Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide Second Edition Foundation learning for the CCNA Security IINS 640-554 exam   Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is a Cisco-authorized, self-paced learning tool for CCNA® Security 640-554 foundation learning. This book provides you with the knowledge needed to secure Cisco® networks. By reading this book, you will gain a thorough understanding of how to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.   This book focuses on using Cisco IOS routers to protect the network by capitalizing on their advanced features as a perimeter router, firewall, intrusion prevention system, and site-to-site VPN device. The book also covers the use of Cisco Catalyst switches for basic network security, the  Cisco Secure Access Control System (ACS), and the Cisco Adaptive Security Appliance (ASA). You learn how to perform basic tasks to secure a small branch office network using Cisco IOS security features available through web-based GUIs (Cisco Configuration Professional) and the CLI on Cisco routers, switches, and ASAs.   Whether you are preparing for CCNA Security certification or simply want to gain a better understanding of Cisco IOS security fundamentals, you will benefit from the information provided in this book.   Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.   -- Develop a comprehensive network security policy to counter threats against information security -- Secure borderless networks -- Learn how to use Cisco IOS Network Foundation Protection (NFP) and Cisco Configuration Professional (CCP) -- Securely implement the management and reporting features of Cisco IOS devices -- Deploy Cisco Catalyst Switch security features -- Understand IPv6 security features -- Plan threat control strategies -- Filter traffic with access control lists -- Configure ASA and Cisco IOS zone-based firewalls -- Implement intrusion prevention systems (IPS) and network address translation (NAT) -- Secure connectivity with site-to-site IPsec VPNs and remote access VPNs   This volume is in the Foundation Learning Guide Series offered by Cisco Press®. These guides are developed together with Cisco as the only authorized, self-paced learning tools that help networking professionals build their understanding of networking concepts and prepare for Cisco certification exams.   Category: Cisco Certification Covers: CCNA Security IINS exam 640-554  

Table of Contents:
Introduction xxviii Part I Networking Security Fundamentals Chapter 1 Network Security Concepts and Policies 1 Building Blocks of Information Security 2     Basic Security Assumptions 2     Basic Security Requirements 2     Data, Vulnerabilities, and Countermeasures 3         Data Classification 4         Vulnerabilities Classifications 7         Countermeasures Classification 8         Need for Network Security 12         Intent Evolution 13         Threat Evolution 14         Trends Affecting Network Security 16     Adversaries, Methodologies, and Classes of Attack 19         Adversaries 20         Methodologies 21         Threats Classification 23         Man-in-the-Middle Attacks 32         Overt and Covert Channels 33         Botnets 37         DoS and DDoS Attacks 37     Principles of Secure Network Design 39         Defense in Depth 41 Evaluating and Managing the Risk 42     Levels of Risks 43     Risk Analysis and Management 44         Risk Analysis 44         Building Blocks of Risk Analysis 47         A Lifecycle Approach to Risk Management 49     Regulatory Compliance 50 Security Policies 53     Security Policy Components 55         Governing Policy 56         End-User Policies 57         Technical Policies 57         Standards, Guidelines, and Procedures 59         Security Policy Roles and Responsibilities 61         Security Awareness 62 Secure Network Lifecycle Management 63     IT Governance, Risk Management, and Compliance 64     Secure Network Life Cycle 64         Initiation Phase 65         Acquisition and Development Phase 65         Implementation Phase 66         Operations and Maintenance Phase 67         Disposition Phase 67         Models and Frameworks 67     Network Security Posture 69     Network Security Testing 70         Security Testing Techniques 70         Common Testing Tools 71     Incident Response 72     Incident Management 73         Computer Crime Investigations 74         Laws and Ethics 75         Liability 76     Disaster Recovery and Business Continuity Planning 77         Business Continuity Concepts 78 Summary 79 References 79     Publications 79     Web Resources 80 Review Questions 80 Chapter 2 Security Strategy and Cisco Borderless Network 85 Borderless Networks 85 Cisco Borderless Network Security Architecture 86     Borderless End Zone 88     Borderless Internet 89     Borderless Data Center 90     Policy Management Layer 91     Borderless Network Services 91 Borderless Security Products 92     SecureX, a Context-Aware Security Approach 93         SecureX Core Components 94     Threat Control and Containment 98     Cisco Security Intelligence Operation 99     Cloud Security, Content Security, and Data Loss Prevention 100         Content Security 101         Data Loss Prevention 101         Cloud-Based Security 101         Web Security 101         Email Security 104     Secure Connectivity Through VPNs 105     Security Management 106         Cisco Security Manager 107 Summary 108 References 108 Review Questions 109 Part II Protecting the Network Infrastructure Chapter 3 Network Foundation Protection and Cisco Configuration Professional 111 Threats Against the Network Infrastructure 112 Cisco NFP Framework 114     Control Plane Security 118         CoPP 119         CPPr 119         Traffic Classes 120         Routing Protocol Integrity 121         Cisco AutoSecure 122     Management Plane Security 123         Secure Management and Reporting 124         Role-Based Access Control 126         Deploying AAA 127     Data Plane Security 128         Access Control List Filtering 128 Cisco Configuration Professional 131     CCP Initial Configuration 133     Cisco Configuration Professional User Interface and Features 136         Menu Bar 136         Toolbar 138         Navigation Pane 138         Content Pane 142         Status Bar 142 Cisco Configuration Professional Building Blocks 142     Communities 142         Creating Communities 143         Managing Communities 144     Templates 145     User Profiles 147     Using CCP to Harden Cisco IOS Devices 148         Security Audit 149         One-Step Lockdown 152         Cisco IOS AutoSecure 152 Summary 154 References 155 Review Questions 155 Chapter 4 Securing the Management Plane on Cisco IOS Devices and AAA 159 Configuring Secure Administration Access 159     Configuring an SSH Daemon for Secure Management Access 161     Configuring Passwords on Cisco IOS Devices 163         Setting Timeouts for Router Lines 164         Configuring the Minimum Length for Router Passwords 165         Enhanced Username Password Security 166     Securing ROM Monitor 167     Securing the Cisco IOS Image and Configuration Files 168     Configuring Multiple Privilege Levels 170     Configuring Role-Based Command-Line Interface Access 171 Implementing Secure Management and Reporting 174     Planning Considerations for Secure Management and Reporting 175     Secure Management and Reporting Architecture 176         Secure Management and Reporting Guidelines 176     Enabling Time Features 176         Network Time Protocol 177     Using Syslog Logging for Network Security 178         Implementing Log Messaging for Security 179     Using SNMP to Manage Network Devices 182         SNMPv3 Architecture 183         Enabling SNMP Options Using Cisco CCP 185 Configuring AAA on a Cisco Router 186     Authentication, Authorization, and Accounting 186         Authenticating Router Access 188     Configuring AAA Authentication and Method Lists 190     Configuring AAA on a Cisco Router Using the Local Database 191         Configuring AAA Local Authentication 192     AAA on a Cisco Router Using Cisco Secure ACS 198         Cisco Secure ACS Overview 198         Cisco Identity Services Engine 204 TACACS+ and RADIUS Protocols 205     TACACS+ 205     RADIUS 206     Comparing TACACS+ and RADIUS 206 AAA on a Cisco Router Using an External Database 208     Configuration Steps for AAA Using an External Database 208         AAA Servers and Groups 208         AAA Authentication Method Lists 210         AAA Authorization Policies 211         AAA Accounting Policies 213     AAA Configuration for TACACS+ Example 215     Troubleshooting TACACS+ 216 Deploying and Configuring Cisco Secure ACS 218     Evolution of Authorization 219         Before: Group-Based Policies 219         Now: More Than Just Identities 220     Rule-Based Policies 222     Configuring Cisco Secure ACS 5.2 223         Configuring Authorization Policies for Device Administration 224 Summary 230 References 230 Review Questions 231 Chapter 5 Securing the Data Plane on Cisco Catalyst Switches 233 Overview of VLANs and Trunking 234     Trunking and 802.1Q 235         802.1Q Tagging 236         Native VLANs 237     Configuring VLANs and Trunks 237         Step 1: Configuring and Verifying 802.1Q Trunks 238         Step 2: Creating a VLAN 240         Step 3: Assigning Switch Ports to a VLAN 242         Step 4: Configuring Inter-VLAN Routing 243 Spanning Tree Overview 244     STP Fundamentals 245     Verifying RSTP and PVRST+ 248 Mitigating Layer 2 Attacks 249     Basic Switch Operation 249     Layer 2 Best Practices 250     Layer 2 Protection Toolkit 250     Mitigating VLAN Attacks 251         VLAN Hopping 251     Mitigating Spanning Tree Attacks 254         PortFast 255     Mitigating CAM Table Overflow Attacks 259     Mitigating MAC Address Spoofing Attacks 260     Using Port Security 261         Errdisable Recovery 263 Summary 270 References 271 Review Questions 271 Chapter 6 Securing the Data Plane in IPv6 Environments 275 The Need for IPv6 275 IPv6 Features and Enhancements 278     IPv6 Headers 279     Stateless Address Autoconfiguration 280     Internet Control Message Protocol Version 6 281     IPv6 General Features 282     Transition to IPv6 283 IPv6 Addressing 285     IPv6 Address Representation 285     IPv6 Address Types 286         IPv6 Unicast Addressing 286     Assigning IPv6 Global Unicast Addresses 291         Manual Interface Assignment 291         EUI-64 Interface ID Assignment 291         Stateless Autoconfiguration 292         DHCPv6 (Stateful) 292     IPv6 EUI-64 Interface Identifier 292 IPv6 and Cisco Routers 293     IPv6 Address Configuration Example 294     Routing Considerations for IPv6 294 Revisiting Threats: Considerations for IPv6 295     Examples of Possible IPv6 Attacks 298         Recommended Practices 300 Summary 301 References 301 Review Questions 302 Part III Threat Control and Containment Chapter 7 Planning a Threat Control Strategy 305 Threats Revisited 305     Trends in Network Security Threats 306     Threat Mitigation and Containment: Design Fundamentals 307         Threat Control Design Guidelines 308         Application Layer Visibility 309         Distributed Security Intelligence 309         Security Intelligence Analysis 310 Integrated Threat Control Strategy 311     Cisco Threat Control and Containment Categories 311         Integrated Approach to Threat Control 312         Application Awareness 313         Application-Specific Gateways 313         Security Management 313         Cisco Security Intelligence Operations Site 313     Cisco Threat Control and Containment Solutions Fundamentals 314         Cisco Security Appliances 314         Cisco IPSs 316 Summary 317 References 318 Review Questions 318 Chapter 8 Access Control Lists for Threat Mitigation 319 ACL Fundamentals 320     Types of IP ACLs 324 ACL Wildcard Masking and VLSM Review 325     Subnetting Overview 326         Subnetting Example: Class C 326         Subnetting Example 327     Variable-Length Subnet Masking 328         A Working VLSM Example 329     ACL Wildcard Bits 331         Example: Wildcard Masking Process for IP Subnets 332         Example: Wildcard Masking Process with a Single IP Address 333         Example: Wildcard Masking Process with a Match Any IP Address 334     Using ACLs to Control Traffic 335         Example: Numbered Standard IPv4 ACL–Deny a Specific Subnet 336         Numbered Extended IPv4 ACL 338         Displaying ACLs 342     Enhancing ACLs with Object Groups 343     ACL Considerations 345 Configuring ACLs for Threat Control Using Cisco Configuration Professional 347     Rules in Cisco Configuration Professional 347         Working with ACLs in CCP 348         ACL Editor 349         Adding Rules 350         Associating Rules with Interfaces 352         Enabling Logging with CCP 354         Monitoring ACLs with CCP 356         Configuring an Object Group with CCP 357     Using ACLs in IPv6 Environments 360 Summary 363 References 364 Review Questions 364 Chapter 9 Firewall Fundamentals and Network Address Translation 367 Introducing Firewall Technologies 367     Firewall Fundamentals 367     Firewalls in a Layered Defense Strategy 370     Static Packet-Filtering Firewalls 372     Application Layer Gateways 374     Dynamic or Stateful Packet-Filtering Firewalls 378     Other Types of Firewalls 382         Application Inspection Firewalls, aka Deep Packet Inspection 382         Transparent Firewalls (Layer 2 Firewalls) 383 NAT Fundamentals 384     Example of Translating an Inside Source Address 387     NAT Deployment Choices 389 Firewall Designs 390     Firewall Policies in a Layered Defense Strategy 391     Firewall Rules Design Guidelines 392 Summary 394 References 394 Review Questions 394 Chapter 10 Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA 397 Cisco Firewall Solutions 398 Cisco IOS Zone-Based Policy Firewall 398     Zone-Based Policy Firewall Overview 398     Zones and Zone Pairs 402         Self Zone 402         Zone-Based Topology Examples 403 Introduction to Cisco Common Classification Policy Language 403     Zone-Based Policy Firewall Actions 407     Service Policy Zone Pair Assignments 408     Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction 408         Zone-Based Policy Firewall: Rules for Router Traffic 409     Configuring Basic Interzone Policies Using CCP and the CLI 411         Step 1: Start the Basic Firewall Wizard 412         Step 2: Select Trusted and Untrusted Interfaces 413         Step 3: Review and Verify the Resulting Policies 416         Verifying and Tuning the Configuration 416         Step 4: Enabling Logging 417         Step 5: Verifying Firewall Status and Activity 419         Step 6: Modifying Zone-Based Firewall Configuration Objects 420         Step 7: Verifying the Configuration Using the CLI 421     Configuring NAT Services for Zone-Based Firewalls 422         Step 1: Run the Basic NAT Wizard 423         Step 2: Select NAT Inside and Outside Interfaces 424         Step 3: Verify NAT with CCP and the CLI 426 Cisco ASA Firewall 427     Stateful Packet Filtering and Application Awareness 427     Network Services Offered by the Cisco ASA 5500 Series 428         Network Address Translation 428         Additional Network Services 431     Cisco ASA Security Technologies 431         Cisco ASA Configuration Fundamentals 432         Cisco ASA 5505 435     Cisco ASDM 436         Preparing the Cisco ASA 5505 for ASDM 437         Cisco ASDM Features and Menus 438     Cisco Modular Policy Framework 443         Class Map: Identifying Traffic on Which a Policy Will Be Enforced 443         Policy Map: Configuring the Action That Will Be Applied to the Traffic 444         Service Policy: Activating the Policy 444         Cisco ASA Modular Policy Framework: Simple Example 445     Basic Outbound Access Control on Cisco ASA Using Cisco ASDM 446         Scenario Configuration Steps Using Cisco ASDM 446 Summary 461 References 462     Cisco.com Resources 462     Other Resources 462     CCP and ASDM Demo Mode Tutorials 462 Review Questions 463 Chapter 11 Intrusion Prevention Systems 467 IPS Fundamentals 467     Introducing IDS and IPS 467         So, IDS or IPS? Why Not Both? 473         Alarm Types 474     Intrusion Prevention Technologies 475         Signature-Based IDS/IPS 476         Policy-Based IDS/IPS 477         Anomaly-Based IDS/IPS 477         Reputation-Based IPS 478     IPS Attack Responses 478         IPS Anti-Evasion Techniques 480         Risk-Based Intrusion Prevention 482         IPv6-Aware IPS 484     Alarms 484         IPS Alarms: Event Monitoring and Management 485         Global Correlation 486     IPS Deployment 488         Cisco IPS Offerings 490         IPS Best Practices 492         Cisco IPS Architecture 494 Cisco IOS IPS 495     Cisco IOS IPS Features 495         Scenario: Protecting the Branch Office Against Inside Attack 497     Signatures 497     Signature Files 498         Signature Management 500         Examining Signature Microengines 500     Signature Tuning 502         Optimal Signature Set 504         Monitoring IPS Alarms and Event Management 505     Configuring Cisco IOS IPS Using Cisco Configuration Professional 507         Step 1: Download Cisco IOS IPS Signature Package 508         Step 2: Launch IPS Policies Wizard 509         Step 3: Verify Configuration and Signature Files 515         Step 4: Perform Signature Tuning 517         Step 5: Verify Alarms 521     Configuring Cisco IOS IPS Using the CLI 524 Summary 529 References 530     Cisco.com Resources 530     General IDS/IPS Resource 530 Review Questions 530 Part IV Secure Connectivity Chapter 12 Fundamentals of Cryptography and VPN Technologies 533 VPN Overview 534     VPN Types 535         Site-to-Site VPNs 536         Remote-Access VPNs 537 Examining Cryptographic Services 538     Cryptology Overview 538         The History of Cryptography 540         Ciphers 540     Block and Stream Ciphers 547         Block Ciphers 547         Stream Ciphers 548     The Process of Encryption 549         Encryption Application Examples 550         Cryptanalysis 551         Desirable Encryption Algorithm Features 554     Key Management 555         Key Management Components 555         Keyspaces 556         Key Length Issues 556         Example of the Impact of Key Length 557 Symmetric and Asymmetric Encryption Overview 557     Symmetric Encryption Algorithms 558         Comparing Symmetric Encryption Algorithms 560         DES Modes of Operation 561         DES Security Guidelines 561         The Rijndael Cipher 563         AES Versus 3DES 564     Asymmetric Encryption Algorithms 565         Public Key Confidentiality 566     Encryption Algorithm Selection 567 Cryptographic Hashes and Digital Signatures 568     Hashing Algorithms 571         MD5 572         SHA-1 572         SHA-2 573     Hashed Message Authentication Codes 573     Overview of Digital Signatures 575         Digital Signatures = Encrypted Message Digest 578 Diffie-Hellman 579     Diffie-Hellman Example 581     Cryptographic Processes in VPNs 582 Asymmetric Encryption: Digital Signatures 583     Asymmetric Encryption Overview 583         Public Key Authentication 584     RSA and Digital Signatures 585 Public Key Infrastructure 587     PKI Terminology and Components 589     Certificate Classes 590     Certificate Authorities 590     PKI Standards 593         Certificate Revocation 599     Certificate Use 600         Digital Certificates and CAs 601 Summary 602 References 603     Books and Articles 603     Standards 603     Encryption Regulations 603 Review Questions 604 Chapter 13 IPsec Fundamentals 609 IPsec Framework 609     Suite B Cryptographic Standard 611     Encryption Algorithms 612     Key Exchange: Diffie-Hellman 613     Data Integrity 614     Authentication 615 IPsec Protocol 616     Authentication Header 618     Encapsulating Security Payload 619     IPsec Modes of Operations 620         Transport Mode 621         Tunnel Mode 621 IKE Protocol 622     IKEv1 Modes 624     IKEv1 Phases 625         IKEv1 Phase 1 625         IKEv1 Phase 1 Example 626         IKEv1 Phase 2 631     IKE Version 2 632     IKEv1 Versus IKEv2 633 IPv6 VPNs 635     IPsec Services for Transitioning to IPv6 636 Summary 637 References 637     Books 637     Cisco.com Resources 637 Review Questions 637 Chapter 14 Site-to-Site IPsec VPNs with Cisco IOS Routers 641 Site-to-Site IPsec: Planning and Preparation 641     Site-to-Site IPsec VPN Operations 642     Planning and Preparation Checklist 643     Building Blocks of Site-to-Site IPsec 643         Interesting Traffic and Crypto ACLs 643         Mirrored Crypto ACLs 644         Cipher Suite 645         Crypto Map 646 Configuring a Site-to-Site IPsec VPN Using CCP 647     Initiating the VPN Wizard 647         VPN Connection Information 649         IKE Proposals 652         Transform Set 653         Traffic to Protect 654         Configuration Summary 656     Creating a Mirror Configuration for the Peer Site 657 Verifying the IPsec Configuration Using CCP and CLI 658     Verifying IPsec Configuration Using CLI 658     Verifying IKE Policy Using the CLI 659         Verifying IKE Phase 2 Policy Using the CLI 660         Verifying Crypto Maps Using the CLI 660 Monitoring Established IPsec VPN Connections 661     IKE Policy Negotiation 662     VPN Troubleshooting 662     Monitoring IKE Security Association 664     Monitoring IPsec Security Association 664 Summary 665 References 666 Review Questions 666 Chapter 15 SSL VPNs with Cisco ASA 669 SSL VPNs in Borderless Networks 670     Cisco SSL VPN 671 SSL and TLS Protocol Framework 672     SSL and TLS 673     SSL Cryptography 674     SSL Tunnel Establishment 675         SSL Tunnel Establishment Example 676 Cisco SSL VPN Deployment Options and Considerations 679     Cisco SSL VPN Client: Full Network Access 681 SSL VPN on Cisco ASA in Clientless Mode 683     Clientless Configuration Scenario 683     Task 1: Launch the Clientless SSL VPN Wizard from ASDM 684     Task 2: Configure the SSL VPN Interface 684     Task 3: Configure User Authentication 686     Task 4: Configure User Group Policy 686     Task 5: Configure a Bookmark List 687     Task 6: Verify the Clientless SSL VPN Wizard Configuration 690     Log In to the VPN Portal: Clientless SSL VPN 690 SSL VPN on ASA Using the Cisco AnyConnect VPN Client 692     Cisco AnyConnect Configuration Scenario 693     Phase 1: Configure Cisco ASA for Cisco AnyConnect 693         Task 1: Connection Profile Identification 694         Task 2: VPN Protocols and Device Certificate 695         Task 3: Client Image 696         Task 4: Authentication Methods 697         Task 5: Client Address Assignment 698         Task 6: Network Name Resolution Servers 700         Task 7: Network Address Translation Exemption 700         Task 8: AnyConnect Client Deployment Summary 702     Phase 2: Configure the Cisco AnyConnect VPN Client 702     Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client 706         Verifying VPN Connectivity from Cisco ASA 706 Summary 707 References 708 Review Questions 708 Appendix A Answers to Chapter Review Questions 711     9781587142727   TOC   10/16/2012