Read an Excerpt
Congratulations on your decision to pursue a Cisco Certification! If you're reading far enough to look at the introduction to this book, you likely already have a sense of what you ultimately would like to achievethe Cisco CCNA Security certification. Achieving Cisco CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco certifications are recognized throughout the networking industry as a rigorous test of a candidate's knowledge of and ability to work with Cisco technology. Through its quality technologies, Cisco has garnered a significant market share in the router and switch marketplace, with more than 80 percent market share in some markets. For many industries and markets around the world, networking equals Cisco. Cisco certification will set you apart from the crowd and allow you to display your knowledge as a networking security professional.
Historically speaking, the first entry-level Cisco certification is the Cisco Certified Network Associate (CCNA) certification, first offered in 1998.
With the introduction of the CCNA Security certification, Cisco has for the first time provided an area of focus at the associate level. The CCNA Security certification is for networking professionals who work with Cisco security technologies and who want to demonstrate their mastery of core network security principles and technologies.Format of the IINS Exam
The 640-553 IINS exam follows the same general format of other Cisco exams. When you get to the testing center and check in, the proctor gives you some general instructions and then takes you into a quiet room with a PC. When you're atthe PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and the testing engine. If you have user-level PC skills, you should have no problems with the testing environment. Additionally, Chapter 16 points to a Cisco website where you can see a demo of the actual Cisco test engine.
When you start the exam, you are asked a series of questions. You answer the question and then move on to the next question. The exam engine does not let you go back and change your answer. When you move on to the next question, that's it for the earlier question.
The exam questions can be in one of the following formats:
Simulated lab (Sim)
The first three types of questions are relatively common in many testing environments. The multiple-choice format simply requires that you point and click a circle beside the correct answer(s). Cisco traditionally tells you how many answers you need to choose, and the testing software prevents you from choosing too many answers. Testlets are questions with one general scenario, with multiple MC questions about the overall scenario. Drag-and-drop questions require you to click and hold, move a button or icon to another area, and release the mouse button to place the object somewhere elsetypically in a list. For example, to get the question correct, you might need to put a list of five things in the proper order.
The last two types both use a network simulator to ask questions. Interestingly, these two types allow Cisco to assess two very different skills. Sim questions generally describe a problem, and your task is to configure one or more routers and switches to fix the problem. The exam then grades the question based on the configuration you changed or added. Interestingly, Sim questions are the only questions that Cisco (to date) has openly confirmed that partial credit is given for.
The Simlet questions may well be the most difficult style of question on the exams. Simlet questions also use a network simulator, but instead of answering the question by changing the configuration, the question includes one or more MC questions. The questions require that you use the simulator to examine the current behavior of a network, interpreting the output of any show commands that you can remember to answer the question. Whereas Sim questions require you to troubleshoot problems related to a configuration, Simlets require you to analyze both working networks and networks with problems, correlating show command output with your knowledge of networking theory and configuration commands.What's on the IINS Exam?
Cisco wants the public to know both the variety of topics and the kinds of knowledge and skills that are required for each topic, for every Cisco certification exam. To that end, Cisco publishes a set of exam topics for each exam. The topics list the specific subjects, such as ACLs, PKI, and AAA, that you will see on the exam. The wording of the topics also implies the kinds of skills required for that topic. For example, one topic might start with "Describe...", and another might begin with "Describe, configure, and troubleshoot...". The second objective clearly states that you need a thorough and deep understanding of that topic. By listing the topics and skill level, Cisco helps you prepare for the exam.
Although the exam topics are helpful, keep in mind that Cisco adds a disclaimer that the posted exam topics for all its certification exams are guidelines. Cisco makes an effort to keep the exam questions within the confines of the stated exam topics. I know from talking to those involved that every question is analyzed to ensure that it fits within the stated exam topics.IINS Exam Topics
Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com (http://www.cisco.com/go/certification). If Cisco later adds exam topics, you may go to http://www.ciscopress.com and download additional information about the newly added topics.
Table I-1Å@640-553 IINS Exam Topics
Book Part(s) Where Topic Is Covered
Describe the security threats facing modern network infrastructures
Describe and mitigate the common threats to the physical installation
Describe and list mitigation methods for common network attacks
Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks
Describe the main activities in each phase of a secure network lifecycle
Explain how to meet the security needs of a typical enterprise with a comprehensive security policy
Describe the Cisco Self Defending Network architecture
Describe the Cisco security family of products and their interactions
I, II, III
Secure Cisco routers
Secure Cisco routers using the SDM Security Audit feature
Use the One-Step Lockdown feature in SDM to secure a Cisco router
Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements
Secure administrative access to Cisco routers by configuring multiple privilege levels
Secure administrative access to Cisco routers by configuring role based CLI
Secure the Cisco IOS image and configuration file
Implement AAA on Cisco routers using local router database and external ACS
Explain the functions and importance of AAA
Describe the features of TACACS+ and RADIUS AAA protocols
Configure AAA authentication
Configure AAA authorization
Configure AAA accounting
Mitigate threats to Cisco routers and networks using ACLs
Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets
Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
Configure IP ACLs to prevent IP address spoofing using CLI
Discuss the caveats to be considered when building ACLs
Implement secure network management and reporting
Describe the factors to be considered when planning for secure management and reporting of network devices
Use CLI and SDM to configure SSH on Cisco routers to enable secured management access
Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server
Describe SNMPv3 and NTPv3
Mitigate common Layer 2 attacks
Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features
Implement the Cisco IOS firewall feature set using SDM
Describe the operational strengths and weaknesses of the different firewall technologies
Explain stateful firewall operations and the function of the state table
Implement Zone Based Firewall using SDM
Implement the Cisco IOS IPS feature set using SDM
Define network based vs. host based intrusion detection and prevention
Explain IPS technologies, attack responses, and monitoring options
Enable and verify Cisco IOS IPS operations using SDM
Implement site-to-site VPNs on Cisco Routers using SDM
Explain the different methods used in cryptography
Explain IKE protocol functionality and phases
Describe the building blocks of IPSec and the security functions it provides
Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM
IINS Course Outlines
Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course: Implementing Cisco IOS Network Security (IINSv1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward passing the 640-553 IINS exam.About the CCNA Security Official Exam Certification Guide
As mentioned earlier, Cisco has outlined the topics tested on the 640-553 IINS exam. This book maps to these topic areas and provides some background material to give context and to help you understand these topics.
This section lists this book's variety of features. A number of basic features included in this book are common to all Cisco Press Official Exam Certification Guides. These features are designed to help you prepare to pass the official certification exam, as well as help you learn relevant real-world concepts and procedures.Objectives and Methods
The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam. In fact, if the primary objective of this book were different, the book's title would be misleading! However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job.
This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. So, this book does not try to help you pass the exams only by memorization, but by truly learning and understanding the topics. The CCNA Security certification is the foundation of the professional level Cisco certification in security, the CCSP, so it is important that this book also help you truly learn the material. This book is designed to help you pass the CCNA Security exam by using the following methods:
Helping you discover which exam topics you have not mastered
Providing explanations and information to fill in your knowledge gaps
Supplying exercises that enhance your ability to recall and deduce the answers to test questions
Providing practice exercises on the topics and the testing process via test questions on the CD
To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:
"Do I Know This Already?" quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter.
Foundation Topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter.
Exam Preparation Tasks: At the end of the "Foundation Topics" section of each chapter, the "Exam Preparation Tasks" section lists a series of study activities that you should do at the end of the chapter. Each chapter includes the activities that make the most sense for studying the topics in that chapter.
Review All the Key Topics: The Key Topic icon appears next to the most important items in the "Foundation Topics" section of the chapter. The Review All the Key Topics activity lists the Key Topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each Key Topic, so you should review these.
Complete the Tables and Lists from Memory: To help you memorize some lists of facts, many of the more important lists and tables from the chapter are included in a document on the CD. This document lists only partial information, allowing you to complete the table or list.
Definition of Key Terms: Although the exam may be unlikely to ask a question such as "Define this term," the CCNA exams do require that you learn and know a lot of networking terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.
Command Reference Tables: Some chapters cover a large number of configuration and EXEC commands. These tables list and describe the commands introduced in the chapter. For exam preparation, use these tables for reference, but also read them when performing the Exam Preparation Tasks to make sure you remember what all the commands do.
CD-based practice exam: The companion CD contains an exam engine (From Boson software, http://www.boson.com), that includes two question databases. One database has a copy of all the "Do I Know This Already?" quiz questions from the book, and the other has unique exam-realistic questions. To further help you prepare for the exam, you can take a simulated IINS exam using the CD.
This book contains 15 core chaptersChapters 1 through 15. Chapter 16 includes some preparation tips and suggestions for how to approach the exam. Each core chapter covers a subset of the topics on the IINS exam. The core chapters are organized into parts. They cover the following topics:
Part I: Network Security Concepts
Chapter 1, "Understanding Network Security Principles": This chapter explains the need for network security and discusses the elements of a secure network. Additionally, legal and ethical considerations are discussed. You are also introduced to various threats targeting the security of your network.
Chapter 2, "Developing a Secure Network": This chapter explains the day-to-day procedures for deploying, maintaining, and retiring information security components. You are also provided with considerations and principles for authoring a security policy, in addition to creating user awareness of the security policy. Finally, this chapter describes the Cisco Self-Defending Network, which is Cisco's vision for security systems.
Chapter 3, "Defending the Perimeter": This chapter describes methods of securely accessing a router prompt for purposes of administration. Additionally, you are given an overview of the Cisco Integrated Services Router (ISR) line of routers. In this chapter you also examine the Cisco Security Device Manager (SDM) interface. The graphical interface provided by SDM allows administrators to configure a variety of router features using a collection of wizards, which use best-practice recommendations from the Cisco Technical Assistance Center (TAC).
Chapter 4, "Configuring AAA": This chapter explores the uses of AAA, including the components that make it up, as well as the steps necessary to successfully configure AAA using the local database. The role of Cisco ACS is also examined as it relates to configuring AAA, including a discussion of working with both RADIUS and TACACS+.
Chapter 5, "Securing the Router": This chapter discusses various router services that attackers might target. To help you harden the security of a router, this chapter also describes the AutoSecure feature and Cisco SDM's One-Step Lockdown feature. Next the chapter focuses on securing and monitoring router access using syslog, SSH, and SNMPv3 technologies. Finally, this chapter distinguishes between in-band and out-of-band network management and how to use Cisco SDM to configure a variety of management and monitoring features.
Part II: Constructing a Secure Infrastructure
Chapter 6, "Securing Layer 2 Devices": This chapter explains how Cisco Catalyst switches can be configured to mitigate several common Layer 2 attacks. Then you are introduced to how Cisco Identity-Based Networking Services (IBNS) uses IEEE 802.1x, RADIUS, and Extensible Authentication Protocol (EAP) technologies to selectively allow access to network resources based on user credentials.
Chapter 7, "Implementing Endpoint Security": This chapter examines a variety of threats faced by endpoints in a network environment and introduces a series of techniques that can be used to help safeguard systems from common operating system vulnerabilities. This chapter also explores various Cisco-specific technologies that may be used to defend endpoints from a variety of attacks. Specifically, technologies such as IronPort, the Cisco NAC Appliance, and the Cisco Security Agent are discussed.
Chapter 8, "Providing SAN Security": This chapter outlines the basics of SAN operation and looks at the benefits that a SAN brings to the enterprise as a whole. A variety of security mechanisms, such as LUN masking, SAN zoning, and port authentication, are also explored as steps that may be taken to safeguard data in a SAN environment.
Chapter 9, "Exploring Secure Voice Solutions": This chapter introduces you to voice over IP (VoIP) networks. You learn what business benefits VoIP offers, in addition to the components and protocols that support the transmission of packetized voice across a data network. You are made aware of specific threats targeting a VoIP network. Some threats (such as toll fraud) are found in traditional telephony networks, but others are specific to VoIP. Finally, this chapter identifies specific actions you can take to increase the security of VoIP networks. For example, you will consider how to use firewalls and VPNs to protect voice networks and how to harden the security of Cisco IP Phones and voice servers.
Chapter 10, "Using Cisco IOS Firewalls to Defend the Network": This chapter begins by exploring the evolution of firewall technology and the role of firewalls in constructing an overall network defense. This chapter also examines how to use access control lists (ACL) to construct a static packet-filtering mechanism for the enterprise environment. Finally, zone-based firewalls are discussed because they represent a significant advance in firewall technology. Their role in defending the network is examined.
Chapter 11, "Using Cisco IOS IPS to Secure the Network": This chapter distinguishes between intrusion detection and intrusion prevention. Various Intrusion Prevention System (IPS) appliances are introduced, and the concept of signatures is discussed. Also, this chapter examines how to configure a Cisco IOS router to act as an IPS sensor, as opposed to using, for example, a dedicated IPS appliance. Specifically, the configuration discussed uses a wizard available in the Cisco SDM interface.
Part III: Extending Security and Availability with Cryptography and VPNs
Chapter 12, "Designing a Cryptographic Solution": This chapter initially explores the basics of cryptographic services and looks at their evolution. This chapter also examines the use of symmetric encryption, including a variety of symmetric algorithms such as DES, 3DES, AES, SEAL, and various Rivest ciphers. This chapter concludes with a discussion of the encryption process and what makes for a strong, trustworthy encryption algorithm.
Chapter 13, "Implementing Digital Signatures": This chapter begins with a look at hash algorithms and explores their construction and usage. This includes a discussion of their relative strengths and weaknesses in practical application. The components that make up a digital signature are also explored in depth, along with a discussion of their application as a means of proving a message's authenticity.
Chapter 14, "Exploring PKI and Asymmetric Encryption": This chapter looks at the use of asymmetric algorithms in a PKI and examines the features and capabilities of RSA specifically. The Diffie-Hellman (DH) algorithm is also discussed, as to how it is used for key exchange. This chapter also explores the makeup of the PKI infrastructure and discusses the various components and topologies that may be employed.
Chapter 15, "Building a Site-to-Site IPsec VPN Solution":
This chapter introduces you to an IPsec virtual private network (VPN) and its components. Additionally, you explore specific devices in the Cisco VPN product family. Then you are presented with Cisco best-practice recommendations for VPNs. This chapter then walks you through the process of configuring an IPsec site-to-site VPN on an IOS router, using both the command-line interface and the Cisco Security Device Manager (SDM) interface.
Part IV: Final Preparation
Chapter 16, "Final Preparation": This chapter identifies tools for final exam preparation and helps you develop an effective study plan.
Part V: Appendixes
Appendix A, "Answers to the 'Do I Know This Already?' Questions": Includes the answers to all the questions from Chapters 1 through 15.
Appendix B, "Glossary": The glossary contains definitions of all the terms listed in the "Definition of Key Terms" section at the conclusion of Chapters 1 through 15.
Appendix C, "CCNA Security Exam Updates: Version 1.0": This appendix provides instructions for finding updates to the exam and this book when and if they occur.
Appendix D, "Memory Tables": This CD-only appendix contains the key tables and lists from each chapter, with some of the contents removed. You can print this appendix and, as a memory exercise, complete the tables and lists. The goal is to help you memorize facts that can be useful on the exams. This appendix is available in PDF format on the CD; it is not in the printed book.
Appendix E, "Memory Tables Answer Key": This CD-only appendix contains the answer key for the memory tables in Appendix D. This appendix is available in PDF format on the CD; it is not in the printed book.
Using this book to prepare for the IINS exam is pretty straightforwardread each chapter in succession, and follow the study suggestions in Chapter 16, "Final Preparation."
For the core chapters of this book (Chapters 1 through 15), you do have some choices about how much of the chapter you read. In some cases, you may already know most or all of the information covered in a given chapter. To help you decide how much time to spend on each chapter, the chapters begin with a "Do I Know This Already?" quiz. If you get all the quiz questions correct, or you miss just one question, you may want to skip to the end of the chapter and the "Exam Preparation Tasks" section, and do those activities. Figure I-1 shows the overall plan.
How to Approach Each Chapter of This Book
When you have completed Chapters 1 through 15, you can use Chapter 16 for exam preparation guidance. That chapter includes the following suggestions:
Check http://www.ciscopress.com for the latest copy of Appendix C, which may include additional topics for study.
Repeat the tasks in all the chapters' "Exam Preparation Tasks" chapter-ending section.
Review all DIKTA questions using the exam engine.
Practice for the exam using the exam engine.
This book is broken into parts and chapters that address the key areas of the IINS exam. Each chapter begins with a series of "Do I Know This Already?" questions. You should work through these to get a sense of your current knowledge of the subject matter being discussed. Each chapter contains memory tables that you should work through. At the end of each chapter is a list of all the key topics, as well as terms central to the topic. It is a good idea to focus on these key topic areas and to be familiar with all the terms listed in each chapter. After you have completed this book, you may further prepare for the exam and test your knowledge by working through the practice exam on the CD. Tracking your score on the practice exam and noting areas of weakness will allow you to review these areas in the text to further solidify your knowledge before the actual IINS exam.For More Information
If you have any comments about this book, you can submit them at http://www.ciscopress.com. Just go to the website, click Contact Us, and enter your message.
Cisco might occasionally make changes that affect the CCNA Security certification. You should always check http://www.cisco.com/go/certification for the latest details.
© Copyright Pearson Education. All rights reserved.