CCBOOTCAMP's Study Guide for the Cisco CCIE Security 4.0 Written Exam

For questions: www.securityie.com cciesecurityv4

Authors: Brad Ellis, Edwin Marin

Copyright © 2014 Network Learning, Inc.

Published by:
CCBOOTCAMP (Cisco Learning Solutions Partner)
375 N Stephanie Building 21
Henderson, NV 89014 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

Warning and Disclaimer

This book is designed to provide information about the Cisco CCIE Security written exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, editors, and CCBOOTCAMP shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the authors and are not necessarily those of CCBOOTCAMP.

Trademark Acknowledgements

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. CCBOOTCAMP cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated

Feedback Information

At CCBOOTCAMP our goal is to create advanced technical material of the highest quality and value.
Each book is authored with attention to detail, undergoing strenuous development that involves input from a variety of technical experts. For technical support on this book, please visit: www.securityie.com

Readers' feedback is a natural part of this process. If you have any comments regarding how we could improve the quality of our materials, or otherwise change them to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN number in your message. Also, feel free to visit our website, www.ccbootcamp.com, for information on many more great products!

Thank you for your input.

About the contributors

Author – Brad Ellis
Brad Ellis (CCIE #5796, CCSI #30482, CSS1, CCDP, CCNP, MCNE, MCSE) works as a network engineer and is CEO of CCBOOTCAMP. He has been dedicated to the networking industry for over 12 years. Brad has worked on large-scale security assessments and infrastructure projects. He is currently focusing his efforts in the security and voice fields. Brad is a dual CCIE (R&S / Security) #5796.

Contributing Author – Edwin Marin
Edwin Marin (CCNP Security, CCDA, CCNA) is a full-time instructor and Network Operations Manager for CCBOOTCAMP, a training subsidiary of Network Learning, Inc. Edwin has over 10 years of LAN/WAN/MAN experience. While at CCBOOTCAMP he upgraded the version 3 security technology infrastructure to meet the requirements of version 4. These upgrades included: ASA 8.4, IPS 4200, ACS 5, IronPort, ISE, and more.
Table of Contents

Introduction ..... xxiv

Chapter 1 Security Protocols ..... 1
  Authentication, Authorization and Accounting ..... 1
  AAA Overview ..... 1
  Overview: AAA Security Services ..... 1
  AAA Terminology ..... 3
  Benefits of Using AAA ..... 3
  AAA Configuration Process – Overview ..... 4
  AAA Request for Comments (RFCs) ..... 4
  Remote Authentication Dial-In User Service (RADIUS) ..... 4
  Introduction ..... 4
  Background Information ..... 5
  Authentication and Authorization ..... 6
  Accounting ..... 7
  RADIUS Packet Format ..... 7
  RADIUS Packet Types ..... 8
  RADIUS Files ..... 9
  RADIUS Attributes ..... 9
  IETF Attributes vs. VSAs ..... 23
  RADIUS Configuration Task List ..... 24
  AAA and RADIUS IOS Configuration ..... 25
  Named Method Lists for Authorization ..... 26
  Terminal Access Controller Access Control System Plus (TACACS+) ..... 27
  Introduction ..... 27
  TACACS+ Packet Format ..... 27
  TACACS+ Encryption ..... 29
  TACACS+ Authentication ..... 29
  TACACS+ Authentication Example Sequence ..... 30
  TACACS+ Authorization ..... 30
  TACACS+ Authentication and Authorization Attributes ..... 31
  TACACS+ Accounting ..... 38
  TACACS+ Accounting Attributes ..... 39
  Attribute ..... 39
  RADIUS and TACACS+ Compared ..... 43
  Web Cache Communication Protocol (WCCP) ..... 43
  SGT Exchange Protocol over TCP (SXP) ..... 44
  MACsec ..... 46
  Downlink MACsec ..... 48
  Uplink MACsec ..... 49
  Domain Name System Security Extensions (DNSSEC) ..... 50
  Records ..... 50
  Cryptographic Algorithms ..... 51
  Introduction ..... 51
  Symmetric Algorithms ..... 52
  Types ..... 53
  Computation Speed ..... 53
  Asymmetric Algorithms ..... 53
  Postal System – An Analogy ..... 53
  Hash Functions ..... 54
  Digital Signatures ..... 54
  Advanced Encryption Standard (AES) ..... 54
  How Secure Is AES? ..... 55
  Performance ..... 55
  Further Reading – AES RFCs and Books ..... 55
  Data Encryption Standard (DES) ..... 56
  Triple DES (3DES) ..... 56
  Performance ..... 56
  Wireless Security Protocols ..... 57
  Introduction ..... 57
  Extensible Authentication Protocol (EAP) ..... 57
  EAP Packet Format ..... 57
  EAP Message Types ..... 57
  EAP Flavors ..... 58
  EAP-FAST (TEAP) ..... 58
  Protected Extensible Authentication Protocol (PEAP) ..... 58
  Temporal Key Integrity Protocol (TKIP) ..... 58
  802.11i ..... 59
  VPN Protocols ..... 59
  Introduction ..... 59
  Virtual Private Networks Defined ..... 60
  Virtual Private Networks Goals ..... 61
  Types of Virtual Private Networks ..... 62
  VPN Types – Based on Security ..... 62
  VPN Types – Based on Business Model ..... 63
  VPN Types – Based on the OSI Model ..... 63
  VPN Types – Based on Network Connectivity and End-Points ..... 64
  Benefits of Virtual Private Networks ..... 65
  VPN Security Protocols – IPsec ..... 66
  IPsec Standards and Protocols ..... 67
  IPsec Terminology ..... 67
  Anti-Replay ..... 67
  Data Authentication ..... 68
  Data Confidentiality ..... 68
  Data Flow ..... 68
  Peer ..... 68
  Perfect Forward Secrecy (PFS) ..... 68
  Security Association ..... 69
  Security Parameter Index (SPI) ..... 69
  Transform ..... 69
  Tunnel ..... 69
  IPsec Functionality ..... 70
  IPsec Modes and Packet Encapsulation ..... 71
  Encapsulating Security Payload (ESP) ..... 71
  Authentication Header (AH) ..... 72
  Tunnel Mode ..... 73
  Transport Mode ..... 74
  Authentication Header vs. ESP ..... 74
  Further Reading ..... 75
  VPN Security Protocols – Internet Key Exchange (IKE) ..... 75
  IKE Benefits ..... 76
  IKE Protocols ..... 76
  IKE Phases ..... 77
  IKE Main Mode and Aggressive Mode ..... 77
  IKE Authentication ..... 78
  IKEv2 ..... 79
  Creating IKE Policies ..... 80
  Diffie-Hellman ..... 81
  IPsec and Fragmentation ..... 82
  IPsec and GRE ..... 83
  IPsec and QoS ..... 84
  Point-to-Point Tunneling Protocol ..... 86
  Configuration Summary: PPTP ..... 86
  Configuration Sample: Basic PAC Setup ..... 87
  Layer 2 Tunneling Protocol ..... 88
  L2TP Benefits ..... 89
  L2TP Implementation Topologies ..... 90
  L2TP Security ..... 90
  Multiprotocol Label Switching (MPLS) ..... 94
  Forwarding Equivalence Class (FEC) ..... 95
  Architectural Blocks of MPLS ..... 95
  Control Plane ..... 95
  Data Plane ..... 95
  Label Switch Router (LSR) ..... 95
  Label Switched Path (LSP) ..... 96
  Label Definition ..... 97
  Label Format ..... 97
  Label Imposition/Disposition ..... 98
  Penultimate Hop Popping ..... 98
  Label Allocation in Frame-Mode MPLS Networks ..... 99
  Label Allocation in Cell-Mode MPLS Networks ..... 100
  Label Distribution ..... 100
  Label Distribution Protocol (LDP) ..... 101
  MPLS Virtual Private Networks ..... 101
  VPN Operation ..... 102
  VPN Route Target Communities ..... 102
  MPLS Forwarding ..... 103
  Route Distinguisher (RD) ..... 104
  MPLS VPN Virtual Routing/Forwarding Tables ..... 106
  Distribution of VPN Routing Information in an MPLS VPN ..... 107
  BGP Distribution of VPN Routing Information ..... 107
  MPLS Forwarding ..... 108
  Major Components of MPLS VPNs ..... 108
  Mobile IP ..... 112
  Components of a Mobile IP Network ..... 113
  How Mobile IP Works ..... 114
  Agent Discovery ..... 114
  Registration ..... 115
  Tunneling ..... 116
  Security ..... 118
  Solution to Network Mobility ..... 118
  Chapter 1 Questions ..... 119
  Chapter 1 Answers ..... 134

Chapter 2 Application Protocols ..... 136
  Domain Name System (DNS) ..... 136
  Trivial File Transfer Protocol (TFTP) ..... 139
  File Transfer Protocol (FTP) ..... 141
  Hypertext Transfer Protocol (HTTP) ..... 142
  Secure Sockets Layer (SSL) ..... 145
  Simple Mail Transfer Protocol (SMTP) ..... 146
  Network Time Protocol (NTP) ..... 149
  Secure Shell (SSH) ..... 151
  Simple Network Management Protocol (SNMP) ..... 154
  Netlogon, NetBIOS, and SMB ..... 156
  Remote Procedure Call (RPC) ..... 157
  Lightweight Directory Access Protocol (LDAP) ..... 158
  Active Directory ..... 158
  Remote Desktop ..... 159
  Remote Desktop Protocol (RDP) ..... 159
  Virtual Network Computing (VNC) ..... 159
  PC-over-IP (PCoIP) ..... 160
  Remote Data Exchange Protocol (RDEP) ..... 160
  OWASP ..... 160
  OWASP CSRF Guard ..... 160
  Unnecessary Services ..... 161
  Chapter 2 Questions ..... 162
  Chapter 2 Answers ..... 168

Chapter 3 General Networking ..... 169
  Networking Basics / OSI Model ..... 169
  TCP/IP Model ..... 170
  Routing and Switching Concepts ..... 171
  Cisco Hierarchical Internetworking Model ..... 171
  Distance-Vector Routing Protocols ..... 172
  Link-State Routing Protocols ..... 173
  Hybrid Routing Protocols ..... 174
  Routing Loops ..... 174
  Methods for Avoiding Routing Loops ..... 174
  Route Summarization ..... 175
  Tunnels ..... 177
  Networking Standards ..... 178
  IEEE 802.x Protocols ..... 178
  More 802.x Standards ..... 178
  Cabling and Connector Standards ..... 179
  Protocol Mechanisms ..... 179
  Connection-Oriented and Connectionless Service ..... 179
  Maximum Transmission Unit (MTU) ..... 180
  Transmission Control Protocol (TCP) ..... 180
  TCP Sliding Window (Data Transfer) ..... 181
  TCP Flags (Control Bits) ..... 182
  User Datagram Protocol (UDP) ..... 182
  Address Resolution Protocol (ARP) ..... 182
  Passive Interface ..... 183
  Jam Signal ..... 184
  Bridged Environment ..... 184
  Routed Environment ..... 185
  General Bridging Rules ..... 185
  LAN Switching ..... 185
  Routing Information Protocol (RIP) & RIPv2 ..... 186
  Split Horizon in a Hub and Spoke Network ..... 187
  Interior Gateway Routing Protocol (IGRP) ..... 188
  Open Shortest Path First (OSPF) ..... 189
  Other OSPF Features ..... 189
  OSPF Traffic Types ..... 190
  OSPF Area Types ..... 190
  Stub and Totally Stubby Area Similarities ..... 191
  Stub and Totally Stubby Area Differences ..... 191
  OSPF Peer Relationships ..... 191
  Router Types ..... 193
  LSA Types ..... 194
  LSA Options Field ..... 195
  OSPF Summarization ..... 195
  OSPF Metrics ..... 196
  Passive OSPF Interface ..... 197
  OSPF Multicast Addresses ..... 198
  Default Routes ..... 198
  OSPF Timers ..... 198
  OSPF Redistribution ..... 198
  Basic OSPF Configuration ..... 198
  Configuring Stub and Totally Stubby Areas ..... 199
  Configuring a Totally Stubby Network (ABR only) ..... 199
  Enhanced Interior Gateway Routing Protocol (EIGRP) ..... 199
  Types of EIGRP Successors ..... 200
  Feasibility Condition ..... 200
  Attributes of EIGRP ..... 201
  EIGRP Tables ..... 201
  Choosing Routes ..... 201
  Init Flag ..... 203
  EIGRP Stub Routing ..... 204
  Simple Hub and Spoke Network ..... 205
  Route Summary ..... 206
  Auto-Summarization ..... 206
  Process ID for an Autonomous System ..... 206
  show ip route eigrp ..... 206
  show ip eigrp topology ..... 207
  show ip eigrp neighbor ..... 209
  Border Gateway Protocol (BGP) ..... 210
  Situations That May Require BGP ..... 211
  Interior Border Gateway Protocol (IBGP) ..... 211
  Exterior Border Gateway Protocol (EBGP) ..... 212
  BGP Attributes ..... 212
  Weight Attribute ..... 212
  Local Preference Attribute ..... 213
  Multi-Exit Discriminator Attribute ..... 214
  Origin Attribute ..... 215
  AS_path Attribute ..... 215
  Next-Hop Attribute ..... 216
  Community Attribute ..... 217
  Cluster-List ..... 217
  Originator ID ..... 218
  BGP Neighbor Connectivity ..... 218
  Synchronization/Full Mesh ..... 219
  Next-Hop-Self Command ..... 219
  Private AS Numbers ..... 219
  BGP Path Selection ..... 220
  Scalability Problems with Internal BGP (IBGP) ..... 220
  Peer Groups ..... 220
  Confederations ..... 221
  Route Reflectors ..... 221
  Route Summary ..... 221
  BGP Clusters ..... 222
  Implement Routing Protocol Authentication ..... 222
  Protocols That Use Neighbor Authentication ..... 223
  How Neighbor Authentication Works ..... 223
  Key Management (Key Chains) ..... 223
  RIP Authentication ..... 224
  OSPF Authentication ..... 224
  EIGRP Authentication ..... 225
  BGP Authentication ..... 226
  Tunneling Protocols ..... 226
  Configuring GRE Tunnel ..... 227
  NHRP ..... 228
  Automatic IPv4-Compatible IPv6 Tunnels ..... 231
  ISATAP ..... 232
  Configuration Examples ..... 232
  Manual IPv6 Tunnels Example ..... 232
  6to4 Tunnels Configuration Example ..... 235
  IPv4-Compatible IPv6 Tunnels Configuration Example ..... 236
  ISATAP Tunnels Configuration Example ..... 237
  High-Level Data Link Control (HDLC) ..... 237
  Point-to-Point Protocol (PPP) ..... 238
  Modems and Async ..... 239
  IP Multicast ..... 239
  Benefits of IP Multicast ..... 240
  Multicast ..... 240
  Protocol Independent Multicast (PIM) ..... 241
  PIM Commands ..... 242
  Bidirectional PIM ..... 242
  Rendezvous Points ..... 243
  Auto-RP ..... 244
  Sparse-Dense Mode for Auto-RP ..... 245
  Bootstrap Router ..... 245
  Multicast Source Discovery Protocol (MSDP) ..... 245
  IGMP and CGMP Multicast Protocols ..... 246
  Designated Querier ..... 247
  IGMP Versions 1, 2, and 3 ..... 248
  Multicast Addressing ..... 249
  Implement IPv6 Multicast ..... 250
  IPv6 Multicast Groups ..... 250
  Multicast Listener Discovery Protocol for IPv6 ..... 251
  Wireless Standards ..... 251
  Wireless/802.11b ..... 252
  Wireless Networking Terms ..... 253
  802.1X Authentication ..... 254
  802.11 On Its Own Is Inherently Insecure ..... 255
  Prevention ..... 255
  Detection ..... 255
  Wireless Networks Are Targets for Intruders ..... 255
  Interference and Jamming ..... 256
  MAC Authentication ..... 256
  Ad Hoc versus Infrastructure Modes ..... 257
  Service Denial or Degradation ..... 257
  Wireless Networks Are Weapons ..... 257
  Authentication ..... 258
  Key Management ..... 258
  802.11 Wired Equivalent Privacy (WEP) ..... 258
  Security Extensions to WEP Are Required ..... 259
  IPsec in a WLAN Environment ..... 259
  802.1X/EAP ..... 260
  EAP Authentication Protocols ..... 262
  Lightweight Extensible Authentication Protocol (LEAP) ..... 263
  Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) ..... 263
  Protected Extensible Authentication Protocol (PEAP) ..... 265
  WEP Enhancements ..... 266
  Cisco TKIP: Per-Packet Keying ..... 267
  Cisco TKIP: Message Integrity Check ..... 268
  EAP Authentication Summary ..... 268
  Chapter 3 Answers ..... 279

Chapter 4 Security Technologies ..... 280
  Firewalls and Access Control ..... 280
  Introduction ..... 280
  Choosing the Right Firewall ..... 280
  Redundancy and Resiliency ..... 280
  High Throughput Support ..... 281
  Ease of Configuration ..... 281
  Detailed Logging and Notification Support ..... 281
  Types of Firewalls ..... 281
  Packet-Filtering Firewalls ..... 282
  Stateful Firewalls ..... 283
  Application Gateways ..... 284
  Host-Based Firewalls ..... 286
  Anti-Virus and Anti-Spyware Solutions ..... 286
  Anti-Virus Software ..... 286
  Anti-Spyware Software ..... 287
  Content Filtering ..... 287
  QoS Attacks
289 Network Address Translation ..................................................... 291 Introduction ....................................................................... 291 Benefits .............................................................................. 291 Terminology ....................................................................... 293 More NAT Terminology ....................................................... 298 Summary of NAT Commands .............................................. 299 NAT Order of Operation ...................................................... 299 Configuring IPSec-Based VPNs (Pre-Shared Keys) ..................... 301 Configuring Scalable IPSec-Based VPNs Using Digital Certificates312 What are Digital Certificates? ............................................. 312 Introduction to Certificate Authorities (CA) ....................... 313 Certificate Authority Support on Cisco Routers .................. 313 Implementing IPSEC without CA Support........................... 315 Implementing IPSEC with CA Support ................................ 316 Implementing IPSEC with Multiple Root CAs ...................... 316 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xv For questions: www.securityie.com cciesecurityv4 How CA Certificates are used by IPSec Devices? ................ 317 Registration Authorities ..................................................... 317 CA Configuration Steps on Cisco Routers ........................... 317 Verifying Keys and Certificates .......................................... 324 CA Configuration Example .................................................. 326 Configuring NAT & IPSec Together ............................................. 329 Configuration for Router 3640-2b ...................................... 329 Configuration for Router 3640-2b ...................................... 
331 Intrusion Detection and Prevention ........................................... 334 Introduction ....................................................................... 334 What is Intrusion Detection?.............................................. 335 Intrusion Detection Terminology........................................ 335 Attack Identification and Analysis ...................................... 336 Anomaly Detection ............................................................. 336 Misuse Detection ................................................................ 337 Protocol Analysis ................................................................ 337 IDS placement.................................................................... 338 Network-Based Intrusion Detection Systems (NIDS) ............... 338 Host-Based Intrusion Detection Systems (HIDS) .................... 339 TCP Reset ......................................................................... 340 Blocking ............................................................................ 341 Logging............................................................................. 341 Intrusion Detection – Evasion Techniques ......................... 341 Encryption ......................................................................... 341 Flooding ............................................................................ 342 Fragmentation ................................................................... 342 Obfuscation ....................................................................... 343 Cisco Threat Response (CTR) ............................................. 343 Introduction ...................................................................... 343 Benefits ............................................................................ 344 Threat Response Investigation Levels ................................... 345 Threat Response Predefined Policies ..................................... 
345 Multiphase Analysis ............................................................ 347 Attack Scenarios ................................................................ 348 EOL Status ........................................................................ 350 Network-Based Application Recognition .................................... 351 Identity Technologies................................................................. 352 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xvi For questions: www.securityie.com cciesecurityv4 Introduction ....................................................................... 352 Authentication Factors ....................................................... 352 Some Identity Technologies ............................................... 352 Static Usernames and Passwords ......................................... 353 Aging Passwords ................................................................ 353 One-Time Passwords (OTPs) ................................................ 353 Smart Cards ...................................................................... 354 Public Key Infrastructure (PKI)............................................. 354 Kerberos ........................................................................... 354 Biometrics ......................................................................... 356 PGP and S/MIME ................................................................ 356 802.1x .............................................................................. 357 Chapter 4 Questions ................................................................... 358 Chapter 4 Answers ..................................................................... 378 Chapter 5 Security Applications ....................................... 380 Cisco Secure ACS ........................................................................ 
380 Introduction ....................................................................... 380 Benefits .............................................................................. 380 Cisco Secure ACS for Windows Architecture ....................... 381 ACS Version 3.3 .................................................................. 383 Software Requirements ....................................................... 384 ACS Version 4.0 .................................................................. 384 System Requirements ......................................................... 384 Software Requirements ....................................................... 384 Network and Port Requirements ........................................... 385 Features and Benefits of version 4.0 .................................. 385 Installing Cisco Secure ACS ................................................ 387 Administration of Cisco Secure ACS............................................ 389 Reports and Activity ........................................................... 390 Positioning ACS in your Network ........................................ 391 Network Topology .............................................................. 391 Remote-Access Policy ......................................................... 396 Database .......................................................................... 396 Network Speed and Reliability.............................................. 397 ACS Version 5 ..................................................................... 398 Cisco Secure ASA Firewall .......................................................... 402 Introduction ....................................................................... 402 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xvii For questions: www.securityie.com cciesecurityv4 Stateful Inspection Firewall Features ................................. 
402 Intrusion Detection ............................................................. 403 URL Filtering ...................................................................... 404 Access Control Lists (ACLs) ................................................. 404 Routing Options ................................................................. 405 Customizable Administrative Roles ....................................... 405 Customizable Syslog ........................................................... 405 MANAGEMENT .................................................................... 406 Cisco ASA Device Manager .................................................. 406 Cisco Secure Policy Manager ................................................ 407 Large-Scale Management Solutions ...................................... 408 Two Key Components of Cisco ASA Firewalls ..................... 408 Cut-Through Proxy ............................................................. 408 Adaptive Security Algorithm ................................................ 409 How Adaptive Security Algorithm works in ASA ...................... 410 Cisco ASA 5500 Series Adaptive Security Appliances............... 412 Cisco Adaptive Security Device Manager ............................ 414 Routing and Multicast ........................................................ 415 Egress Interface Selection Process .................................... 415 Next Hop Selection Process ................................................ 416 Supported Internet Protocols for Routing .......................... 416 Multicast Support ............................................................... 417 Firewall Modes ................................................................... 418 Using Security Contexts ..................................................... 419 NAT Operation .................................................................... 
419 Context-Aware Firewall ...................................................... 421 Configuring Cisco ASA Firewalls ......................................... 422 Two Interfaces with NAT and PAT ...................................... 433 Site-to-Site VPN Configuration ........................................... 434 Configuring Overlapping Networks .................................... 438 Application Inspection Using MPF ...................................... 440 Identity-based Services ..................................................... 441 Failover .............................................................................. 443 Hardware Requirements .................................................... 444 Software Requirements ...................................................... 444 License Requirements ........................................................ 444 The Failover and Stateful Failover Links ............................. 445 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xviii For questions: www.securityie.com cciesecurityv4 Failover Link....................................................................... 445 LAN-Based Failover Link..................................................... 446 Stateful Failover Link ......................................................... 447 Failover Interface Speed for Stateful Links ........................ 448 Active/Active and Active/Standby Failover ........................ 449 Active/Standby Failover ..................................................... 449 Active/Standby Failover Overview ..................................... 449 Primary/Secondary Status and Active/Standby Status ...... 449 Device Initialization and Configuration Synchronization .... 450 Command Replication......................................................... 451 Failover Triggers ................................................................ 
452 Failover Actions.................................................................. 452 Active/Active Failover ........................................................ 454 Active/Active Failover Overview ........................................ 454 Primary/Secondary Status and Active/Standby Status ...... 455 Device Initialization and Configuration Synchronization .... 455 Command Replication......................................................... 456 Failover Triggers ................................................................ 457 Failover Actions.................................................................. 457 Determining Which Type of Failover to Use ........................ 459 Syslog Messages ................................................................ 460 Cisco IOS Firewall ...................................................................... 463 Cisco IOS Firewall Features ................................................ 464 Authentication Proxy.................................................................. 465 Introduction ....................................................................... 465 Working ............................................................................. 465 Authentication Proxy Screens ............................................ 466 Compatibility ...................................................................... 468 Configuring Authentication Proxy ...................................... 468 Cisco IOS Firewall TCP Intercept ................................................ 472 Modes................................................................................. 472 Configuration Sample ......................................................... 473 Cisco Context-Based Access Control (CBAC) .............................. 473 Introduction ....................................................................... 473 Traffic Filtering .................................................................. 
473 Traffic Inspection and DoS Attack Protection ..................... 474 Limitations of CBAC ............................................................ 474 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xix For questions: www.securityie.com cciesecurityv4 CBAC - Working .................................................................. 475 CBAC Deployment Scenarios .............................................. 476 The CBAC Process............................................................... 477 CBAC - Supported Protocols ............................................... 478 Generic Inspection ............................................................. 478 Application Specific Inspection ............................................. 478 CBAC - Limitations.............................................................. 479 Configuring CBAC ............................................................... 479 Generic TCP/UDP Inspection ................................................ 484 Port to Application Mapping ................................................. 487 Cisco Identity Services Engine (ISE) .................................. 489 Cisco Scansafe ................................................................... 500 Cisco Email Security Appliance ........................................... 501 Cisco Prime ........................................................................ 503 Cisco Secure Intrusion Detection System ........................... 504 Introduction ....................................................................... 504 IDS/IPS Software .............................................................. 505 New Features in Cisco IPS Software Version 7.0 ..................... 505 Cisco IDS 4.1 Software Architecture ..................................... 507 Cisco Intrusion Detection Sensors - Models ....................... 
509 Cisco Intrusion Detection Solution for Routers and Switches513 Cisco IDS / IPS Network Interfaces ........................................... 513 Cisco Intrusion Detection Signatures ................................. 514 Signature Categories .......................................................... 514 Signature Engines .............................................................. 515 Cisco IDS Alarm Levels ....................................................... 517 Tuning IDS Signatures ....................................................... 517 Cisco Intrusion Detection Management .............................. 517 Cisco IDS MC & IPS MC ....................................................... 518 Cisco Intrusion Detection Event Monitoring ....................... 520 Cisco IDS Management and Monitoring – Ports and Protocols522 Cisco IOS Intrusion Prevention System (IPS) .................... 523 Cisco IOS IPS Overview ..................................................... 525 SDEE Overview ................................................................... 539 Cisco Catalyst Service Modules................................................... 541 Benefits .............................................................................. 543 Firewall Services Module (FWSM) ...................................... 544 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xx For questions: www.securityie.com cciesecurityv4 Intrusion Detection System Service Module (IDSM)........... 545 IPSEC VPN Services Module (VPNSM) ................................ 546 SSL Services Module (SSLSM) ............................................ 546 Cisco VMS – Security Management System ................................ 547 Introduction ....................................................................... 547 Application ......................................................................... 
548 Current Status .................................................................... 549 Cisco Router and Security Device Manager (SDM) ...................... 549 SDM enabling a IOS Router ................................................ 553 CoPP........................................................................................... 554 CPPr ................................................................................... 556 MPP .................................................................................... 561 ZFW .................................................................................... 562 Chapter 5 Questions ................................................................... 576 Chapter 5 Answers ..................................................................... 600 Chapter 6 Security General .............................................. 603 Security Policy Best Practices ............................................ 603 Standards Bodies and Security Organizations .................... 606 Vulnerabilities .................................................................... 611 Know Your Enemy .............................................................. 612 Hacking Methodology ......................................................... 614 Common Attacks ........................................................................ 615 Countermeasures ............................................................... 629 Information Security Standards ......................................... 632 ISO 17799 ........................................................................ 632 ISO 27001 ........................................................................ 633 BS7799 ............................................................................. 634 BCP 38 ............................................................................. 635 Security and Attack Tools ................................................... 
636 Chapter 6 Questions ................................................................... 639 Chapter 6 Answers ..................................................................... 646 Chapter 7 Cisco General .................................................. 647 Access Control Lists (ACLs) ................................................ 647 Basic IP Extended ACL ........................................................ 650 ICMP ................................................................................ 651 TCP .................................................................................. 651 UDP .................................................................................. 651 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xxi For questions: www.securityie.com cciesecurityv4 Logging .............................................................................. 656 Show and Debug Commands .............................................. 660 Controlling Access to a Cisco Router .................................. 671 Line Authentication ............................................................. 671 Local Authentication ........................................................... 672 AAA Authentication ............................................................. 672 Privilege Levels .................................................................. 673 Enable and Enable Secret .................................................... 674 Password Recovery ............................................................ 676 Older Routers .................................................................... 676 Newer Routers ................................................................... 679 Encrypting Cisco Passwords ............................................... 679 Disable Unnecessary Services ............................................ 
680 TCP and UDP Small Services ................................................ 680 Finger ............................................................................... 680 NTP .................................................................................. 680 CDP .................................................................................. 680 DHCP ................................................................................ 681 Layer-2 Switching Security Features .................................. 681 Media Access Control (MAC) Address Flooding........................ 681 Port Security ..................................................................... 683 VLAN “Hopping” ................................................................. 684 VLAN Best Practices ............................................................ 685 Address Resolution Protocol (ARP) Attacks ............................ 685 DHCP Snooping and Dynamic ARP Inspection ........................ 685 Spanning Tree Protocol (STP) Protection ............................... 687 Chapter 7 Questions ................................................................... 688 Chapter 7 Answers ..................................................................... 698 Chapter 8 New Topics ...................................................... 699 Network Access Control (NAC) ................................................... 699 Deployment modes ............................................................ 702 NAC in Band ...................................................................... 702 NAC Out of Band ................................................................ 704 Cisco Trust Agent (CTA) ...................................................... 704 CTA Features ..................................................................... 705 Adaptive threat defense (ATD) ........................................... 706 Host Intrusion-prevention system (HIPS) .......................... 
707 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xxii For questions: www.securityie.com cciesecurityv4 Cisco Security Agent (CSA) ................................................. 708 Cisco Security Agent Management Architecture ...................... 708 Cisco Security Agent for IP Communication ........................... 709 Easy Virtual Private Network (EZVPN) ............................... 710 Easy VPN Client .................................................................. 711 Easy VPN Remote ............................................................... 711 Easy VPN Server ................................................................. 712 Secure Socket Layer Virtual Private Network (SSLVPN) ..... 713 Cisco IOS IPS ..................................................................... 714 Key Benefits ...................................................................... 714 Actions for Detected Signatures ........................................... 715 Handling Distributed Denial of Service (DDOS) attacks ...... 715 Cisco Traffic Anomaly Detectors ........................................... 716 Cisco Traffic Anomaly Detector Module.................................. 717 Cisco Guard DDoS Mitigation Appliance ................................. 718 Cisco Anomaly Guard Module ............................................... 719 Cisco Security Management ............................................... 720 Cisco Adaptive Security Device Manager (ASDM) .................... 720 Cisco Router & Security Device Manager (SDM) ..................... 722 Cisco Security Manager (CSM) ............................................. 728 IDM .................................................................................... 733 IME .................................................................................... 733 CCP .................................................................................... 
734 ACS SE................................................................................ 734 AnyConnect ........................................................................ 734 FPM .................................................................................... 743 GETVPN .............................................................................. 755 Key Server Configuration ................................................... 758 Group Member Configuration ............................................. 760 VRF-aware Technologies .................................................... 762 VXLAN ................................................................................ 762 Netflow .............................................................................. 767 Chapter 8 Questions: .................................................................. 770 Chapter 8 Answers: .................................................................... 777 INDEX .............................................................................. 779 www.ccbootcamp.com Toll Free 1.877.654.2243 [email protected] Copyright ©2014, Network Learning, Incorporated xxiii