Table of Contents
Foreword
Introduction
Part I Network Security Concepts
Chapter 1 Understanding Network Security Principles
“Do I Know This Already?” Quiz
Foundation Topics
Exploring Security Fundamentals
Why Network Security Is a Necessity
Types of Threats
Scope of the Challenge
Nonsecured Custom Applications
The Three Primary Goals of Network Security
Confidentiality
Integrity
Availability
Categorizing Data
Classification Models
Classification Roles
Controls in a Security Solution
Responding to a Security Incident
Legal and Ethical Ramifications
Legal Issues to Consider
Understanding the Methods of Network Attacks
Vulnerabilities
Potential Attackers
The Mind-set of a Hacker
Defense in Depth
Understanding IP Spoofing
Launching a Remote IP Spoofing Attack with IP Source Routing
Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack
Protecting Against an IP Spoofing Attack
Understanding Confidentiality Attacks
Understanding Integrity Attacks
Understanding Availability Attacks
Best-Practice Recommendations
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 2 Developing a Secure Network
“Do I Know This Already?” Quiz
Foundation Topics
Increasing Operations Security
System Development Life Cycle
Initiation
Acquisition and Development
Implementation
Operations and Maintenance
Disposition
Operations Security Overview
Evaluating Network Security
Nmap
Disaster Recovery Considerations
Types of Disruptions
Types of Backup Sites
Constructing a Comprehensive Network Security Policy
Security Policy Fundamentals
Security Policy Components
Governing Policy
Technical Policies
End-User Policies
More-Detailed Documents
Security Policy Responsibilities
Risk Analysis, Management, and Avoidance
Quantitative Analysis
Qualitative Analysis
Risk Analysis Benefits
Risk Analysis Example: Threat Identification
Managing and Avoiding Risk
Factors Contributing to a Secure Network Design
Design Assumptions
Minimizing Privileges
Simplicity Versus Complexity
User Awareness and Training
Creating a Cisco Self-Defending Network
Evolving Security Threats
Constructing a Cisco Self-Defending Network
Cisco Security Management Suite
Cisco Integrated Security Products
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 3 Defending the Perimeter
“Do I Know This Already?” Quiz
Foundation Topics
ISR Overview and Providing Secure Administrative Access
IOS Security Features
Cisco Integrated Services Routers
Cisco 800 Series
Cisco 1800 Series
Cisco 2800 Series
Cisco 3800 Series
ISR Enhanced Features
Password-Protecting a Router
Limiting the Number of Failed Login Attempts
Setting a Login Inactivity Timer
Configuring Privilege Levels
Creating Command-Line Interface Views
Protecting Router Files
Enabling Cisco IOS Login Enhancements for Virtual Connections
Creating a Banner Message
Cisco Security Device Manager Overview
Introducing SDM
Preparing to Launch Cisco SDM
Exploring the Cisco SDM Interface
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Command Reference to Check Your Memory
Chapter 4 Configuring AAA
“Do I Know This Already?” Quiz
Foundation Topics
Configuring AAA Using the Local User Database
Authentication, Authorization, and Accounting
AAA for Cisco Routers
Router Access Authentication
Using AAA to Configure Local User Database Authentication
Defining a Method List
Setting AAA Authentication for Login
Configuring AAA Authentication on Serial Interfaces Running PPP
Using the aaa authentication enable default Command
Implementing the aaa authorization Command
Working with the aaa accounting Command
Using the CLI to Troubleshoot AAA for Cisco Routers
Using Cisco SDM to Configure AAA
Configuring AAA Using Cisco Secure ACS
Overview of Cisco Secure ACS for Windows
Additional Features of Cisco Secure ACS 4.0 for Windows
Cisco Secure ACS 4.0 for Windows Installation
Overview of TACACS+ and RADIUS
TACACS+ Authentication
Command Authorization with TACACS+
TACACS+ Attributes
Authentication and Authorization with RADIUS
RADIUS Message Types
RADIUS Attributes
Features of RADIUS
Configuring TACACS+
Using the CLI to Configure AAA Login Authentication on Cisco Routers
Configuring Cisco Routers to Use TACACS+ Using the Cisco SDM
Defining the AAA Servers
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Command Reference to Check Your Memory
Chapter 5 Securing the Router
“Do I Know This Already?” Quiz
Foundation Topics
Locking Down the Router
Identifying Potentially Vulnerable Router Interfaces and Services
Locking Down a Cisco IOS Router
AutoSecure
Cisco SDM One-Step Lockdown
Using Secure Management and Reporting
Planning for Secure Management and Reporting
Secure Management and Reporting Architecture
Configuring Syslog Support
Securing Management Traffic with SNMPv3
Enabling Secure Shell on a Router
Using Cisco SDM to Configure Management Features
Configuring Syslog Logging with Cisco SDM
Configuring SNMP with Cisco SDM
Configuring NTP with Cisco SDM
Configuring SSH with Cisco SDM
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Command Reference to Check Your Memory
Part II Constructing a Secure Infrastructure
Chapter 6 Securing Layer 2 Devices
“Do I Know This Already?” Quiz
Foundation Topics
Defending Against Layer 2 Attacks
Review of Layer 2 Switch Operation
Basic Approaches to Protecting Layer 2 Switches
Preventing VLAN Hopping
Switch Spoofing
Double Tagging
Protecting Against an STP Attack
Combating DHCP Server Spoofing
Using Dynamic ARP Inspection
Mitigating CAM Table Overflow Attacks
Spoofing MAC Addresses
Additional Cisco Catalyst Switch Security Features
Using the SPAN Feature with IDS
Enforcing Security Policies with VACLs
Isolating Traffic Within a VLAN Using Private VLANs
Traffic Policing
Notifying Network Managers of CAM Table Updates
Port Security Configuration
Configuration Recommendations
Cisco Identity-Based Networking Services
Introduction to Cisco IBNS
Overview of IEEE 802.1x
Extensible Authentication Protocols
EAP-MD5
EAP-TLS
PEAP (MS-CHAPv2)
EAP-FAST
Combining IEEE 802.1x with Port Security Features
Using IEEE 802.1x for VLAN Assignment
Configuring and Monitoring IEEE 802.1x
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Command Reference to Check Your Memory
Chapter 7 Implementing Endpoint Security
“Do I Know This Already?” Quiz
Foundation Topics
Examining Endpoint Security
Defining Endpoint Security
Examining Operating System Vulnerabilities
Examining Application Vulnerabilities
Understanding the Threat of Buffer Overflows
Buffer Overflow Defined
The Anatomy of a Buffer Overflow Exploit
Understanding the Types of Buffer Overflows
Additional Forms of Attack
Securing Endpoints with Cisco Technologies
Understanding IronPort
The Architecture Behind IronPort
Examining the Cisco NAC Appliance
Working with the Cisco Security Agent
Understanding Cisco Security Agent Interceptors
Examining Attack Response with the Cisco Security Agent
Best Practices for Securing Endpoints
Application Guidelines
Apply Application Protection Methods
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 8 Providing SAN Security
“Do I Know This Already?” Quiz
Foundation Topics
Overview of SAN Operations
Fundamentals of SANs
Organizational Benefits of SAN Usage
Understanding SAN Basics
Fundamentals of SAN Security
Classes of SAN Attacks
Implementing SAN Security Techniques
Using LUN Masking to Defend Against Attacks
Examining SAN Zoning Strategies
Examining Soft and Hard Zoning
Understanding World Wide Names
Defining Virtual SANs
Combining VSANs and Zones
Identifying Port Authentication Protocols
Understanding DHCHAP
CHAP in Securing SAN Devices
Working with Fibre Channel Authentication Protocol
Understanding Fibre Channel Password Authentication Protocol
Assuring Data Confidentiality in SANs
Incorporating Encapsulating Security Payload (ESP)
Providing Security with Fibre Channel Security Protocol
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 9 Exploring Secure Voice Solutions
“Do I Know This Already?” Quiz
Foundation Topics
Defining Voice Fundamentals
Defining VoIP
The Need for VoIP
VoIP Network Components
VoIP Protocols
Identifying Common Voice Vulnerabilities
Attacks Targeting Endpoints
VoIP Spam
Vishing and Toll Fraud
SIP Attack Targets
Securing a VoIP Network
Protecting a VoIP Network with Auxiliary VLANs
Protecting a VoIP Network with Security Appliances
Hardening Voice Endpoints and Application Servers
Summary of Voice Attack Mitigation Techniques
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 10 Using Cisco IOS Firewalls to Defend the Network
“Do I Know This Already?” Quiz
Foundation Topics
Exploring Firewall Technology
The Role of Firewalls in Defending Networks
The Advance of Firewall Technology
Transparent Firewalls
Application Layer Firewalls
Benefits of Using Application Layer Firewalls
Working with Application Layer Firewalls
Application Firewall Limitations
Static Packet-Filtering Firewalls
Stateful Packet-Filtering Firewalls
Stateful Packet Filtering and the State Table
Disadvantages of Stateful Filtering
Uses of Stateful Packet-Filtering Firewalls
Application Inspection Firewalls
Application Inspection Firewall Operation
Effective Use of an Application Inspection Firewall
Overview of the Cisco ASA Adaptive Security Appliance
The Role of Firewalls in a Layered Defense Strategy
Creating an Effective Firewall Policy
Using ACLs to Construct Static Packet Filters
The Basics of ACLs
Cisco ACL Configuration
Working with Turbo ACLs
Developing ACLs
Using the CLI to Apply ACLs to the Router Interface
Considerations When Creating ACLs
Filtering Traffic with ACLs
Preventing IP Spoofing with ACLs
Restricting ICMP Traffic with ACLs
Configuring ACLs to Filter Router Service Traffic
vty Filtering
SNMP Service Filtering
RIPv2 Route Filtering
Grouping ACL Functions
Implementing a Cisco IOS Zone-Based Firewall
Understanding Cisco IOS Firewalls
Traffic Filtering
Traffic Inspection
The Role of Alerts and Audit Trails
Classic Firewall Process
SPI and CBAC
Examining the Principles Behind Zone-Based Firewalls
Changes to Firewall Configuration
Zone Membership Rules
Understanding Security Zones
Zones and Inspection
Security Zone Restrictions
Working with Zone Pairs
Security Zone Firewall Policies
Class Maps
Verifying Zone-Based Firewall Configuration
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Command Reference to Check Your Memory
Chapter 11 Using Cisco IOS IPS to Secure the Network
“Do I Know This Already?” Quiz
Foundation Topics
Examining IPS Technologies
IDS Versus IPS
IDS and IPS Device Categories
Detection Methods
Network-Based Versus Host-Based IPS
Deploying Network-Based and Host-Based Solutions
IDS and IPS Appliances
Cisco IDS 4215 Sensor
Cisco IPS 4240 Sensor
Cisco IPS 4255 Sensor
Cisco IPS 4260 Sensor
Signatures
Exploit Signatures
Connection Signatures
String Signatures
Denial-of-Service Signatures
Signature Definition Files
Alarms
Using SDM to Configure Cisco IOS IPS
Launching the Intrusion Prevention Wizard
IPS Policies Wizard
Creating IPS Rules
Manipulating Global IPS Settings
Signature Configuration
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Part III Extending Security and Availability with Cryptography and VPNs
Chapter 12 Designing a Cryptographic Solution
“Do I Know This Already?” Quiz
Foundation Topics
Introducing Cryptographic Services
Understanding Cryptology
Cryptography Through the Ages
The Substitution Cipher
The Vigenère Cipher
Transposition Ciphers
Working with the One-Time Pad
The Encryption Process
Cryptanalysis
Understanding the Features of Encryption Algorithms
Symmetric and Asymmetric Encryption Algorithms
Encryption Algorithms and Keys
Symmetric Encryption Algorithms
Asymmetric Encryption Algorithms
The Difference Between Block and Stream Ciphers
Block Ciphers
Stream Ciphers
Exploring Symmetric Encryption
Functionality of Symmetric Encryption Algorithms
Key Lengths
Features and Functions of DES
Working with the DES Key
Modes of Operation for DES
Working with DES Stream Cipher Modes
Usage Guidelines for Working with DES
Understanding How 3DES Works
Encrypting with 3DES
AES
The Rijndael Cipher
Comparing AES and 3DES
Availability of AES in the Cisco Product Line
SEAL
SEAL Restrictions
The Rivest Ciphers
Understanding Security Algorithms
Selecting an Encryption Algorithm
Understanding Cryptographic Hashes
Working with Hashing
Designing Key Management
Components of Key Management
Understanding Keyspaces
Issues Related to Key Length
SSL VPNs
Establishing an SSL Tunnel
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 13 Implementing Digital Signatures
“Do I Know This Already?” Quiz
Foundation Topics
Examining Hash Algorithms
Exploring Hash Algorithms and HMACs
Anatomy of a Hash Function
Application of Hash Functions
Cryptographic Hash Functions
Application of Cryptographic Hashes
HMAC Explained
MD5 Features and Functionality
Origins of MD5
Vulnerabilities of MD5
Usage of MD5
SHA-1 Features and Functionality
Overview of SHA-1
Vulnerabilities of SHA-1
Usage of SHA-1
Using Digital Signatures
Understanding Digital Signatures
Digital Signature Scheme
Authentication and Integrity
Examining RSA Signatures
Exploring the History of RSA
Understanding How RSA Works
Encrypting and Decrypting Messages with RSA
Signing Messages with RSA
Vulnerabilities of RSA
Exploring the Digital Signature Standard
Using the DSA Algorithm
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 14 Exploring PKI and Asymmetric Encryption
“Do I Know This Already?” Quiz
Foundation Topics
Understanding Asymmetric Algorithms
Exploring Asymmetric Encryption Algorithms
Using Public-Key Encryption to Achieve Confidentiality
Providing Authentication with a Public Key
Understanding the Features of the RSA Algorithm
Working with RSA Digital Signatures
Guidelines for Working with RSA
Examining the Features of the Diffie-Hellman Key Exchange Algorithm
Steps of the Diffie-Hellman Key Exchange Algorithm
Working with a PKI
Examining the Principles Behind a PKI
Understanding PKI Terminology
Components of a PKI
Classes of Certificates
Examining the PKI Topology of a Single Root CA
Examining the PKI Topology of Hierarchical CAs
Examining the PKI Topology of Cross-Certified CAs
Understanding PKI Usage and Keys
Working with PKI Server Offload
Understanding PKI Standards
Understanding X.509v3
Understanding Public Key Cryptography Standards (PKCS)
Understanding Simple Certificate Enrollment Protocol (SCEP)
Exploring the Role of Certificate Authorities and Registration Authorities in a PKI
Examining Identity Management
Retrieving the CA Certificate
Understanding the Certificate Enrollment Process
Examining Authentication Using Certificates
Examining Features of Digital Certificates and CAs
Understanding the Caveats of Using a PKI
Understanding How Certificates Are Employed
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Chapter 15 Building a Site-to-Site IPsec VPN Solution
“Do I Know This Already?” Quiz
Foundation Topics
Exploring the Basics of IPsec
Introducing Site-to-Site VPNs
Overview of IPsec
IKE Modes and Phases
Authentication Header and Encapsulating Security Payload
Cisco VPN Product Offerings
Cisco VPN-Enabled Routers and Switches
Cisco VPN 3000 Series Concentrators
Cisco ASA 5500 Series Appliances
Cisco 500 Series PIX Security Appliances
Hardware Acceleration Modules
VPN Design Considerations and Recommendations
Best-Practice Recommendations for Identity and IPsec Access Control
Best-Practice Recommendations for IPsec
Best-Practice Recommendations for Network Address Translation
Best-Practice Recommendations for Selecting a Single-Purpose Versus Multipurpose Device
Constructing an IPsec Site-to-Site VPN
The Five Steps in the Life of an IPsec Site-to-Site VPN
The Five Steps of Configuring an IPsec Site-to-Site VPN
Configuring an IKE Phase 1 Tunnel
Configuring an IKE Phase 2 Tunnel
Applying Crypto Maps
Using Cisco SDM to Configure IPsec on a Site-to-Site VPN
Introduction to the Cisco SDM VPN Wizard
Quick Setup
Step-by-Step Setup
Configuring Connection Settings
Selecting an IKE Proposal
Selecting a Transform Set
Selecting Traffic to Protect in the IPsec Tunnel
Applying the Generated Configuration
Monitoring the Configuration
Exam Preparation Tasks
Review All the Key Topics
Complete the Tables and Lists from Memory
Definition of Key Terms
Command Reference to Check Your Memory
Part IV Final Preparation
Chapter 16 Final Preparation
Exam Engine and Questions on the CD
Install the Software from the CD
Activate and Download the Practice Exam
Activating Other Exams
Study Plan
Recall the Facts
Use the Exam Engine
Choosing Study or Simulation Mode
Passing Scores for the IINS Exam
Part V Appendixes
Appendix A Answers to “Do I Know This Already?” Questions
Appendix B Glossary
Appendix C CCNA Security Exam Updates: Version 1.0
Appendix D Memory Tables (CD only)
Appendix E Memory Tables Answer Key (CD only)
1587202204 TOC 5/19/2008