Contents
Part I Fundamentals of Network Security
Chapter 1 Networking Security Concepts
“Do I Know This Already?” Quiz
Understanding Network and Information Security Basics
Confidentiality, Integrity, and Availability
Cost-Benefit Analysis of Security
Recognizing Current Network Threats
Other Miscellaneous Attack Methods
Applying Fundamental Security Principles to Network Design
Network Security for a Virtual Environment
Complete the Tables and Lists from Memory
Chapter 2 Common Security Threats
“Do I Know This Already?” Quiz
Network Security Threat Landscape
Distributed Denial-of-Service Attacks
Defenses Against Social Engineering
Methods Available for Malware Identification
Data Loss and Exfiltration Methods
Complete the Tables and Lists from Memory
Chapter 3 Implementing AAA in Cisco IOS
“Do I Know This Already?” Quiz
Cisco Secure ACS, RADIUS, and TACACS
On What Platform Does ACS Run?
Protocols Used Between the ACS and the Router
Protocol Choices Between the ACS Server and the Client (the Router)
Configuring Routers to Interoperate with an ACS Server
Configuring the ACS Server to Interoperate with a Router
Verifying and Troubleshooting Router-to-ACS Server Interactions
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 4 Bring Your Own Device (BYOD)
“Do I Know This Already?” Quiz
Bring Your Own Device Fundamentals
Complete the Tables and Lists from Memory
Part III Virtual Private Networks (VPN)
Chapter 5 Fundamentals of VPN Technology and Cryptography
“Do I Know This Already?” Quiz
Understanding VPNs and Why We Use Them
Symmetric and Asymmetric Algorithms
Hashed Message Authentication Code
Next-Generation Encryption Protocols
RSA Algorithm, the Keys, and Digital Certificates
Who Has Keys and a Digital Certificate?
How Two Parties Exchange Public Keys
Root and Identity Certificates
Using the Digital Certificates to Get the Peer’s Public Key
X.500 and X.509v3 Certificates
Authenticating and Enrolling with the CA
Public Key Cryptography Standards
Simple Certificate Enrollment Protocol
Hierarchical CA with Subordinate CAs
Putting the Pieces of PKI to Work
Viewing the Certificates in ASDM
Easier Method for Installing Both Root and Identity Certificates
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 6 Fundamentals of IP Security
“Do I Know This Already?” Quiz
IPsec Concepts, Components, and Operations
The Internet Key Exchange (IKE) Protocol
Step 1: Negotiate the IKEv1 Phase 1 Tunnel
Step 2: Run the DH Key Exchange
What About the User’s Original Packet?
Leveraging What They Have Already Built
Now IPsec Can Protect the User’s Packets
Configuring and Verifying IPsec
Tools to Configure the Tunnels
Viewing the CLI Equivalent at the Router
Completing and Verifying IPsec
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 7 Implementing IPsec Site-to-Site VPNs
“Do I Know This Already?” Quiz
Planning and Preparing an IPsec Site-to-Site VPN
Implementing and Verifying an IPsec Site-to-Site VPN in Cisco IOS Devices
Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS
Implementing and Verifying an IPsec Site-to-Site VPN in Cisco ASA
Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 8 Implementing SSL VPNs Using Cisco ASA
“Do I Know This Already?” Quiz
Functions and Use of SSL for VPNs
SSL and TLS Protocol Framework
The Play by Play of SSL for VPNs
Configuring Clientless SSL VPNs on ASA
Accessing the Connection Profile
Seeing the VPN Activity from the Server
Using the Cisco AnyConnect Secure Mobility Client
Configuring the Cisco ASA to Terminate the Cisco AnyConnect Secure Mobility Client Connections
Groups, Connection Profiles, and Defaults
One Item with Three Different Names
Troubleshooting SSL Negotiations
Troubleshooting AnyConnect Client Issues
Complete the Tables and Lists from Memory
Part IV Secure Routing and Switching
Chapter 9 Securing Layer 2 Technologies
“Do I Know This Already?” Quiz
VLAN and Trunking Fundamentals
Following the Frame, Step by Step
So, What Do You Want to Be? (Asks the Port)
The Challenge of Using Physical Interfaces Only
Using Virtual “Sub” Interfaces
Loops in Networks Are Usually Bad
The Solution to the Layer 2 Loop
Improving the Time Until Forwarding
Common Layer 2 Threats and How to Mitigate Them
Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too
Specific Layer 2 Mitigation for CCNA Security
Complete the Tables and Lists from Memory
Review the Port Security Video Included with This Book
Command Reference to Check Your Memory
Chapter 10 Network Foundation Protection
“Do I Know This Already?” Quiz
Using Network Foundation Protection to Secure Networks
The Importance of the Network Infrastructure
The Network Foundation Protection Framework
Understanding the Management Plane
Best Practices for Securing the Management Plane
Understanding the Control Plane
Best Practices for Securing the Control Plane
Best Practices for Protecting the Data Plane
Additional Data Plane Protection Mechanisms
Complete the Tables and Lists from Memory
Chapter 11 Securing the Management Plane on Cisco IOS Devices
“Do I Know This Already?” Quiz
What Is Management Traffic and the Management Plane?
Beyond the Blue Rollover Cable
Management Plane Best Practices
Options for Storing Usernames, Passwords, and Access Rules
Limiting the Administrator by Assigning a View
Encrypted Management Protocols
Implementing Security Measures to Protect the Management Plane
Using the CLI to Troubleshoot AAA for Cisco Routers
RBAC Privilege Level/Parser View
Securing the Cisco IOS Image and Configuration Files
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 12 Securing the Data Plane in IPv6
“Do I Know This Already?” Quiz
Understanding and Configuring IPv6
Developing a Security Plan for IPv6
Best Practices Common to Both IPv4 and IPv6
Threats Common to Both IPv4 and IPv6
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 13 Securing Routing Protocols and the Control Plane
“Do I Know This Already?” Quiz
Minimizing the Impact of Control Plane Traffic on the CPU
Implement Routing Update Authentication on OSPF
Implement Routing Update Authentication on EIGRP
Implement Routing Update Authentication on RIP
Implement Routing Update Authentication on BGP
Complete the Tables and Lists from Memory
Part V Cisco Firewall Technologies and Intrusion Prevention System Technologies
Chapter 14 Understanding Firewall Fundamentals
“Do I Know This Already?” Quiz
Firewall Concepts and Technologies
Using Network Address Translation
NAT Is About Hiding or Changing the Truth About Source Addresses
Inside, Outside, Local, Global
Creating and Deploying Firewalls
Firewall Design Considerations
Packet-Filtering Access Rule Structure
Firewall Rule Design Guidelines
Rule Implementation Consistency
Complete the Tables and Lists from Memory
Chapter 15 Implementing Cisco IOS Zone-Based Firewalls
“Do I Know This Already?” Quiz
Cisco IOS Zone-Based Firewalls
How Zone-Based Firewall Operates
Specific Features of Zone-Based Firewalls
Zones and Why We Need Pairs of Them
Configuring and Verifying Cisco IOS Zone-Based Firewalls
Using CCP to Configure the Firewall
Verifying the Configuration from the Command Line
Implementing NAT in Addition to ZBF
Verifying Whether NAT Is Working
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 16 Configuring Basic Firewall Policies on Cisco ASA
“Do I Know This Already?” Quiz
The ASA Appliance Family and Features
Implementing a Packet-Filtering ACL
Permitting Additional Access Through the Firewall
Using Packet Tracer to Verify Which Packets Are Allowed
Verifying the Policy of No Telnet
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 17 Cisco IDS/IPS Fundamentals
“Do I Know This Already?” Quiz
Difference Between IPS and IDS
True/False Negatives/Positives
Identifying Malicious Traffic on the Network
When Sensors Detect Malicious Traffic
Controlling Which Actions the Sensors Should Take
Implementing Actions Based on the Risk Rating
Monitoring and Managing Alarms and Alerts
Cisco Next-Generation IPS Solutions
Complete the Tables and Lists from Memory
Part VI Content and Endpoint Security
Chapter 18 Mitigation Technologies for E-mail-Based and Web-Based Threats
“Do I Know This Already?” Quiz
Mitigation Technology for E-mail-Based Threats
Cisco E-mail Security Appliance
Cisco ESA Initial Configuration
Mitigation Technology for Web-Based Threats
Cisco Content Security Management Appliance
Complete the Tables and Lists from Memory
Command Reference to Check Your Memory
Chapter 19 Mitigation Technologies for Endpoint Threats
“Do I Know This Already?” Quiz
Antivirus and Antimalware Solutions
Personal Firewalls and Host Intrusion Prevention Systems
Advanced Malware Protection for Endpoints
Hardware and Software Encryption of Endpoint Data
Encrypting Endpoint Data at Rest
Complete the Tables and Lists from Memory
Exam Engine and Questions on the CD
Activate and Download the Practice Exam
Appendix A Answers to the “Do I Know This Already?” Quizzes
Appendix B CCNA Security 210-260 (IINS) Exam Updates
On the CD
Glossary