Table of Contents
Organization and Elements of This Book
The Ideal CCNA Security Candidate
Exam Topics for 640-553 IINS (Implementing Cisco IOS Network Security)
Strategy for Using This Exam Cram
Part I: Network Security Architecture
Exploring Network Security Basics and the Need for Network Security
Other Reasons for Network Insecurity
Exploring the Taxonomy of Network Attacks
Attacks Against Confidentiality
Best Practices to Thwart Network Attacks
Answers to Exam Prep Questions
Chapter 2: Building a Secure Network Using Security Controls
Defining Operations Security Needs
Cisco System Development Life Cycle for Secure Networks
Operations Security Principles
Disaster Recovery and Business Continuity Planning
Establishing a Comprehensive Network Security Policy
The Need for a Security Policy
Standards, Guidelines, and Procedures
Who Is Responsible for the Security Policy?
Principles of Secure Network Design
Examining Cisco’s Model of the Self-Defending Network
Where Is the Network Perimeter?
Building a Cisco Self-Defending Network
Components of the Cisco Self-Defending Network
Cisco Integrated Security Portfolio
Answers to Exam Prep Questions
Chapter 3: Security at the Network Perimeter
Where Do You Deploy an IOS Router?
Securing Administrative Access to Cisco Routers
Setting Multiple Privilege Levels
Configuring Role-Based Access to the CLI
Configuring the Cisco IOS Resilient Configuration Feature
Protecting Virtual Logins from Attack
Files Required to Run Cisco SDM from the Router
Advanced Configuration with SDM
Configuring Local Database AAA on a Cisco Router
Authentication, Authorization, and Accounting (AAA)
Two Reasons for Implementing AAA on Cisco Routers
Cisco’s Implementation of AAA for Cisco Routers
Tasks to Configure Local Database AAA on a Cisco Router
Additional Local Database AAA CLI Commands
Configuring External AAA on a Cisco Router Using Cisco Secure ACS
Cisco Secure ACS for Windows Installation Requirements
Cisco Secure ACS Solution Engine and Cisco Secure ACS Express 5.0 Comparison
Prerequisites for Cisco Secure ACS
Three Main Tasks for Setting Up External AAA
Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+
Answers to Exam Prep Questions
Chapter 4: Implementing Secure Management and Hardening the Router
Planning for Secure Management and Reporting
Reference Architecture for Secure Management and Reporting
Secure Management and Reporting Guidelines
Enabling Syslog Logging in SDM
Using Cisco SDM and CLI Tools to Lock Down the Router
Router Services and Interface Vulnerabilities
Answers to Exam Prep Questions
Part III: Augmenting Depth of Defense
Chapter 5: Using Cisco IOS Firewalls to Implement a Network Security Policy
Examining and Defining Firewall Technologies
Role of Firewalls in a Layered Defense Strategy
Firewall Implementation Best Practices
Creating Static Packet Filters with ACLs
Using the Cisco SDM to Configure ACLs
Using ACLs to Filter Network Services
Using ACLs to Mitigate IP Address Spoofing Attacks
Using ACLs to Filter Other Common Services
Cisco Zone-Based Policy Firewall Fundamentals
Using the Cisco SDM Basic Firewall Wizard to Configure ZPF
Manually Configuring ZPF with the Cisco SDM
Answers to Exam Prep Questions
Chapter 6: Introducing Cryptographic Services
Encryption Algorithm (Cipher) Desirable Features
Symmetric Key Versus Asymmetric Key Encryption Algorithms
Which Encryption Algorithm Do I Choose?
Cryptographic Hashing Algorithms
Exploring Symmetric Key Encryption
Exploring Cryptographic Hashing Algorithms and Digital Signatures
Secure Hashing Algorithm 1 (SHA-1)
Exploring Asymmetric Key Encryption and Public Key Infrastructure
Encryption with Asymmetric Keys
Authentication with Asymmetric Keys
Public Key Infrastructure Overview
PKI Server Offload and Registration Authorities (RAs)
Certificate Enrollment Process
Certificate-Based Authentication
Answers to Exam Prep Questions
Chapter 7: Virtual Private Networks with IPsec
Hardware-Accelerated Encryption
Conceptualizing a Site-to-Site IPsec VPN
Constructing a VPN: Putting it Together
Implementing IPsec on a Site-to-Site VPN Using the CLI
Step 1: Ensure That Existing ACLs Are Compatible with the IPsec VPN
Step 2: Create ISAKMP (IKE Phase I) Policy Set(s)
Step 3: Configure IPsec Transform Set(s)
Step 4: Create Crypto ACL Defining Traffic in the IPsec VPN
Step 5: Create and Apply the Crypto Map (IPsec Tunnel Interface)
Verifying and Troubleshooting the IPsec VPN Using the CLI
Implementing IPsec on a Site-to-Site VPN Using Cisco SDM
Site-to-Site VPN Wizard Using Quick Setup
Site-to-Site VPN Wizard Using Step-by-Step Setup
Answers to Exam Prep Questions
Chapter 8: Network Security Using Cisco IOS IPS
Event Management and Monitoring
HIPS and Network IPS Comparison
Best Practices for IPS Configuration
Cisco IOS IPS Primary Benefits
Cisco IOS IPS Signature Integration
Configuring Cisco IOS IPS with the Cisco SDM
Cisco IOS IPS CLI Configuration
SDEE and Syslog Logging Protocol Support
Answers to Exam Prep Questions
Part IV: Security Inside the Perimeter
Chapter 9: Introduction to Endpoint, SAN, and Voice Security
Cisco’s Host Security Strategy
Cisco Solutions to Secure Systems and Thwart Endpoint Attacks
Answers to Exam Prep Questions
Chapter 10: Protecting Switch Infrastructure
VLAN Hopping by Double-Tagging
STP Manipulation Attack Mitigation: Portfast
STP Manipulation Attack Mitigation: BPDU Guard
STP Manipulation Attack Mitigation: Root Guard
CAM Table Overflow Attack Mitigation: Port Security
MAC Address Spoofing Attack Mitigation: Port Security
Port Security Optional Settings
Miscellaneous Switch Security Features
Switch Security Best Practices
Answers to Exam Prep Questions
Part V: Practice Exams and Answers
Appendix A: What’s on the CD-ROM
Creating a Shortcut to the MeasureUp Practice Tests