CCNA Security Official Exam Certification Guide

Hardcover

Author: Michael Watkins

ISBN-10: 1587202204

ISBN-13: 9781587202209

Category: Other Computer Certification

CCNA Security Official Exam Certification Guide

- Master the IINS 640-553 exam with this official study guide
- Assess your knowledge with chapter-opening quizzes
- Review key concepts with Exam Preparation Tasks
- Practice with realistic exam questions on the CD-ROM

CCNA Security Official Exam Certification Guide is a best of breed Cisco® exam study guide that focuses specifically on the objectives for the CCNA® Security IINS exam. Senior security instructors Michael Watkins and Kevin Wallace share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNA Security Official Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks sections help drill you on key concepts you must know thoroughly. The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a topic-by-topic basis, presenting question-by-question remediation to the text and laying out a complete study plan for review.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

CCNA Security Official Exam Certification Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

Michael Watkins, CCNA/CCNP®/CCVP®/CCSP®, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, Michael has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the United States Air Force to help them implement and learn the latest network technologies.

Kevin Wallace, CCIE® No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, Kevin has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. Kevin also is a CCVP, CCSP, CCNP, and CCDP with multiple Cisco security and IP communications specializations.

The official study guide helps you master all the topics on the IINS exam, including:

- Network security threats
- Security policies
- Network perimeter defense
- AAA configuration
- Router security
- Switch security
- Endpoint security
- SAN security
- VoIP security
- IOS firewalls
- Cisco IOS® IPS
- Cryptography
- Digital signatures
- PKI and asymmetric encryption
- IPsec VPNs

This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

Category: Cisco Press—Cisco Certification
Covers: IINS exam 640-553

Introduction

Congratulations on your decision to pursue a Cisco Certification! If you're reading far enough to look at the introduction to this book, you likely already have a sense of what you ultimately would like to achieve—the Cisco CCNA Security certification. Achieving Cisco CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco certifications are recognized throughout the networking industry as a rigorous test of a candidate's knowledge of and ability to work with Cisco technology. Through its quality technologies, Cisco has garnered a significant market share in the router and switch marketplace, with more than 80 percent market share in some markets. For many industries and markets around the world, networking equals Cisco. Cisco certification will set you apart from the crowd and allow you to display your knowledge as a networking security professional.

Historically speaking, the first entry-level Cisco certification is the Cisco Certified Network Associate (CCNA) certification, first offered in 1998.

With the introduction of the CCNA Security certification, Cisco has for the first time provided an area of focus at the associate level. The CCNA Security certification is for networking professionals who work with Cisco security technologies and who want to demonstrate their mastery of core network security principles and technologies.

Format of the IINS Exam

The 640-553 IINS exam follows the same general format of other Cisco exams. When you get to the testing center and check in, the proctor gives you some general instructions and then takes you into a quiet room with a PC. When you're at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and the testing engine. If you have user-level PC skills, you should have no problems with the testing environment. Additionally, Chapter 16 points to a Cisco website where you can see a demo of the actual Cisco test engine.

When you start the exam, you are asked a series of questions. You answer the question and then move on to the next question. The exam engine does not let you go back and change your answer. When you move on to the next question, that's it for the earlier question.

The exam questions can be in one of the following formats:

- Multiple-choice (MC)
- Testlet
- Drag-and-drop (DND)
- Simulated lab (Sim)
- Simlet

The first three types of questions are relatively common in many testing environments. The multiple-choice format simply requires that you point and click a circle beside the correct answer(s). Cisco traditionally tells you how many answers you need to choose, and the testing software prevents you from choosing too many answers. Testlets are questions with one general scenario, with multiple MC questions about the overall scenario. Drag-and-drop questions require you to click and hold, move a button or icon to another area, and release the mouse button to place the object somewhere else—typically in a list. For example, to get the question correct, you might need to put a list of five things in the proper order.

The last two types both use a network simulator to ask questions. Interestingly, these two types allow Cisco to assess two very different skills. Sim questions generally describe a problem, and your task is to configure one or more routers and switches to fix the problem. The exam then grades the question based on the configuration you changed or added. Interestingly, Sim questions are the only questions that Cisco (to date) has openly confirmed that partial credit is given for.

The Simlet questions may well be the most difficult style of question on the exams. Simlet questions also use a network simulator, but instead of answering the question by changing the configuration, the question includes one or more MC questions. The questions require that you use the simulator to examine the current behavior of a network, interpreting the output of any show commands that you can remember to answer the question. Whereas Sim questions require you to troubleshoot problems related to a configuration, Simlets require you to analyze both working networks and networks with problems, correlating show command output with your knowledge of networking theory and configuration commands.

What's on the IINS Exam?

Cisco wants the public to know both the variety of topics and the kinds of knowledge and skills that are required for each topic, for every Cisco certification exam. To that end, Cisco publishes a set of exam topics for each exam. The topics list the specific subjects, such as ACLs, PKI, and AAA, that you will see on the exam. The wording of the topics also implies the kinds of skills required for that topic. For example, one topic might start with "Describe...", and another might begin with "Describe, configure, and troubleshoot...". The second objective clearly states that you need a thorough and deep understanding of that topic. By listing the topics and skill level, Cisco helps you prepare for the exam.

Although the exam topics are helpful, keep in mind that Cisco adds a disclaimer that the posted exam topics for all its certification exams are guidelines. Cisco makes an effort to keep the exam questions within the confines of the stated exam topics. I know from talking to those involved that every question is analyzed to ensure that it fits within the stated exam topics.

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered.
Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com (http://www.cisco.com/go/certification). If Cisco later adds exam topics, you may go to http://www.ciscopress.com and download additional information about the newly added topics.

Table I-1 640-553 IINS Exam Topics

Reference Number | Exam Topic | Book Part(s) Where Topic Is Covered
1.0 | Describe the security threats facing modern network infrastructures |
1.1 | Describe and mitigate the common threats to the physical installation | I
1.2 | Describe and list mitigation methods for common network attacks | I
1.3 | Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks | II
1.4 | Describe the main activities in each phase of a secure network lifecycle | I
1.5 | Explain how to meet the security needs of a typical enterprise with a comprehensive security policy | I
1.6 | Describe the Cisco Self Defending Network architecture | I
1.7 | Describe the Cisco security family of products and their interactions | I, II, III
2.0 | Secure Cisco routers |
2.1 | Secure Cisco routers using the SDM Security Audit feature | I
2.2 | Use the One-Step Lockdown feature in SDM to secure a Cisco router | I
2.3 | Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements | I
2.4 | Secure administrative access to Cisco routers by configuring multiple privilege levels | I
2.5 | Secure administrative access to Cisco routers by configuring role based CLI | I
2.6 | Secure the Cisco IOS image and configuration file | I
3.0 | Implement AAA on Cisco routers using local router database and external ACS |
3.1 | Explain the functions and importance of AAA | I
3.2 | Describe the features of TACACS+ and RADIUS AAA protocols | I
3.3 | Configure AAA authentication | I
3.4 | Configure AAA authorization | I
3.5 | Configure AAA accounting | I
4.0 | Mitigate threats to Cisco routers and networks using ACLs |
4.1 | Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets | II
4.2 | Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI | II
4.3 | Configure IP ACLs to prevent IP address spoofing using CLI | II
4.4 | Discuss the caveats to be considered when building ACLs | II
5.0 | Implement secure network management and reporting |
5.1 | Describe the factors to be considered when planning for secure management and reporting of network devices | I
5.2 | Use CLI and SDM to configure SSH on Cisco routers to enable secured management access | I
5.3 | Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server | I
5.4 | Describe SNMPv3 and NTPv3 | I
6.0 | Mitigate common Layer 2 attacks |
6.1 | Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features | II
7.0 | Implement the Cisco IOS firewall feature set using SDM |
7.1 | Describe the operational strengths and weaknesses of the different firewall technologies | II
7.2 | Explain stateful firewall operations and the function of the state table | II
7.3 | Implement Zone Based Firewall using SDM | II
8.0 | Implement the Cisco IOS IPS feature set using SDM |
8.1 | Define network based vs. host based intrusion detection and prevention | II
8.2 | Explain IPS technologies, attack responses, and monitoring options | II
8.3 | Enable and verify Cisco IOS IPS operations using SDM | II
9.0 | Implement site-to-site VPNs on Cisco Routers using SDM |
9.1 | Explain the different methods used in cryptography | III
9.2 | Explain IKE protocol functionality and phases | III
9.3 | Describe the building blocks of IPSec and the security functions it provides | III
9.4 | Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM | III

IINS Course Outlines

Another way to get some direction about the topics on the exams is to look at the course outlines for the related courses. Cisco offers one authorized CCNA Security-related course: Implementing Cisco IOS Network Security (IINSv1.0). Cisco authorizes Certified Learning Solutions Providers (CLSP) and Certified Learning Partners (CLP) to deliver these classes. These authorized companies can also create unique custom course books using this material, in some cases to teach classes geared toward passing the 640-553 IINS exam.

About the CCNA Security Official Exam Certification Guide

As mentioned earlier, Cisco has outlined the topics tested on the 640-553 IINS exam. This book maps to these topic areas and provides some background material to give context and to help you understand these topics.

This section lists this book's variety of features. A number of basic features included in this book are common to all Cisco Press Official Exam Certification Guides. These features are designed to help you prepare to pass the official certification exam, as well as help you learn relevant real-world concepts and procedures.

Objectives and Methods

The most important and somewhat obvious objective of this book is to help you pass the 640-553 IINS exam.
In fact, if the primary objective of this book were different, the book's title would be misleading! However, the methods used in this book to help you pass the exams are also designed to make you much more knowledgeable about how to do your job.

This book uses several key methodologies to help you discover the exam topics on which you need more review, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. So, this book does not try to help you pass the exams only by memorization, but by truly learning and understanding the topics. The CCNA Security certification is the foundation of the professional level Cisco certification in security, the CCSP, so it is important that this book also help you truly learn the material. This book is designed to help you pass the CCNA Security exam by using the following methods:

- Helping you discover which exam topics you have not mastered
- Providing explanations and information to fill in your knowledge gaps
- Supplying exercises that enhance your ability to recall and deduce the answers to test questions
- Providing practice exercises on the topics and the testing process via test questions on the CD

Book Features

To help you customize your study time using this book, the core chapters have several features that help you make the best use of your time:

- "Do I Know This Already?" quiz: Each chapter begins with a quiz that helps you determine how much time you need to spend studying that chapter.
- Foundation Topics: These are the core sections of each chapter. They explain the protocols, concepts, and configuration for the topics in that chapter.
- Exam Preparation Tasks: At the end of the "Foundation Topics" section of each chapter, the "Exam Preparation Tasks" section lists a series of study activities that you should do at the end of the chapter. Each chapter includes the activities that make the most sense for studying the topics in that chapter.
  — Review All the Key Topics: The Key Topic icon appears next to the most important items in the "Foundation Topics" section of the chapter. The Review All the Key Topics activity lists the Key Topics from the chapter, along with their page numbers. Although the contents of the entire chapter could be on the exam, you should definitely know the information listed in each Key Topic, so you should review these.
  — Complete the Tables and Lists from Memory: To help you memorize some lists of facts, many of the more important lists and tables from the chapter are included in a document on the CD. This document lists only partial information, allowing you to complete the table or list.
  — Definition of Key Terms: Although the exam may be unlikely to ask a question such as "Define this term," the CCNA exams do require that you learn and know a lot of networking terminology. This section lists the most important terms from the chapter, asking you to write a short definition and compare your answer to the glossary at the end of the book.
  — Command Reference Tables: Some chapters cover a large number of configuration and EXEC commands. These tables list and describe the commands introduced in the chapter. For exam preparation, use these tables for reference, but also read them when performing the Exam Preparation Tasks to make sure you remember what all the commands do.

Table of Contents

Foreword
Introduction

Part I Network Security Concepts

Chapter 1 Understanding Network Security Principles
  “Do I Know This Already?” Quiz
  Foundation Topics
  Exploring Security Fundamentals
  Why Network Security Is a Necessity
    Types of Threats
    Scope of the Challenge
    Nonsecured Custom Applications
  The Three Primary Goals of Network Security
    Confidentiality
    Integrity
    Availability
  Categorizing Data
    Classification Models
    Classification Roles
  Controls in a Security Solution
  Responding to a Security Incident
  Legal and Ethical Ramifications
    Legal Issues to Consider
  Understanding the Methods of Network Attacks
  Vulnerabilities
  Potential Attackers
  The Mind-set of a Hacker
  Defense in Depth
  Understanding IP Spoofing
    Launching a Remote IP Spoofing Attack with IP Source Routing
    Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack
    Protecting Against an IP Spoofing Attack
  Understanding Confidentiality Attacks
  Understanding Integrity Attacks
  Understanding Availability Attacks
  Best-Practice Recommendations
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Chapter 2 Developing a Secure Network
  “Do I Know This Already?” Quiz
  Foundation Topics
  Increasing Operations Security
  System Development Life Cycle
    Initiation
    Acquisition and Development
    Implementation
    Operations and Maintenance
    Disposition
  Operations Security Overview
  Evaluating Network Security
    Nmap
  Disaster Recovery Considerations
    Types of Disruptions
    Types of Backup Sites
  Constructing a Comprehensive Network Security Policy
  Security Policy Fundamentals
  Security Policy Components
    Governing Policy
    Technical Policies
    End-User Policies
    More-Detailed Documents
  Security Policy Responsibilities
  Risk Analysis, Management, and Avoidance
    Quantitative Analysis
    Qualitative Analysis
    Risk Analysis Benefits
    Risk Analysis Example: Threat Identification
    Managing and Avoiding Risk
  Factors Contributing to a Secure Network Design
    Design Assumptions
    Minimizing Privileges
    Simplicity Versus Complexity
  User Awareness and Training
  Creating a Cisco Self-Defending Network
  Evolving Security Threats
  Constructing a Cisco Self-Defending Network
    Cisco Security Management Suite
  Cisco Integrated Security Products
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Chapter 3 Defending the Perimeter
  “Do I Know This Already?” Quiz
  Foundation Topics
  ISR Overview and Providing Secure Administrative Access
  IOS Security Features
  Cisco Integrated Services Routers
    Cisco 800 Series
    Cisco 1800 Series
    Cisco 2800 Series
    Cisco 3800 Series
    ISR Enhanced Features
  Password-Protecting a Router
  Limiting the Number of Failed Login Attempts
  Setting a Login Inactivity Timer
  Configuring Privilege Levels
  Creating Command-Line Interface Views
  Protecting Router Files
  Enabling Cisco IOS Login Enhancements for Virtual Connections
  Creating a Banner Message
  Cisco Security Device Manager Overview
  Introducing SDM
  Preparing to Launch Cisco SDM
  Exploring the Cisco SDM Interface
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms
  Command Reference to Check Your Memory

Chapter 4 Configuring AAA
  “Do I Know This Already?” Quiz
  Foundation Topics
  Configuring AAA Using the Local User Database
  Authentication, Authorization, and Accounting
  AAA for Cisco Routers
  Router Access Authentication
  Using AAA to Configure Local User Database Authentication
    Defining a Method List
    Setting AAA Authentication for Login
    Configuring AAA Authentication on Serial Interfaces Running PPP
    Using the aaa authentication enable default Command
    Implementing the aaa authorization Command
    Working with the aaa accounting Command
  Using the CLI to Troubleshoot AAA for Cisco Routers
  Using Cisco SDM to Configure AAA
  Configuring AAA Using Cisco Secure ACS
  Overview of Cisco Secure ACS for Windows
    Additional Features of Cisco Secure ACS 4.0 for Windows
  Cisco Secure ACS 4.0 for Windows Installation
  Overview of TACACS+ and RADIUS
    TACACS+ Authentication
    Command Authorization with TACACS+
    TACACS+ Attributes
    Authentication and Authorization with RADIUS
    RADIUS Message Types
    RADIUS Attributes
    Features of RADIUS
  Configuring TACACS+
    Using the CLI to Configure AAA Login Authentication on Cisco Routers
    Configuring Cisco Routers to Use TACACS+ Using the Cisco SDM
    Defining the AAA Servers
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms
  Command Reference to Check Your Memory

Chapter 5 Securing the Router
  “Do I Know This Already?” Quiz
  Foundation Topics
  Locking Down the Router
  Identifying Potentially Vulnerable Router Interfaces and Services
  Locking Down a Cisco IOS Router
    AutoSecure
    Cisco SDM One-Step Lockdown
  Using Secure Management and Reporting
  Planning for Secure Management and Reporting
  Secure Management and Reporting Architecture
  Configuring Syslog Support
  Securing Management Traffic with SNMPv3
  Enabling Secure Shell on a Router
  Using Cisco SDM to Configure Management Features
    Configuring Syslog Logging with Cisco SDM
    Configuring SNMP with Cisco SDM
    Configuring NTP with Cisco SDM
    Configuring SSH with Cisco SDM
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms
  Command Reference to Check Your Memory

Part II Constructing a Secure Infrastructure

Chapter 6 Securing Layer 2 Devices
  “Do I Know This Already?” Quiz
  Foundation Topics
  Defending Against Layer 2 Attacks
  Review of Layer 2 Switch Operation
  Basic Approaches to Protecting Layer 2 Switches
  Preventing VLAN Hopping
    Switch Spoofing
    Double Tagging
  Protecting Against an STP Attack
  Combating DHCP Server Spoofing
  Using Dynamic ARP Inspection
  Mitigating CAM Table Overflow Attacks
  Spoofing MAC Addresses
  Additional Cisco Catalyst Switch Security Features
    Using the SPAN Feature with IDS
    Enforcing Security Policies with VACLs
    Isolating Traffic Within a VLAN Using Private VLANs
    Traffic Policing
    Notifying Network Managers of CAM Table Updates
  Port Security Configuration
  Configuration Recommendations
  Cisco Identity-Based Networking Services
  Introduction to Cisco IBNS
  Overview of IEEE 802.1x
  Extensible Authentication Protocols
    EAP-MD5
    EAP-TLS
    PEAP (MS-CHAPv2)
    EAP-FAST
  Combining IEEE 802.1x with Port Security Features
  Using IEEE 802.1x for VLAN Assignment
  Configuring and Monitoring IEEE 802.1x
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms
  Command Reference to Check Your Memory

Chapter 7 Implementing Endpoint Security
  “Do I Know This Already?” Quiz
  Foundation Topics
  Examining Endpoint Security
  Defining Endpoint Security
    Examining Operating System Vulnerabilities
    Examining Application Vulnerabilities
  Understanding the Threat of Buffer Overflows
    Buffer Overflow Defined
    The Anatomy of a Buffer Overflow Exploit
    Understanding the Types of Buffer Overflows
    Additional Forms of Attack
  Securing Endpoints with Cisco Technologies
  Understanding IronPort
    The Architecture Behind IronPort
  Examining the Cisco NAC Appliance
  Working with the Cisco Security Agent
    Understanding Cisco Security Agent Interceptors
    Examining Attack Response with the Cisco Security Agent
  Best Practices for Securing Endpoints
    Application Guidelines
    Apply Application Protection Methods
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Chapter 8 Providing SAN Security
  “Do I Know This Already?” Quiz
  Foundation Topics
  Overview of SAN Operations
  Fundamentals of SANs
  Organizational Benefits of SAN Usage
  Understanding SAN Basics
  Fundamentals of SAN Security
    Classes of SAN Attacks
  Implementing SAN Security Techniques
  Using LUN Masking to Defend Against Attacks
  Examining SAN Zoning Strategies
    Examining Soft and Hard Zoning
  Understanding World Wide Names
  Defining Virtual SANs
    Combining VSANs and Zones
  Identifying Port Authentication Protocols
    Understanding DHCHAP
    CHAP in Securing SAN Devices
  Working with Fibre Channel Authentication Protocol
  Understanding Fibre Channel Password Authentication Protocol
  Assuring Data Confidentiality in SANs
    Incorporating Encapsulating Security Payload (ESP)
    Providing Security with Fibre Channel Security Protocol
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Chapter 9 Exploring Secure Voice Solutions
  “Do I Know This Already?” Quiz
  Foundation Topics
  Defining Voice Fundamentals
  Defining VoIP
  The Need for VoIP
  VoIP Network Components
  VoIP Protocols
  Identifying Common Voice Vulnerabilities
  Attacks Targeting Endpoints
  VoIP Spam
  Vishing and Toll Fraud
  SIP Attack Targets
  Securing a VoIP Network
  Protecting a VoIP Network with Auxiliary VLANs
  Protecting a VoIP Network with Security Appliances
  Hardening Voice Endpoints and Application Servers
  Summary of Voice Attack Mitigation Techniques
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Chapter 10 Using Cisco IOS Firewalls to Defend the Network
  “Do I Know This Already?” Quiz
  Foundation Topics
  Exploring Firewall Technology
  The Role of Firewalls in Defending Networks
  The Advance of Firewall Technology
  Transparent Firewalls
  Application Layer Firewalls
    Benefits of Using Application Layer Firewalls
    Working with Application Layer Firewalls
    Application Firewall Limitations
  Static Packet-Filtering Firewalls
  Stateful Packet-Filtering Firewalls
    Stateful Packet Filtering and the State Table
    Disadvantages of Stateful Filtering
    Uses of Stateful Packet-Filtering Firewalls
  Application Inspection Firewalls
    Application Inspection Firewall Operation
    Effective Use of an Application Inspection Firewall
  Overview of the Cisco ASA Adaptive Security Appliance
  The Role of Firewalls in a Layered Defense Strategy
  Creating an Effective Firewall Policy
  Using ACLs to Construct Static Packet Filters
  The Basics of ACLs
  Cisco ACL Configuration
    Working with Turbo ACLs
    Developing ACLs
  Using the CLI to Apply ACLs to the Router Interface
  Considerations When Creating ACLs
  Filtering Traffic with ACLs
  Preventing IP Spoofing with ACLs
  Restricting ICMP Traffic with ACLs
    Configuring ACLs to Filter Router Service Traffic
    vty Filtering
    SNMP Service Filtering
    RIPv2 Route Filtering
  Grouping ACL Functions
  Implementing a Cisco IOS Zone-Based Firewall
  Understanding Cisco IOS Firewalls
    Traffic Filtering
    Traffic Inspection
    The Role of Alerts and Audit Trails
    Classic Firewall Process
    SPI and CBAC
  Examining the Principles Behind Zone-Based Firewalls
    Changes to Firewall Configuration
    Zone Membership Rules
    Understanding Security Zones
    Zones and Inspection
    Security Zone Restrictions
    Working with Zone Pairs
    Security Zone Firewall Policies
    Class Maps
  Verifying Zone-Based Firewall Configuration
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms
  Command Reference to Check Your Memory

Chapter 11 Using Cisco IOS IPS to Secure the Network
  “Do I Know This Already?” Quiz
  Foundation Topics
  Examining IPS Technologies
  IDS Versus IPS
  IDS and IPS Device Categories
    Detection Methods
    Network-Based Versus Host-Based IPS
    Deploying Network-Based and Host-Based Solutions
  IDS and IPS Appliances
    Cisco IDS 4215 Sensor
    Cisco IPS 4240 Sensor
    Cisco IPS 4255 Sensor
    Cisco IPS 4260 Sensor
  Signatures
    Exploit Signatures
    Connection Signatures
    String Signatures
    Denial-of-Service Signatures
  Signature Definition Files
  Alarms
  Using SDM to Configure Cisco IOS IPS
  Launching the Intrusion Prevention Wizard
  IPS Policies Wizard
  Creating IPS Rules
  Manipulating Global IPS Settings
  Signature Configuration
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Part III Extending Security and Availability with Cryptography and VPNs

Chapter 12 Designing a Cryptographic Solution
  “Do I Know This Already?” Quiz
  Foundation Topics
  Introducing Cryptographic Services
  Understanding Cryptology
    Cryptography Through the Ages
    The Substitution Cipher
    The Vigenère Cipher
    Transposition Ciphers
    Working with the One-Time Pad
    The Encryption Process
    Cryptanalysis
    Understanding the Features of Encryption Algorithms
  Symmetric and Asymmetric Encryption Algorithms
    Encryption Algorithms and Keys
    Symmetric Encryption Algorithms
    Asymmetric Encryption Algorithms
  The Difference Between Block and Stream Ciphers
    Block Ciphers
    Stream Ciphers
  Exploring Symmetric Encryption
  Functionality of Symmetric Encryption Algorithms
    Key Lengths
  Features and Functions of DES
    Working with the DES Key
    Modes of Operation for DES
    Working with DES Stream Cipher Modes
    Usage Guidelines for Working with DES
    Understanding How 3DES Works
    Encrypting with 3DES
  AES
    The Rijndael Cipher
    Comparing AES and 3DES
    Availability of AES in the Cisco Product Line
  SEAL
    SEAL Restrictions
  The Rivest Ciphers
  Understanding Security Algorithms
  Selecting an Encryption Algorithm
  Understanding Cryptographic Hashes
  Working with Hashing
  Designing Key Management
    Components of Key Management
    Understanding Keyspaces
    Issues Related to Key Length
  SSL VPNs
  Establishing an SSL Tunnel
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Chapter 13 Implementing Digital Signatures
  “Do I Know This Already?” Quiz
  Foundation Topics
  Examining Hash Algorithms
  Exploring Hash Algorithms and HMACs
    Anatomy of a Hash Function
    Application of Hash Functions
    Cryptographic Hash Functions
    Application of Cryptographic Hashes
    HMAC Explained
  MD5 Features and Functionality
    Origins of MD5
    Vulnerabilities of MD5
    Usage of MD5
  SHA-1 Features and Functionality
    Overview of SHA-1
    Vulnerabilities of SHA-1
    Usage of SHA-1
  Using Digital Signatures
  Understanding Digital Signatures
    Digital Signature Scheme
    Authentication and Integrity
  Examining RSA Signatures
    Exploring the History of RSA
    Understanding How RSA Works
    Encrypting and Decrypting Messages with RSA
    Signing Messages with RSA
    Vulnerabilities of RSA
  Exploring the Digital Signature Standard
    Using the DSA Algorithm
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Definition of Key Terms

Chapter 14 Exploring PKI and Asymmetric Encryption
  “Do I Know This Already?” Quiz
  Foundation Topics
  Understanding Asymmetric Algorithms
  Exploring Asymmetric Encryption Algorithms
    Using Public-Key Encryption to Achieve Confidentiality
    Providing Authentication with a Public Key
  Understanding the Features of the RSA Algorithm
    Working with RSA Digital Signatures
    Guidelines for Working with RSA
  Examining the Features of the Diffie-Hellman Key Exchange Algorithm
    Steps of the Diffie-Hellman Key Exchange Algorithm
  Working with a PKI
  Examining the Principles Behind a PKI
    Understanding PKI Terminology
    Components of a PKI
    Classes of Certificates
    Examining the PKI Topology of a Single Root CA
    Examining the PKI Topology of Hierarchical CAs
    Examining the PKI Topology of Cross-Certified CAs
    Understanding PKI Usage and Keys
    Working with PKI Server Offload
  Understanding PKI Standards
    Understanding X.509v3
    Understanding Public Key Cryptography Standards (PKCS)
    Understanding Simple Certificate Enrollment Protocol (SCEP)
  Exploring the Role of Certificate Authorities and Registration Authorities in a PKI
    Examining Identity Management
    Retrieving the CA Certificate
    Understanding the Certificate Enrollment Process
 Examining Authentication Using Certificates   Examining Features of Digital Certificates and CAs  Understanding the Caveats of Using a PKI   Understanding How Certificates Are Employed Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 15 Building a Site-to-Site IPsec VPN Solution “Do I Know This Already?” Quiz Foundation Topics Exploring the Basics of IPsec Introducing Site-to-Site VPNs Overview of IPsec IKE Modes and Phases Authentication Header and Encapsulating Security Payload Cisco VPN Product Offerings   Cisco VPN-Enabled Routers and Switches   Cisco VPN 3000 Series Concentrators   Cisco ASA 5500 Series Appliances   Cisco 500 Series PIX Security Appliances   Hardware Acceleration Modules VPN Design Considerations and Recommendations   Best-Practice Recommendations for Identity and IPsec Access Control   Best-Practice Recommendations for IPsec   Best-Practice Recommendations for Network Address Translation   Best-Practice Recommendations for Selecting a Single-Purpose Versus   Multipurpose Device Constructing an IPsec Site-to-Site VPN The Five Steps in the Life of an IPsec Site-to-Site VPN The Five Steps of Configuring an IPsec Site-to-Site VPN Configuring an IKE Phase 1 Tunnel Configuring an IKE Phase 2 Tunnel Applying Crypto Maps Using Cisco SDM to Configure IPsec on a Site-to-Site VPN Introduction to the Cisco SDM VPN Wizard Quick Setup Step-by-Step Setup   Configuring Connection Settings   Selecting an IKE Proposal   Selecting a Transform Set   Selecting Traffic to Protect in the IPsec Tunnel   Applying the Generated Configuration   Monitoring the Configuration Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Command Reference to Check Your Memory Part IV Final Preparation Chapter 16 Final Preparation Exam Engine and Questions on the CD Install the Software from the CD Activate and Download the Practice Exam Activating 
Other Exams Study Plan Recall the Facts Use the Exam Engine   Choosing Study or Simulation Mode   Passing Scores for the IINS Exam Part V Appendixes Appendix A Answers to “Do I Know This Already?” Questions Appendix B Glossary Appendix C CCNA Security Exam Updates: Version 1.0 Appendix D Memory Tables (CD only) Appendix E Memory Tables Answer Key (CD only) 1587202204   TOC 5/19/2008