this chapter examines how to configure a Cisco IOS router to act as an IPS sensor, as opposed to using, for example, a dedicated IPS appliance. Specifically, the configuration discussed uses a wizard available in the Cisco SDM interface.

  • Part III: Extending Security and Availability with Cryptography and VPNs
    — Chapter 12, "Designing a Cryptographic Solution": This chapter initially explores the basics of cryptographic services and looks at their evolution. This chapter also examines the use of symmetric encryption, including a variety of symmetric algorithms such as DES, 3DES, AES, SEAL, and various Rivest ciphers. This chapter concludes with a discussion of the encryption process and what makes for a strong, trustworthy encryption algorithm.

    — Chapter 13, "Implementing Digital Signatures": This chapter begins with a look at hash algorithms and explores their construction and usage. This includes a discussion of their relative strengths and weaknesses in practical application. The components that make up a digital signature are also explored in depth, along with a discussion of their application as a means of proving a message's authenticity.

    — Chapter 14, "Exploring PKI and Asymmetric Encryption": This chapter looks at the use of asymmetric algorithms in a PKI and examines the features and capabilities of RSA specifically. The Diffie-Hellman (DH) algorithm is also discussed, with a focus on how it is used for key exchange. This chapter also explores the makeup of the PKI infrastructure and discusses the various components and topologies that may be employed.

    — Chapter 15, "Building a Site-to-Site IPsec VPN Solution": This chapter introduces you to an IPsec virtual private network (VPN) and its components. Additionally, you explore specific devices in the Cisco VPN product family. Then you are presented with Cisco best-practice recommendations for VPNs. This chapter then walks you through the process of configuring an IPsec site-to-site VPN on an IOS router, using both the command-line interface and the Cisco Security Device Manager (SDM) interface.

  • Part IV: Final Preparation
    — Chapter 16, "Final Preparation": This chapter identifies tools for final exam preparation and helps you develop an effective study plan.

  • Part V: Appendixes
    — Appendix A, "Answers to the 'Do I Know This Already?' Questions": Includes the answers to all the questions from Chapters 1 through 15.

    — Appendix B, "Glossary": The glossary contains definitions of all the terms listed in the "Definition of Key Terms" section at the conclusion of Chapters 1 through 15.

    — Appendix C, "CCNA Security Exam Updates: Version 1.0": This appendix provides instructions for finding updates to the exam and this book when and if they occur.

    — Appendix D, "Memory Tables": This CD-only appendix contains the key tables and lists from each chapter, with some of the contents removed. You can print this appendix and, as a memory exercise, complete the tables and lists. The goal is to help you memorize facts that can be useful on the exams. This appendix is available in PDF format on the CD; it is not in the printed book.

    — Appendix E, "Memory Tables Answer Key": This CD-only appendix contains the answer key for the memory tables in Appendix D. This appendix is available in PDF format on the CD; it is not in the printed book.

How to Use This Book to Prepare for the IINS Exam

Using this book to prepare for the IINS exam is pretty straightforward—read each chapter in succession, and follow the study suggestions in Chapter 16, "Final Preparation."

For the core chapters of this book (Chapters 1 through 15), you do have some choices about how much of the chapter you read. In some cases, you may already know most or all of the information covered in a given chapter. To help you decide how much time to spend on each chapter, the chapters begin with a "Do I Know This Already?" quiz. If you get all the quiz questions correct, or you miss just one question, you may want to skip to the end of the chapter and the "Exam Preparation Tasks" section, and do those activities. Figure I-1 shows the overall plan.

Figure I-1: How to Approach Each Chapter of This Book

When you have completed Chapters 1 through 15, you can use Chapter 16 for exam preparation guidance. That chapter includes the following suggestions:

  • Check http://www.ciscopress.com for the latest copy of Appendix C, which may include additional topics for study.
  • Repeat the tasks in every chapter's chapter-ending "Exam Preparation Tasks" section.
  • Review all DIKTA questions using the exam engine.
  • Practice for the exam using the exam engine.

This book is broken into parts and chapters that address the key areas of the IINS exam. Each chapter begins with a series of "Do I Know This Already?" questions. You should work through these to get a sense of your current knowledge of the subject matter being discussed. Each chapter contains memory tables that you should work through. At the end of each chapter is a list of all the key topics, as well as terms central to the topic. It is a good idea to focus on these key topic areas and to be familiar with all the terms listed in each chapter. After you have completed this book, you may further prepare for the exam and test your knowledge by working through the practice exam on the CD. Tracking your score on the practice exam and noting areas of weakness will allow you to review these areas in the text to further solidify your knowledge before the actual IINS exam.

For More Information

If you have any comments about this book, you can submit them at http://www.ciscopress.com. Just go to the website, click Contact Us, and enter your message.

Cisco might occasionally make changes that affect the CCNA Security certification. You should always check http://www.cisco.com/go/certification for the latest details.

© Copyright Pearson Education. All rights reserved.
