Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide

by Catherine Paquet




Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide Second Edition

Foundation learning for the CCNA Security IINS 640-554 exam

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is a Cisco-authorized, self-paced learning tool for CCNA® Security 640-554 foundation learning. This book provides you with the knowledge needed to secure Cisco® networks. By reading this book, you will gain a thorough understanding of how to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.

This book focuses on using Cisco IOS routers to protect the network by capitalizing on their advanced features as a perimeter router, firewall, intrusion prevention system, and site-to-site VPN device. The book also covers the use of Cisco Catalyst switches for basic network security, the Cisco Secure Access Control System (ACS), and the Cisco Adaptive Security Appliance (ASA). You learn how to perform basic tasks to secure a small branch office network using Cisco IOS security features available through web-based GUIs (Cisco Configuration Professional) and the CLI on Cisco routers, switches, and ASAs.

Whether you are preparing for CCNA Security certification or simply want to gain a better understanding of Cisco IOS security fundamentals, you will benefit from the information provided in this book.

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition, is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit

— Develop a comprehensive network security policy to counter threats against information security

— Secure borderless networks

— Learn how to use Cisco IOS Network Foundation Protection (NFP) and Cisco Configuration Professional (CCP)

— Securely implement the management and reporting features of Cisco IOS devices

— Deploy Cisco Catalyst Switch security features

— Understand IPv6 security features

— Plan threat control strategies

— Filter traffic with access control lists

— Configure ASA and Cisco IOS zone-based firewalls

— Implement intrusion prevention systems (IPS) and network address translation (NAT)

— Secure connectivity with site-to-site IPsec VPNs and remote access VPNs

This volume is in the Foundation Learning Guide Series offered by Cisco Press®. These guides are developed together with Cisco as the only authorized, self-paced learning tools that help networking professionals build their understanding of networking concepts and prepare for Cisco certification exams.

Category: Cisco Certification

Covers: CCNA Security IINS exam 640-554

Product Details

ISBN-13: 9781587142727
Publisher: Cisco Press
Publication date: 12/14/2012
Series: Foundation Learning Guides Series
Pages: 742
Product dimensions: 7.70(w) x 9.20(h) x 1.80(d)

About the Author

Catherine Paquet is a practitioner in the field of internetworking, network security, and security financials. She has authored or contributed to ten books thus far with Cisco Press. Catherine has in-depth knowledge of security systems, remote access, and routing technology. She is a Cisco Certified Network Professional (CCNP) and a CCNP Security. Catherine is also a Cisco IronPort Certified Security Instructor (CICSI) and a Certified Cisco Systems Instructor (CCSI) with Cisco’s largest training partner, Global Knowledge, Inc. She also works on IT security projects and implementations for different organizations on a part-time basis. Following her university graduation from the Collège Militaire Royal de St-Jean (Canada), Catherine worked as a system analyst, LAN manager, MAN manager, and eventually as a WAN manager. Later, she received a master’s degree in business administration (MBA) with a specialty in management information systems (MIS) from York University.

Catherine has lectured for the Computer Security Institute and for Cisco Systems (Emerging Markets) on the topic of the business case for network security. In 2002 and 2003, she volunteered with the U.N. mission in Kabul, Afghanistan, to train Afghan public servants in the area of networking.

Catherine lives in Toronto with her husband. They have two children, who are both attending college.

Table of Contents

Introduction xxviii

Part I Networking Security Fundamentals

Chapter 1 Network Security Concepts and Policies 1

Building Blocks of Information Security 2

Basic Security Assumptions 2

Basic Security Requirements 2

Data, Vulnerabilities, and Countermeasures 3

Data Classification 4

Vulnerabilities Classifications 7

Countermeasures Classification 8

Need for Network Security 12

Intent Evolution 13

Threat Evolution 14

Trends Affecting Network Security 16

Adversaries, Methodologies, and Classes of Attack 19

Adversaries 20

Methodologies 21

Threats Classification 23

Man-in-the-Middle Attacks 32

Overt and Covert Channels 33

Botnets 37

DoS and DDoS Attacks 37

Principles of Secure Network Design 39

Defense in Depth 41

Evaluating and Managing the Risk 42

Levels of Risks 43

Risk Analysis and Management 44

Risk Analysis 44

Building Blocks of Risk Analysis 47

A Lifecycle Approach to Risk Management 49

Regulatory Compliance 50

Security Policies 53

Security Policy Components 55

Governing Policy 56

End-User Policies 57

Technical Policies 57

Standards, Guidelines, and Procedures 59

Security Policy Roles and Responsibilities 61

Security Awareness 62

Secure Network Lifecycle Management 63

IT Governance, Risk Management, and Compliance 64

Secure Network Life Cycle 64

Initiation Phase 65

Acquisition and Development Phase 65

Implementation Phase 66

Operations and Maintenance Phase 67

Disposition Phase 67

Models and Frameworks 67

Network Security Posture 69

Network Security Testing 70

Security Testing Techniques 70

Common Testing Tools 71

Incident Response 72

Incident Management 73

Computer Crime Investigations 74

Laws and Ethics 75

Liability 76

Disaster Recovery and Business Continuity Planning 77

Business Continuity Concepts 78

Summary 79

References 79

Publications 79

Web Resources 80

Review Questions 80

Chapter 2 Security Strategy and Cisco Borderless Network 85

Borderless Networks 85

Cisco Borderless Network Security Architecture 86

Borderless End Zone 88

Borderless Internet 89

Borderless Data Center 90

Policy Management Layer 91

Borderless Network Services 91

Borderless Security Products 92

SecureX, a Context-Aware Security Approach 93

SecureX Core Components 94

Threat Control and Containment 98

Cisco Security Intelligence Operation 99

Cloud Security, Content Security, and Data Loss Prevention 100

Content Security 101

Data Loss Prevention 101

Cloud-Based Security 101

Web Security 101

Email Security 104

Secure Connectivity Through VPNs 105

Security Management 106

Cisco Security Manager 107

Summary 108

References 108

Review Questions 109

Part II Protecting the Network Infrastructure

Chapter 3 Network Foundation Protection and Cisco Configuration Professional 111

Threats Against the Network Infrastructure 112

Cisco NFP Framework 114

Control Plane Security 118

CoPP 119

CPPr 119

Traffic Classes 120

Routing Protocol Integrity 121

Cisco AutoSecure 122

Management Plane Security 123

Secure Management and Reporting 124

Role-Based Access Control 126

Deploying AAA 127

Data Plane Security 128

Access Control List Filtering 128

Cisco Configuration Professional 131

CCP Initial Configuration 133

Cisco Configuration Professional User Interface and Features 136

Menu Bar 136

Toolbar 138

Navigation Pane 138

Content Pane 142

Status Bar 142

Cisco Configuration Professional Building Blocks 142

Communities 142

Creating Communities 143

Managing Communities 144

Templates 145

User Profiles 147

Using CCP to Harden Cisco IOS Devices 148

Security Audit 149

One-Step Lockdown 152

Cisco IOS AutoSecure 152

Summary 154

References 155

Review Questions 155

Chapter 4 Securing the Management Plane on Cisco IOS Devices and AAA 159

Configuring Secure Administration Access 159

Configuring an SSH Daemon for Secure Management Access 161

Configuring Passwords on Cisco IOS Devices 163

Setting Timeouts for Router Lines 164

Configuring the Minimum Length for Router Passwords 165

Enhanced Username Password Security 166

Securing ROM Monitor 167

Securing the Cisco IOS Image and Configuration Files 168

Configuring Multiple Privilege Levels 170

Configuring Role-Based Command-Line Interface Access 171

Implementing Secure Management and Reporting 174

Planning Considerations for Secure Management and Reporting 175

Secure Management and Reporting Architecture 176

Secure Management and Reporting Guidelines 176

Enabling Time Features 176

Network Time Protocol 177

Using Syslog Logging for Network Security 178

Implementing Log Messaging for Security 179

Using SNMP to Manage Network Devices 182

SNMPv3 Architecture 183

Enabling SNMP Options Using Cisco CCP 185

Configuring AAA on a Cisco Router 186

Authentication, Authorization, and Accounting 186

Authenticating Router Access 188

Configuring AAA Authentication and Method Lists 190

Configuring AAA on a Cisco Router Using the Local Database 191

Configuring AAA Local Authentication 192

AAA on a Cisco Router Using Cisco Secure ACS 198

Cisco Secure ACS Overview 198

Cisco Identity Services Engine 204

TACACS+ and RADIUS Protocols 205

Comparing TACACS+ and RADIUS 206

AAA on a Cisco Router Using an External Database 208

Configuration Steps for AAA Using an External Database 208

AAA Servers and Groups 208

AAA Authentication Method Lists 210

AAA Authorization Policies 211

AAA Accounting Policies 213

AAA Configuration for TACACS+ Example 215

Troubleshooting TACACS+ 216

Deploying and Configuring Cisco Secure ACS 218

Evolution of Authorization 219

Before: Group-Based Policies 219

Now: More Than Just Identities 220

Rule-Based Policies 222

Configuring Cisco Secure ACS 5.2 223

Configuring Authorization Policies for Device Administration 224

Summary 230

References 230

Review Questions 231

Chapter 5 Securing the Data Plane on Cisco Catalyst Switches 233

Overview of VLANs and Trunking 234

Trunking and 802.1Q 235

802.1Q Tagging 236

Native VLANs 237

Configuring VLANs and Trunks 237

Step 1: Configuring and Verifying 802.1Q Trunks 238

Step 2: Creating a VLAN 240

Step 3: Assigning Switch Ports to a VLAN 242

Step 4: Configuring Inter-VLAN Routing 243

Spanning Tree Overview 244

STP Fundamentals 245

Verifying RSTP and PVRST+ 248

Mitigating Layer 2 Attacks 249

Basic Switch Operation 249

Layer 2 Best Practices 250

Layer 2 Protection Toolkit 250

Mitigating VLAN Attacks 251

VLAN Hopping 251

Mitigating Spanning Tree Attacks 254

PortFast 255

Mitigating CAM Table Overflow Attacks 259

Mitigating MAC Address Spoofing Attacks 260

Using Port Security 261

Errdisable Recovery 263

Summary 270

References 271

Review Questions 271

Chapter 6 Securing the Data Plane in IPv6 Environments 275

The Need for IPv6 275

IPv6 Features and Enhancements 278

IPv6 Headers 279

Stateless Address Autoconfiguration 280

Internet Control Message Protocol Version 6 281

IPv6 General Features 282

Transition to IPv6 283

IPv6 Addressing 285

IPv6 Address Representation 285

IPv6 Address Types 286

IPv6 Unicast Addressing 286

Assigning IPv6 Global Unicast Addresses 291

Manual Interface Assignment 291

EUI-64 Interface ID Assignment 291

Stateless Autoconfiguration 292

DHCPv6 (Stateful) 292

IPv6 EUI-64 Interface Identifier 292

IPv6 and Cisco Routers 293

IPv6 Address Configuration Example 294

Routing Considerations for IPv6 294

Revisiting Threats: Considerations for IPv6 295

Examples of Possible IPv6 Attacks 298

Recommended Practices 300

Summary 301

References 301

Review Questions 302

Part III Threat Control and Containment

Chapter 7 Planning a Threat Control Strategy 305

Threats Revisited 305

Trends in Network Security Threats 306

Threat Mitigation and Containment: Design Fundamentals 307

Threat Control Design Guidelines 308

Application Layer Visibility 309

Distributed Security Intelligence 309

Security Intelligence Analysis 310

Integrated Threat Control Strategy 311

Cisco Threat Control and Containment Categories 311

Integrated Approach to Threat Control 312

Application Awareness 313

Application-Specific Gateways 313

Security Management 313

Cisco Security Intelligence Operations Site 313

Cisco Threat Control and Containment Solutions Fundamentals 314

Cisco Security Appliances 314

Cisco IPSs 316

Summary 317

References 318

Review Questions 318

Chapter 8 Access Control Lists for Threat Mitigation 319

ACL Fundamentals 320

Types of IP ACLs 324

ACL Wildcard Masking and VLSM Review 325

Subnetting Overview 326

Subnetting Example: Class C 326

Subnetting Example 327

Variable-Length Subnet Masking 328

A Working VLSM Example 329

ACL Wildcard Bits 331

Example: Wildcard Masking Process for IP Subnets 332

Example: Wildcard Masking Process with a Single IP Address 333

Example: Wildcard Masking Process with a Match Any IP Address 334

Using ACLs to Control Traffic 335

Example: Numbered Standard IPv4 ACL–Deny a Specific Subnet 336

Numbered Extended IPv4 ACL 338

Displaying ACLs 342

Enhancing ACLs with Object Groups 343

ACL Considerations 345

Configuring ACLs for Threat Control Using Cisco Configuration Professional 347

Rules in Cisco Configuration Professional 347

Working with ACLs in CCP 348

ACL Editor 349

Adding Rules 350

Associating Rules with Interfaces 352

Enabling Logging with CCP 354

Monitoring ACLs with CCP 356

Configuring an Object Group with CCP 357

Using ACLs in IPv6 Environments 360

Summary 363

References 364

Review Questions 364

Chapter 9 Firewall Fundamentals and Network Address Translation 367

Introducing Firewall Technologies 367

Firewall Fundamentals 367

Firewalls in a Layered Defense Strategy 370

Static Packet-Filtering Firewalls 372

Application Layer Gateways 374

Dynamic or Stateful Packet-Filtering Firewalls 378

Other Types of Firewalls 382

Application Inspection Firewalls, aka Deep Packet Inspection 382

Transparent Firewalls (Layer 2 Firewalls) 383

NAT Fundamentals 384

Example of Translating an Inside Source Address 387

NAT Deployment Choices 389

Firewall Designs 390

Firewall Policies in a Layered Defense Strategy 391

Firewall Rules Design Guidelines 392

Summary 394

References 394

Review Questions 394

Chapter 10 Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA 397

Cisco Firewall Solutions 398

Cisco IOS Zone-Based Policy Firewall 398

Zone-Based Policy Firewall Overview 398

Zones and Zone Pairs 402

Self Zone 402

Zone-Based Topology Examples 403

Introduction to Cisco Common Classification Policy Language 403

Zone-Based Policy Firewall Actions 407

Service Policy Zone Pair Assignments 408

Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction 408

Zone-Based Policy Firewall: Rules for Router Traffic 409

Configuring Basic Interzone Policies Using CCP and the CLI 411

Step 1: Start the Basic Firewall Wizard 412

Step 2: Select Trusted and Untrusted Interfaces 413

Step 3: Review and Verify the Resulting Policies 416

Verifying and Tuning the Configuration 416

Step 4: Enabling Logging 417

Step 5: Verifying Firewall Status and Activity 419

Step 6: Modifying Zone-Based Firewall Configuration Objects 420

Step 7: Verifying the Configuration Using the CLI 421

Configuring NAT Services for Zone-Based Firewalls 422

Step 1: Run the Basic NAT Wizard 423

Step 2: Select NAT Inside and Outside Interfaces 424

Step 3: Verify NAT with CCP and the CLI 426

Cisco ASA Firewall 427

Stateful Packet Filtering and Application Awareness 427

Network Services Offered by the Cisco ASA 5500 Series 428

Network Address Translation 428

Additional Network Services 431

Cisco ASA Security Technologies 431

Cisco ASA Configuration Fundamentals 432

Cisco ASA 5505 435

Cisco ASDM 436

Preparing the Cisco ASA 5505 for ASDM 437

Cisco ASDM Features and Menus 438

Cisco Modular Policy Framework 443

Class Map: Identifying Traffic on Which a Policy Will Be Enforced 443

Policy Map: Configuring the Action That Will Be Applied to the Traffic 444

Service Policy: Activating the Policy 444

Cisco ASA Modular Policy Framework: Simple Example 445

Basic Outbound Access Control on Cisco ASA Using Cisco ASDM 446

Scenario Configuration Steps Using Cisco ASDM 446

Summary 461

References 462

Resources 462

Other Resources 462

CCP and ASDM Demo Mode Tutorials 462

Review Questions 463

Chapter 11 Intrusion Prevention Systems 467

IPS Fundamentals 467

Introducing IDS and IPS 467

So, IDS or IPS? Why Not Both? 473

Alarm Types 474

Intrusion Prevention Technologies 475

Signature-Based IDS/IPS 476

Policy-Based IDS/IPS 477

Anomaly-Based IDS/IPS 477

Reputation-Based IPS 478

IPS Attack Responses 478

IPS Anti-Evasion Techniques 480

Risk-Based Intrusion Prevention 482

IPv6-Aware IPS 484

Alarms 484

IPS Alarms: Event Monitoring and Management 485

Global Correlation 486

IPS Deployment 488

Cisco IPS Offerings 490

IPS Best Practices 492

Cisco IPS Architecture 494

Cisco IOS IPS 495

Cisco IOS IPS Features 495

Scenario: Protecting the Branch Office Against Inside Attack 497

Signatures 497

Signature Files 498

Signature Management 500

Examining Signature Microengines 500

Signature Tuning 502

Optimal Signature Set 504

Monitoring IPS Alarms and Event Management 505

Configuring Cisco IOS IPS Using Cisco Configuration Professional 507

Step 1: Download Cisco IOS IPS Signature Package 508

Step 2: Launch IPS Policies Wizard 509

Step 3: Verify Configuration and Signature Files 515

Step 4: Perform Signature Tuning 517

Step 5: Verify Alarms 521

Configuring Cisco IOS IPS Using the CLI 524

Summary 529

References 530

Resources 530

General IDS/IPS Resource 530

Review Questions 530

Part IV Secure Connectivity

Chapter 12 Fundamentals of Cryptography and VPN Technologies 533

VPN Overview 534

VPN Types 535

Site-to-Site VPNs 536

Remote-Access VPNs 537

Examining Cryptographic Services 538

Cryptology Overview 538

The History of Cryptography 540

Ciphers 540

Block and Stream Ciphers 547

Block Ciphers 547

Stream Ciphers 548

The Process of Encryption 549

Encryption Application Examples 550

Cryptanalysis 551

Desirable Encryption Algorithm Features 554

Key Management 555

Key Management Components 555

Keyspaces 556

Key Length Issues 556

Example of the Impact of Key Length 557

Symmetric and Asymmetric Encryption Overview 557

Symmetric Encryption Algorithms 558

Comparing Symmetric Encryption Algorithms 560

DES Modes of Operation 561

DES Security Guidelines 561

The Rijndael Cipher 563

AES Versus 3DES 564

Asymmetric Encryption Algorithms 565

Public Key Confidentiality 566

Encryption Algorithm Selection 567

Cryptographic Hashes and Digital Signatures 568

Hashing Algorithms 571

MD5 572

SHA-1 572

SHA-2 573

Hashed Message Authentication Codes 573

Overview of Digital Signatures 575

Digital Signatures = Encrypted Message Digest 578

Diffie-Hellman 579

Diffie-Hellman Example 581

Cryptographic Processes in VPNs 582

Asymmetric Encryption: Digital Signatures 583

Asymmetric Encryption Overview 583

Public Key Authentication 584

RSA and Digital Signatures 585

Public Key Infrastructure 587

PKI Terminology and Components 589

Certificate Classes 590

Certificate Authorities 590

PKI Standards 593

Certificate Revocation 599

Certificate Use 600

Digital Certificates and CAs 601

Summary 602

References 603

Books and Articles 603

Standards 603

Encryption Regulations 603

Review Questions 604

Chapter 13 IPsec Fundamentals 609

IPsec Framework 609

Suite B Cryptographic Standard 611

Encryption Algorithms 612

Key Exchange: Diffie-Hellman 613

Data Integrity 614

Authentication 615

IPsec Protocol 616

Authentication Header 618

Encapsulating Security Payload 619

IPsec Modes of Operations 620

Transport Mode 621

Tunnel Mode 621

IKE Protocol 622

IKEv1 Modes 624

IKEv1 Phases 625

IKEv1 Phase 1 625

IKEv1 Phase 1 Example 626

IKEv1 Phase 2 631

IKE Version 2 632

IKEv1 Versus IKEv2 633

IPv6 VPNs 635

IPsec Services for Transitioning to IPv6 636

Summary 637

References 637

Books 637

Resources 637

Review Questions 637

Chapter 14 Site-to-Site IPsec VPNs with Cisco IOS Routers 641

Site-to-Site IPsec: Planning and Preparation 641

Site-to-Site IPsec VPN Operations 642

Planning and Preparation Checklist 643

Building Blocks of Site-to-Site IPsec 643

Interesting Traffic and Crypto ACLs 643

Mirrored Crypto ACLs 644

Cipher Suite 645

Crypto Map 646

Configuring a Site-to-Site IPsec VPN Using CCP 647

Initiating the VPN Wizard 647

VPN Connection Information 649

IKE Proposals 652

Transform Set 653

Traffic to Protect 654

Configuration Summary 656

Creating a Mirror Configuration for the Peer Site 657

Verifying the IPsec Configuration Using CCP and CLI 658

Verifying IPsec Configuration Using CLI 658

Verifying IKE Policy Using the CLI 659

Verifying IKE Phase 2 Policy Using the CLI 660

Verifying Crypto Maps Using the CLI 660

Monitoring Established IPsec VPN Connections 661

IKE Policy Negotiation 662

VPN Troubleshooting 662

Monitoring IKE Security Association 664

Monitoring IPsec Security Association 664

Summary 665

References 666

Review Questions 666

Chapter 15 SSL VPNs with Cisco ASA 669

SSL VPNs in Borderless Networks 670

Cisco SSL VPN 671

SSL and TLS Protocol Framework 672

SSL and TLS 673

SSL Cryptography 674

SSL Tunnel Establishment 675

SSL Tunnel Establishment Example 676

Cisco SSL VPN Deployment Options and Considerations 679

Cisco SSL VPN Client: Full Network Access 681

SSL VPN on Cisco ASA in Clientless Mode 683

Clientless Configuration Scenario 683

Task 1: Launch the Clientless SSL VPN Wizard from ASDM 684

Task 2: Configure the SSL VPN Interface 684

Task 3: Configure User Authentication 686

Task 4: Configure User Group Policy 686

Task 5: Configure a Bookmark List 687

Task 6: Verify the Clientless SSL VPN Wizard Configuration 690

Log In to the VPN Portal: Clientless SSL VPN 690

SSL VPN on ASA Using the Cisco AnyConnect VPN Client 692

Cisco AnyConnect Configuration Scenario 693

Phase 1: Configure Cisco ASA for Cisco AnyConnect 693

Task 1: Connection Profile Identification 694

Task 2: VPN Protocols and Device Certificate 695

Task 3: Client Image 696

Task 4: Authentication Methods 697

Task 5: Client Address Assignment 698

Task 6: Network Name Resolution Servers 700

Task 7: Network Address Translation Exemption 700

Task 8: AnyConnect Client Deployment Summary 702

Phase 2: Configure the Cisco AnyConnect VPN Client 702

Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client 706

Verifying VPN Connectivity from Cisco ASA 706

Summary 707

References 708

Review Questions 708

Appendix A Answers to Chapter Review Questions 711

9781587142727 TOC 10/16/2012
