
CCSP Complete Study Guide (642-501, 642-511, 642-521, 642-531, 642-541) / Edition 1

Hardcover (Print)

Overview

The Most Comprehensive and Current CCSP Self-Study Solution on the Market!

Here's the comprehensive and economical self-study solution that will provide you with the knowledge and skills needed to approach the CCSP exams with confidence. This Study Guide was developed to meet the exacting requirements of today's certification candidates. In addition to the consistent and accessible instructional approach that has earned Sybex the reputation as the leading publisher for certification study guides, this book provides:

  • Clear and concise information on securing Cisco internetworks
  • Practical examples and insights drawn from real-world experience
  • Leading-edge exam preparation software, including a testing engine and electronic flashcards

And of course, you'll find in-depth coverage of all official objectives for all five exams required for the CCSP:

  • 642-501: Securing Cisco IOS Networks
  • 642-511: Cisco Secure VPN
  • 642-521: Cisco Secure PIX Firewall Advanced
  • 642-531: Cisco Secure Intrusion Detection System
  • 642-541: Cisco SAFE Implementation

Note: CD-ROM/DVD and other supplementary materials are not included as part of eBook file.


Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
It’s no longer enough to “know Cisco” -- you need a deep understanding of securing Cisco networks. The best way to demonstrate that knowledge is to earn your CCSP. Now one information-packed book preps you for all five CCSP exams: Sybex’s CCSP Complete Study Guide.

These 1,200-plus pages offer comprehensive and up-to-date security reviews covering IOS, VPNs, PIX Firewalls, intrusion detection, and Cisco’s latest SAFE security blueprint. You’ll find concise and readable coverage of everything from basic “AAA” security concepts to fighting rerouting attacks, configuring firewall signatures to implementing SAFE remote access network designs. And, of course, there’s a cornucopia of study help, including pre-assessment tests, six bonus exams on CD-ROM, and 500 multiplatform electronic flashcard questions. Bill Camarda, from the June 2005 Read Only


Product Details

  • ISBN-13: 9780782144222
  • Publisher: Wiley
  • Publication date: 3/28/2005
  • Edition description: Study Guid
  • Edition number: 1
  • Pages: 1213
  • Product dimensions: 7.70 (w) x 9.24 (h) x 2.10 (d)

Meet the Author

Wade Edwards, CCIE, has over 15 years of networking experience and has been actively involved in the computer industry for over 24 years.

Todd Lammle, CCNP is CEO and Chief Scientist of RouterSim, LLC and President of GlobalNet Training, Inc., and is the author of the best-selling CCNA: Cisco Certified Network Associate Study Guide from Sybex.

Tom Lancaster, CCIE, is a consultant with IBM Global Services.

Justin Menga, CCIE, is a Network Solutions Architect in the wireless and e-infrastructure field in New Zealand.

Eric Quinn, CCSI, CCNP + Voice is an Arizona-based instructor and security consultant.

Jason Rohm, CCIE, is a network consultant and adjunct instructor from Green Bay, Wisconsin.

Carl Timm, CCIE, has over 10 years of experience in the design and implementation of large scale IP-based internetworks.

Bryant Tow has over 15 years of experience in the IT industry as an instructor and entrepreneur.


Read an Excerpt

CCSP Complete Study Guide


By Todd Lammle

John Wiley & Sons

ISBN: 0-7821-4422-5


Chapter One

Introduction to Network Security

THE FOLLOWING SECUR EXAM TOPICS ARE COVERED IN THIS CHAPTER:

  • Introduction to network security
  • Creating a security policy
  • Reasons for creating a security policy
  • Security issues
  • Security threats

In a perfect world, network security would be as simple as installing some cool hardware or software onto your network, and voila! Your network is now Fort Knox. In the real world, you do this and then brace yourself so you don't make too much of a scene when the inevitable corporate security breach occurs. Frustrated, you say to yourself, "I really thought I took the necessary precautions -- I did everything I could!" This chapter will help you understand that there's more to network security than technology. Real network security requires understanding the inherent people and corporate policy issues as well.

News and stories about Internet identity theft, hackers jacking sensitive corporate information, and new viruses vaporizing hard drives left and right are definitely the hot topics du jour. Countless shadowy Internet users are spreading havoc from their computers, and it's really difficult -- sometimes impossible -- to track them down. So how do you protect yourself? Well, to begin addressing this problem, let's take a look at what Cisco says are the three main security issues that a corporate network faces today:

* Security is not just a technology problem. Administrators and users are the cause of many corporate security problems.

* Vast quantities of security technologies exist. Too many network administrators buy technology from a random advertisement they happen to read in a networking magazine. But simply throwing money at your security problems usually isn't the best solution. Predictably, many vendors would absolutely love it if they could succeed in making you believe otherwise!

* Many organizations lack a single, well-defined network-wide security policy. Some corporations don't even have a security policy -- no lie! Or worse, even if they do, each department has created its own security policy independently of the others. This is highly ineffective because it creates a myriad of security holes, leaving the network wide open to attacks in a number of places.

Anyone reading this book should be concerned with network security and interested in how a network can become truly secure using proper network policy. An effective network security policy involves a strategic combination of both hardware implementation and the proper corporate handling of information. This chapter will discuss the reasons for creating a corporate security policy. Understanding these reasons will provide you with a solid grasp of the Cisco SECUR exam objectives.

Let's move on to discuss the specific types of threats to which your network may be vulnerable.

Types of Network Security Threats

Sadly, human nature has a nasty side. And unfortunately, its lust for power, money, and revenge is sometimes aimed straight at your data. Although most of us aren't twisted, depraved, and ethically challenged, our fellow humans can and often do present serious threats to our network data. You must realize that you need to protect it. And you can -- but before you begin to secure your data, you must understand the different types of threats looming out there, just waiting for the opportunity to strike. Four primary threats to network security define the type of attacker you could be dealing with some day:

Unstructured threats: Unstructured threats typically originate from curious people who have downloaded information from the Internet and want to feel the sense of power this provides them. Sure, some of these folks -- commonly referred to as Script Kiddies -- can be pretty nasty, but most of them are just doing it for the rush and for bragging rights. They're untalented, inexperienced hackers, and they're motivated by the thrill of seeing what they can do.

Structured threats: Hackers who create structured threats are much more sophisticated than Script Kiddies. They're technically competent and calculating in their work, they usually understand network system design, and they're well versed in how to exploit routing and network vulnerabilities. They can and often do create hacking scripts that allow them to penetrate deep into a network's systems at will. They tend to be repeat offenders. Both structured and unstructured threats typically come from the Internet.

External threats: External threats typically come from people on the Internet or from someone who has found a hole in your network from the outside. These serious threats have become ubiquitous in the last six to seven years, during which time most companies began to show their presence on the Internet. External threats generally make their insidious way into your network via the Internet or via a dial-up server, where they try to gain access to your computer systems or network.

Internal threats: Internal threats come from users on your network, typically employees. These are probably the scariest of all threats because they're extremely tough to both catch and stop. And because these hackers are authorized to be on the network, they can do serious damage in less time because they're already in and they know their way around.

Plus, the profile of an internal threat is that of the disgruntled, angry, vengeful former or current employee, or even a contractor who wants nothing more than to cause real pain and suffering. Although most users know this type of activity is illegal, some users also know it's fairly easy to cause a lot of damage -- fast -- and that they have a shake at getting away with it. That can be a huge, irresistible temptation to those with the right modus operandi or the wrong temperament.

Types of Security Weaknesses

This is probably the most important section in this chapter, because it defines what security weaknesses are and how to understand inherent weaknesses in hardware, software, and people. Generally, there are three types of security weaknesses in any network implementation:

* Technology weaknesses

* Configuration weaknesses

* Policy weaknesses

Technology Weaknesses

Cisco defines a technology weakness as a protocol, operating system, or hardware weakness. By default, protocols, operating systems, and hardware typically aren't secure. Understanding their weaknesses can help you secure your network before you're attacked.

Technology weakness refers to the inadequacies of electronic systems, whether hardware or software. These weaknesses create a challenge for IT staff because most hardware and software used in a company were already installed when they started their job.

Let's break this category into three specific areas:

TCP/IP weaknesses: TCP/IP has intrinsic security weaknesses because it was designed as an open standard to facilitate network communication. The fact that TCP/IP is an open standard is the main reason for its vast popularity, but the open-standard nature of TCP/IP is also a reason why network attacks happen so easily and often -- many people are familiar with how TCP/IP works.

For example, the original Unix sendmail daemon allows access to the Unix root, which, in turn, allows access to the entire Unix system. By viewing the sendmail information, a hacker can lock, load, and launch attacks on vulnerabilities specific to the operating system version. (Special torture!)

Yes, TCP/IP has operating system weaknesses that need to be addressed, but what's worse is that TCP/IP has also created network equipment weaknesses such as password protection, lack of required authentication, its routing protocols (which advertise your entire network), and firewall holes.

Cisco likes to pick on two protocols in the TCP/IP stack as being inherently insecure: Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP). IP spoofing (masquerade attack), man-in-the-middle, and session replaying are specific examples of TCP/IP weaknesses.

Operating system weaknesses: Every operating system has weaknesses, but Microsoft Windows' weaknesses get top billing because most people use some version of Windows. To be fair, Unix and Linux have considerably fewer operating system weaknesses than Windows does, but they still have security issues that must be dealt with if you're running them on your network. It all comes down to a specific network's needs.

Network equipment weaknesses: All network equipment, such as servers, routers, switches, and so on, has inherent security weaknesses. But being armed with a well-defined policy for the configuration and installation of network equipment can help tremendously in reducing the effects of network equipment weaknesses.

It's recommended that the following policies be in place before any piece of network equipment is configured and installed: passwords, authentication, routing protocols, and firewalls.

Configuration Weaknesses

Here's where human error comes into the fray: It's the administrator who creates configuration weaknesses. You'd be surprised how often a network administrator either leaves equipment at a default setting or fails to secure the network administrator accounts. Some common "come hither and hack me" scenarios exposing your everyday corporate network include configuration flaws such as unsecured user accounts, system accounts with easily guessed passwords, misconfigured Internet services, unsecured default settings in products, and misconfigured network equipment.

Unsecured User Accounts

Using default administrator accounts with no passwords and God-like control over the network is definitely asking for trouble. Just don't do it! If you're running Microsoft Windows NT, make sure you rename the administrator account. Doing so ensures that any intruders will at least have a slightly harder time finding and breaking into your operating system.

Put some serious thought into which users are granted which rights and privileges, because if you don't, and you instead give away rights indiscriminately, chaos will ensue. Take the time to establish the rights each user really needs, and don't give them any more rights than are required to do their job.

Did you know that usernames and passwords are generally transmitted insecurely across the network? Ever hear of the Reconnaissance intruder -- you know, the guy or gal who likes to imagine that they're in the Internet Special Forces and their job is to find your network weakness and exploit it? (Funny how these people always think they're performing a public service when they steal your data and that you were so lucky it was only them who broke in and not some really bad person. They actually believe that they've helped you, because now you'll fix the weakness before a bad guy breaks in.) Clear passwords are the kind of cool stuff these snoopers spy for so they can use the information to gain access to your network later. As an administrator, be sure you define password policies that will help secure your network.

System Accounts with Easily Guessed Passwords

Another way to invite trouble is to assign system account passwords that are easy to guess. To avoid this blunder, the administrator needs to set up policies on your servers that won't allow certain kinds of passwords and that make sure each password has an expiration date.

Explicitly define a corporate policy for all users that makes it crystal clear that they can't use their name, their significant other's name, their child's name, their birth date, or any other excruciatingly obvious password -- even if they add something to it. It's also a great idea to have them mix lowercase and uppercase letters, numbers, and special characters into their passwords. Doing so helps defend your network against brute-force attacks that use dictionary files to guess passwords.
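The password rules described in this section can be enforced in code rather than left to user discipline. The following Python sketch is an added example, not part of the book excerpt; the profile layout, the look-alike substitution table, and the 90-day maximum age are assumptions chosen for illustration.

```python
import re
from datetime import date

# Undo common look-alike substitutions so "M@rc0" is still matched as "marco".
# The substitution table is an assumption of this example.
LOOKALIKES = str.maketrans("0134578@$", "oleastbas")

# Constructed sample profile: the user's own name, partner, child, birth date.
PROFILE = {
    "names": ["Dana Whitfield", "Marco", "Lily"],
    "birth_dates": [date(1985, 4, 12)],
}


def forbidden_terms(profile):
    """Build the name parts and date digit strings a password must not contain."""
    words = {part.lower() for name in profile["names"]
             for part in re.split(r"[^A-Za-z]+", name) if len(part) >= 3}
    digits = set()
    for born in profile["birth_dates"]:
        for fmt in ("%Y", "%m%d%Y", "%d%m%Y", "%Y%m%d",
                    "%m%d%y", "%d%m%y", "%m%d", "%d%m"):
            digits.add(born.strftime(fmt))
    return words, digits


def check_password(password, profile):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "number": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for label, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label}")

    words, digits = forbidden_terms(profile)
    lowered = password.lower()
    # Strip decoration so a name is caught "even if they add something to it".
    letters_plain = re.sub(r"[^a-z]", "", lowered)
    letters_decoded = re.sub(r"[^a-z]", "", lowered.translate(LOOKALIKES))
    only_digits = re.sub(r"\D", "", password)
    for word in sorted(words):
        if word in letters_plain or word in letters_decoded:
            problems.append(f"contains personal name '{word}'")
    if any(value in only_digits for value in digits):
        problems.append("contains birth date")
    return problems


def is_expired(last_changed, today, max_age_days=90):
    """True when the password is older than the allowed age (90 days assumed)."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for candidate in ("Lily2020!", "M@rc0#Xy", "Tq!0412vB", "gR7#pw!Zk2"):
        print(candidate, check_password(candidate, PROFILE) or "ok")
```
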

Misconfigured Internet Services

I know it's hard to believe, but some companies still use routable IP addresses on their network to address their hosts and servers. With the Network Address Translation (NAT) and Port Address Translation (PAT) services that are available now, there is absolutely no reason to use real IP addresses.

But you can use private IP addresses. These allow corporations -- and even single homes -- to use an IP address range that's blocked on the Internet. Doing so provides some security for corporations, whose real IP addresses on the border router allow routing from the Internet.

This isn't a magical cure, though. Ports need to be open on the router connecting the router interface to the Internet in order to allow users access to and from the Internet. This is the very hole in a firewall that attackers can and do exploit.

Don't get me wrong: By putting up a firewall -- the Cisco Secure Private Internet Exchange (PIX) Firewall is one of the best -- you can provide good security for your network by using conduits (which are basically secure connections) to open ports from the Internet to your servers. Is this bulletproof security? No, that doesn't exist; but the PIX box is good -- really good.

Another potential source of trouble and exposure is that some network administrators enable Java and JavaScript in their web browsers. Doing this makes it possible for hackers to attack you with hostile Java applets.

Unsecured Default Settings in Products

Tangling things further is the fact that many hardware products either ship with no password at all or make the password available so that the administrator can easily configure the device. On one hand, this really does make life easier -- some devices are meant to be plug-and-play. For example, Cisco switches are plug-and-play because Cisco wants you to be able to replace your hubs and instantly make your network better. (And it works, too.) But you definitely need to put a password on that switch, or an attacker could easily break in.

Cisco gave this issue some thought and is a step ahead in solving the problem. Cisco routers and switches won't allow Telnet sessions into them without some type of login configuration on the device. But this cool feature does nothing to guard against other types of break-in attempts, such as what the "Internet Special Forces" are trying to "protect" you from.

This is one reason why it's a good idea to establish a configuration security policy on each device before any new equipment is installed on your network.

Misconfigured Network Equipment

Misconfigured network equipment is another exploitable flaw. Weak passwords, no security policy, and unsecured user accounts can all be part of misconfigured network equipment policies.

Hardware and the protocols that run on it can also create security holes in your network. If you don't have a policy that describes the hardware and the protocols that run on each piece of equipment, hackers could be breaking in without your being aware that you've been attacked until it's too late.

Here's a huge problem: If you use SNMP default settings, tons of information about your network can be deciphered simply and quickly. So, make sure you either disable SNMP or change the default SNMP community strings. These strings are basically passwords for gathering SNMP data.
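A configuration review can catch default community strings before a device goes into service. The following Python sketch is an added example, not part of the book excerpt: it scans a constructed Cisco IOS configuration for `snmp-server community` lines, and it goes slightly beyond the text by also reporting read-write communities and communities with no access list. The names `public` and `private` are assumed here as the conventional defaults; the excerpt does not list them.

```python
import re

# Conventional default community names (assumption: not named in the excerpt).
DEFAULT_COMMUNITIES = {"public", "private"}

# snmp-server community <string> [view <name>] [ro|rw] [<access-list>]
SNMP_LINE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Rd-7f RO 10
snmp-server location constructed sample
!
access-list 10 permit 192.0.2.10
"""


def audit_snmp(config_text):
    """Return (line_number, community, issue) tuples for risky SNMP settings."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        match = SNMP_LINE.match(raw.strip())
        if not match:
            continue
        name = match["name"]
        # A community with no ro/rw keyword is read-only.
        mode = (match["mode"] or "ro").lower()
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((number, name, "default-string"))
        if mode == "rw":
            findings.append((number, name, "read-write"))
        if match["acl"] is None:
            findings.append((number, name, "no-acl"))
    return findings


if __name__ == "__main__":
    for line_number, community, issue in audit_snmp(SAMPLE_CONFIG):
        print(f"line {line_number}: community '{community}': {issue}")
```
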

Policy Weaknesses

You know by now that your corporate network security policy describes how and where security will be implemented within your network. And you understand that your policy should include information about how those configuration policies will be or have been initiated-right?

Let's take a moment to clarify solid security policy by identifying the characteristics that contaminate bad policies.

(Continues...)



Excerpted from CCSP Complete Study Guide by Todd Lammle Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

Introduction.

Securing Cisco IOS Networks Assessment Test 1.

Cisco Secure PIX Firewall Advanced Assessment Test 2.

Cisco Secure Virtual Private Networks Assessment Test 3.

Cisco Secure Intrusion Detection Systems Assessment Test 4.

Cisco SAFE Implementation Assessment Test 5.

Part I: Securing Cisco IOS Networks (SECUR).

Chapter 1: Introduction to Network Security.

Chapter 2: Introduction to AAA Security.

Chapter 3: Configuring Cisco Secure ACS and TACACS+.

Chapter 4: Cisco Perimeter Router Problems and Solutions.

Chapter 5: Context-Based Access Control Configuration.

Chapter 6: Cisco IOS Firewall Authentication and Intrusion Detection.

Chapter 7: Understanding Cisco IOS IPSec Support.

Chapter 8: Cisco IOS IPSec Pre-shared Keys and Certificate Authority Support.

Chapter 9: Cisco IOS Remote Access Using Cisco Easy VPN.

Part II: Cisco Secure PIX Firewall Advanced.

Chapter 10: PIX Firewall Basics.

Chapter 11: PIX Firewall Configuration.

Chapter 12: ACLs, Filtering, Object Grouping, and AAA.

Chapter 13: Advanced Protocol Handling, Attack Guards, and Intrusion Detection.

Chapter 14: Firewall Failover and PDM.

Chapter 15: VPNs and the PIX Firewall.

Part III: Cisco Secure Virtual Private Networks.

Chapter 16: Introduction to Virtual Private Networks.

Chapter 17: Introduction to Cisco VPN Devices.

Chapter 18: Configuring the VPN Concentrator.

Chapter 19: Managing the VPN Concentrator.

Part IV: Cisco Secure Intrusion Detection Systems.

Chapter 20: Introduction to Intrusion Detection and Protection.

Chapter 21: Installing Cisco Secure IDS Sensors and IDSMs.

Chapter 22: Configuring the Network to Support Cisco Secure IDS Sensors.

Chapter 23: Configuring Cisco Secure IDS Sensors Using the IDS Device Manager.

Chapter 24: Configuring Signatures and Using the IDS Event Viewer.

Chapter 25: Enterprise Cisco Secure IDS Management.

Chapter 26: Enterprise Cisco Secure IDS Monitoring.

Part V: Cisco SAFE Implementation.

Chapter 27: Security Fundamentals.

Chapter 28: The Cisco Security Portfolio.

Chapter 29: SAFE Small and Medium Network Designs.

Chapter 30: SAFE Remote Access Network Design.

Index.

