CCNA Security Exam Cram (Exam IINS 640-553) (Exam Cram Series)

Paperback

Author: Eric Stewart

ISBN-10: 0789738007

ISBN-13: 9780789738004

Category: Other Computer Certification



In this book you’ll learn how to:

Build a secure network using security controls
Secure network perimeters
Implement secure management and harden routers
Implement network security policies using Cisco IOS firewalls
Understand cryptographic services
Deploy IPsec virtual private networks (VPNs)
Secure networks with Cisco IOS® IPS
Protect switch infrastructures
Secure endpoint devices, storage area networks (SANs), and voice networks

WRITTEN BY A LEADING EXPERT:

Eric Stewart is a self-employed network security contractor who finds his home in Ottawa, Canada. Eric has more than 20 years of experience in the information technology field, the last 12 years focusing primarily on Cisco® routers, switches, VPN concentrators, and security appliances. The majority of Eric’s consulting work has been in the implementation of major security infrastructure initiatives and architectural reviews with the Canadian Federal Government. Eric is a certified Cisco instructor teaching Cisco CCNA, CCNP®, and CCSP® curriculum to students throughout North America and the world.

CD Features MeasureUp Practice Questions!

This book includes a CD-ROM that features:

Practice exams with complete coverage of CCNA® Security exam topics
Detailed explanations of correct and incorrect answers
Multiple exam modes
Flash Card format
An electronic copy of the book

informit.com/examcram

ISBN-13: 978-0-7897-3800-4
ISBN-10: 0-7897-3800-7

U.S. $39.99 CAN. $43.99 Net U.K. £25.99

Introduction

Welcome to CCNA Security Exam Cram! The fact that you are reading this means that you are interested in the CCNA Security certification that Cisco announced in July of 2008. Cisco has done a thorough job of revamping the certification path for the Cisco Certified Security Professional (CCSP), with the CCNA Security certification being the cornerstone upon which the CCSP certification depends. Implementing Cisco IOS Network Security (IINS) is the recommended training course for CCNA Security certification. If you already hold the prerequisite valid CCNA certification, passing the 640-553 IINS exam enables you to obtain the CCNA Security certification—likely to become one of the hottest certifications in IT. This book helps prepare you for that exam. The book assumes that you already have your CCNA certification or an equivalent level of knowledge. If you do not have a CCNA level of knowledge, you should consider putting down this book and first pursuing more robust fundamental training, such as a full CCNA course book or a recommended CCNA course. And remember that CCNA is a prerequisite to CCNA Security certification.

This book is a synthesized, distilled, and pared-down effort, with only enough information as is necessary to provide context for the information you need to pass the exam. This is not to say that this book is not a good read, but it is a fair reflection of the type of material that you will need to master in order to be successful with the exam. Read this book, understand the material, and drill yourself with the practice exams, and you stand a very good chance of passing the exam. That said, it's possible that in the course of working through this book, depending on your prior CCNA Security training or on-the-job experience, you might identify topics that you are struggling with and that require you to consult more fundamental resources. This book discusses all the topics on the exam and tests you on all of them, but it does not always provide detailed coverage of all those topics.

Organization and Elements of This Book

When designing a secure network infrastructure, the workflow moves from the perimeter of the network to the inside of the network. After the perimeter is properly secured, the security architect can turn his or her attention to securing devices on the inside of the network perimeter where the endpoints reside. This structured approach is mimicked in the basic organization of this book.

The chapters of this book are organized into four major parts, with each part encapsulating a major idea in the field of network security:

Part I: Network Security Architecture
Part II: Perimeter Security
Part III: Augmenting Depth of Defense
Part IV: Security Inside the Perimeter

You can use this book's organization to your advantage while studying for the CCNA Security 640-553 IINS exam because each part of the book is self-contained. Although it is recommended that you follow the parts sequentially, there are frequent cross-references to content contained in other chapters if you choose to follow your own path through this book.

Each chapter follows a uniform structure, with graphical cues about especially important or useful material. The structure of a typical chapter is as follows:

Terms You'll Need to Understand: Each chapter begins with a list of the terms you'll need to understand, which define the concepts that you'll need to master before you can be fully conversant with the chapter's subject matter.

Exam Topics Covered in This Chapter: Cisco publishes a list of exam topics for the 640-553 IINS exam. Each chapter of this book begins by listing the exam topics covered in that chapter. See the following "Self Assessment" element for a complete list of the topics and the chapters where they are covered.

Exam Alerts: Throughout the topical coverage, Exam Alerts highlight material most likely to appear on the exam by using a special layout that looks like this:

***
Warning - This is what an Exam Alert looks like. An Exam Alert stresses concepts, terms, or activities that will most likely appear in one or more certification exam questions. For that reason, any information found offset in Exam Alert format is worthy of unusual attentiveness on your part.
***

Even if material isn't flagged as an Exam Alert, all content in this book is associated in some way with test-related material. What appears in the chapter content is critical knowledge.

Notes: This book is an overall examination of basic Cisco network security concepts and practice. As such, there are a number of side excursions into other aspects of network security and prerequisite networking knowledge. So that these do not distract from the topic at hand, this material is placed in notes.

***
Note - Cramming for an exam will get you through a test, but it won't make you a competent network security practitioner. Although you can memorize just the facts you need to become certified, your daily work in the field will rapidly put you in water over your head if you don't know the underlying principles behind a Cisco Self-Defending Network.
***

Practice Questions: This section presents a short list of test questions (most chapters have 10 of these) related to the specific chapter topics. Each question has a follow-on explanation of both correct and incorrect answers—this is very important because it is more important to know why you were wrong. Computers are binary and will accept right or wrong as answers, but we aren't, so we don't!

In addition to the topical chapters, this book also provides the following:

Practice Exams: Part V contains the sample tests that are a very close approximation of the types of questions you are likely to see on the current CCNA Security exam.

Answer Keys for Practice Exams: Part V also contains detailed answers to the practice exam questions. Like the questions at the end of the chapters, these explain both the correct answers and the incorrect answers and are therefore very helpful to go through thoroughly as you grade your practice exam. Knowing the topics you struggle with and why you got a question wrong is crucial.

Cram Sheet: This appears as a tear-away sheet inside the front cover of the book. It is a valuable tool that represents a collection of the most difficult-to-remember facts and numbers that the author thinks you should memorize before taking the test.

CD: The CD that accompanies this book features an innovative practice test engine powered by MeasureUp, including 100 practice questions. The practice exam contains question types covering all the topics on the CCNA Security exam, providing you with a challenging and realistic exam simulation environment.

Contacting the Author

I've tried to create a real-world tool and clearly written book that you can use to prepare for and pass the CCNA Security certification exam. That said, I am interested in any feedback that you have that might help make this Exam Cram better for future test-takers. Constructive and reasonable criticism is always welcome and will most certainly be responded to. You can contact the publisher, or you can reach me by email at eric@breezy.ca.

Please also share your exam experience. Did this book help you pass this exam? Did you feel better prepared after you read the book? Was it a confidence booster? Would you recommend this book to your colleagues?

Thanks for choosing me as your personal trainer, and enjoy the book!

—Eric Stewart

© Copyright Pearson Education. All rights reserved.

Introduction
  Organization and Elements of This Book
  Contacting the Author
Self Assessment
  Who Is a CCNA Security?
  The Ideal CCNA Security Candidate
  Put Yourself to the Test
  Exam Topics for 640-553 IINS (Implementing Cisco IOS Network Security)
  Strategy for Using This Exam Cram

Part I: Network Security Architecture

Chapter 1: Network Insecurity
  Exploring Network Security Basics and the Need for Network Security
    The Threats
    Other Reasons for Network Insecurity
    The CIA Triad
    Data Classification
    Security Controls
    Incident Response
    Laws and Ethics
  Exploring the Taxonomy of Network Attacks
    Adversaries
    How Do Hackers Think?
    Concepts of Defense in Depth
    IP Spoofing Attacks
    Attacks Against Confidentiality
    Attacks Against Integrity
    Attacks Against Availability
  Best Practices to Thwart Network Attacks
    Administrative Controls
    Technical Controls
    Physical Controls
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 2: Building a Secure Network Using Security Controls
  Defining Operations Security Needs
    Cisco System Development Life Cycle for Secure Networks
    Operations Security Principles
    Network Security Testing
    Disaster Recovery and Business Continuity Planning
  Establishing a Comprehensive Network Security Policy
    Defining Assets
    The Need for a Security Policy
    Policies
    Standards, Guidelines, and Procedures
    Who Is Responsible for the Security Policy?
    Risk Management
    Principles of Secure Network Design
  Examining Cisco’s Model of the Self-Defending Network
    Where Is the Network Perimeter?
    Building a Cisco Self-Defending Network
    Components of the Cisco Self-Defending Network
    Cisco Integrated Security Portfolio
  Exam Prep Questions
  Answers to Exam Prep Questions

Part II: Perimeter Security

Chapter 3: Security at the Network Perimeter
  Cisco IOS Security Features
    Where Do You Deploy an IOS Router?
    Cisco ISR Family and Features
  Securing Administrative Access to Cisco Routers
    Review Line Interfaces
    Password Best Practices
    Configuring Passwords
    Setting Multiple Privilege Levels
    Configuring Role-Based Access to the CLI
    Configuring the Cisco IOS Resilient Configuration Feature
    Protecting Virtual Logins from Attack
    Configuring Banner Messages
  Introducing Cisco SDM
    Files Required to Run Cisco SDM from the Router
    Using Cisco SDM Express
    Launching Cisco SDM
    Cisco SDM Smart Wizards
    Advanced Configuration with SDM
    Cisco SDM Monitor Mode
  Configuring Local Database AAA on a Cisco Router
    Authentication, Authorization, and Accounting (AAA)
    Two Reasons for Implementing AAA on Cisco Routers
    Cisco’s Implementation of AAA for Cisco Routers
    Tasks to Configure Local Database AAA on a Cisco Router
    Additional Local Database AAA CLI Commands
  Configuring External AAA on a Cisco Router Using Cisco Secure ACS
    Why Use Cisco Secure ACS?
    Cisco Secure ACS Features
    Cisco Secure ACS for Windows Installation Requirements
    Cisco Secure ACS Solution Engine and Cisco Secure ACS Express 5.0 Comparison
    TACACS+ or RADIUS?
    Prerequisites for Cisco Secure ACS
    Three Main Tasks for Setting Up External AAA
    Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+
    AAA Configuration Snapshot
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 4: Implementing Secure Management and Hardening the Router
  Planning for Secure Management and Reporting
    What to Log
    How to Log
    Reference Architecture for Secure Management and Reporting
    Secure Management and Reporting Guidelines
    Logging with Syslog
    Cisco Security MARS
    Where to Send Log Messages
    Log Message Levels
    Log Message Format
    Enabling Syslog Logging in SDM
    Using SNMP
    Configuring the SSH Daemon
    Configuring Time Features
  Using Cisco SDM and CLI Tools to Lock Down the Router
    Router Services and Interface Vulnerabilities
    Performing a Security Audit
  Exam Prep Questions
  Answers to Exam Prep Questions

Part III: Augmenting Depth of Defense

Chapter 5: Using Cisco IOS Firewalls to Implement a Network Security Policy
  Examining and Defining Firewall Technologies
    What Is a Firewall?
    Characteristics of a Firewall
    Firewall Advantages
    Firewall Disadvantages
    Role of Firewalls in a Layered Defense Strategy
    Types of Firewalls
    Cisco Family of Firewalls
    Firewall Implementation Best Practices
  Creating Static Packet Filters with ACLs
    Threat Mitigation with ACLs
    Inbound Versus Outbound
    Identifying ACLs
    ACL Examples Using the CLI
    ACL Guidelines
    Using the Cisco SDM to Configure ACLs
    Using ACLs to Filter Network Services
    Using ACLs to Mitigate IP Address Spoofing Attacks
    Using ACLs to Filter Other Common Services
  Cisco Zone-Based Policy Firewall Fundamentals
    Advantages of ZPF
    Features of ZPF
    ZPF Actions
    Zone Behavior
    Using the Cisco SDM Basic Firewall Wizard to Configure ZPF
    Manually Configuring ZPF with the Cisco SDM
    Monitoring ZPF
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 6: Introducing Cryptographic Services
  Cryptology Overview
    Cryptanalysis
    Encryption Algorithm (Cipher) Desirable Features
    Symmetric Key Versus Asymmetric Key Encryption Algorithms
    Block Versus Stream Ciphers
    Which Encryption Algorithm Do I Choose?
    Cryptographic Hashing Algorithms
    Principles of Key Management
    Other Key Considerations
    SSL VPNs
  Exploring Symmetric Key Encryption
    DES
    3DES
    AES
    SEAL
    Rivest Ciphers (RC)
  Exploring Cryptographic Hashing Algorithms and Digital Signatures
    HMACs
    Message Digest 5 (MD5)
    Secure Hashing Algorithm 1 (SHA-1)
    Digital Signatures
  Exploring Asymmetric Key Encryption and Public Key Infrastructure
    Encryption with Asymmetric Keys
    Authentication with Asymmetric Keys
    Public Key Infrastructure Overview
    PKI Topologies
    PKI and Usage Keys
    PKI Server Offload and Registration Authorities (RAs)
    PKI Standards
    Certificate Enrollment Process
    Certificate-Based Authentication
    Certificate Applications
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 7: Virtual Private Networks with IPsec
  Overview of VPN Technology
    Cisco VPN Products
    VPN Benefits
    Site-to-Site VPNs
    Remote-Access VPNs
    Cisco IOS SSL VPN
    Cisco VPN Product Positioning
    VPN Clients
    Hardware-Accelerated Encryption
    IPsec Compared to SSL
  Conceptualizing a Site-to-Site IPsec VPN
    IPsec Components
    IPsec Strengths
    Constructing a VPN: Putting it Together
  Implementing IPsec on a Site-to-Site VPN Using the CLI
    Step 1: Ensure That Existing ACLs Are Compatible with the IPsec VPN
    Step 2: Create ISAKMP (IKE Phase I) Policy Set(s)
    Step 3: Configure IPsec Transform Set(s)
    Step 4: Create Crypto ACL Defining Traffic in the IPsec VPN
    Step 5: Create and Apply the Crypto Map (IPsec Tunnel Interface)
    Verifying and Troubleshooting the IPsec VPN Using the CLI
  Implementing IPsec on a Site-to-Site VPN Using Cisco SDM
    Site-to-Site VPN Wizard Using Quick Setup
    Site-to-Site VPN Wizard Using Step-by-Step Setup
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 8: Network Security Using Cisco IOS IPS
  Exploring IPS Technologies
    IDS Versus IPS
    IDS and IPS Categories
    IPS Attack Responses
    Event Management and Monitoring
    Host IPS
    Network IPS
    HIPS and Network IPS Comparison
    Cisco IPS Appliances
    IDS and IPS Signatures
    Signature Alarms
    Best Practices for IPS Configuration
  Implementing Cisco IOS IPS
    Cisco IOS IPS Feature Blend
    Cisco IOS IPS Primary Benefits
    Cisco IOS IPS Signature Integration
    Configuring Cisco IOS IPS with the Cisco SDM
    Cisco IOS IPS CLI Configuration
    Configuring IPS Signatures
    SDEE and Syslog Logging Protocol Support
    Verifying IOS IPS Operation
  Exam Prep Questions
  Answers to Exam Prep Questions

Part IV: Security Inside the Perimeter

Chapter 9: Introduction to Endpoint, SAN, and Voice Security
  Introducing Endpoint Security
    Cisco’s Host Security Strategy
    Securing Software
    Endpoint Attacks
    Cisco Solutions to Secure Systems and Thwart Endpoint Attacks
    Endpoint Best Practices
  Exploring SAN Security
    SAN Advantages
    SAN Technologies
    SAN Address Vulnerabilities
    Virtual SANs (VSANs)
    SAN Security Strategies
  Exploring Voice Security
    VoIP Components
    Threats to VoIP Endpoints
    Fraud
    SIP Vulnerabilities
    Mitigating VoIP Hacking
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 10: Protecting Switch Infrastructure
  VLAN Hopping Attacks
    VLAN Hopping by Rogue Trunk
    VLAN Hopping by Double-Tagging
  STP Manipulation Attack
    STP Manipulation Attack Mitigation: Portfast
    STP Manipulation Attack Mitigation: BPDU Guard
    STP Manipulation Attack Mitigation: Root Guard
  CAM Table Overflow Attack
    CAM Table Overflow Attack Mitigation: Port Security
  MAC Address Spoofing Attack
    MAC Address Spoofing Attack Mitigation: Port Security
  Configuring Port Security
    Port Security Basic Settings
    Port Security Optional Settings
    Port Security Verification
  Miscellaneous Switch Security Features
    Intrusion Notification
    Switched Port Analyzer (SPAN)
    Storm Control
  Switch Security Best Practices
  Exam Prep Questions
  Answers to Exam Prep Questions

Part V: Practice Exams and Answers
  Practice Exam 1
  Answers to Practice Exam 1
  Practice Exam 2
  Answers to Practice Exam 2

Part VI: Appendixes
  Appendix A: What’s on the CD-ROM
  Appendix B: Need to Know More?