CCNA Security Course Booklet Version 1.2


Description

Your Cisco Networking Academy Course Booklet is designed as a study resource you can easily read, highlight, and review on the go, wherever the Internet is not available or practical:

  • The text is extracted directly, word-for-word, from the online course so you can highlight important points and take notes in the "Your Chapter Notes" section.
  • Headings with the exact page correlations provide a quick reference to the online course for your classroom discussions and exam preparation.
  • An icon system directs you to the online curriculum to take full advantage of the images embedded within the Networking Academy online course interface and reminds you to perform the labs and Packet Tracer activities.

The Course Booklet is a basic, economical paper-based resource to help you succeed with the Cisco Networking Academy online course.

Related Titles:

  • CCNA Security Lab Manual Version 1.2 (ISBN-13: 978-1-58713-347-3, ISBN-10: 1-58713-347-4)
  • CCNA Security (640-554) Portable Command Guide (ISBN-13: 978-1-58720-448-7, ISBN-10: 1-58720-448-7)
  • Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide, Second Edition (ISBN-13: 978-1-58714-272-7, ISBN-10: 1-58714-272-4)
  • CCNA Security 640-554 Official Cert Guide (ISBN-13: 978-1-58720-446-3, ISBN-10: 1-58720-446-0)

Product details

  • Format: Paperback | 552 pages
  • Dimensions: 215.9 x 269.24 x 33.02mm | 1,224.69g
  • Publisher: Pearson Education (US)
  • Imprint: Cisco Press
  • Publication city: Indianapolis, United States
  • Language: English
  • Edition: 3rd edition
  • ISBN-10: 1587133466
  • ISBN-13: 9781587133466
  • 1,286,814

Table of contents

Chapter 1 Modern Network Security Threats 1
1.0 Introduction 1
1.1 Fundamental Principles of a Secure Network 2
1.1.1 Evolution of Network Security 2 1.1.1.1 Code Red Worm Attack 2 1.1.1.2 Evolution of Security Threats 2 1.1.1.3 Evolution of Network Security Tools 3 1.1.1.4 Threats to Networks 4 1.1.1.5 Encryption and Cryptography 4
1.1.2 Drivers for Network Security 5 1.1.2.1 The Hacker 5 1.1.2.2 Evolution of Hacking 5 1.1.2.3 First Network Attacks 6 1.1.2.4 Network Security Professionals 6
1.1.3 Network Security Organizations 7 1.1.3.1 Network Security Organizations 7 1.1.3.2 SANS Institute 7 1.1.3.3 CERT 8 1.1.3.4 (ISC)2 8 1.1.3.5 RSS 9
1.1.4 Domains of Network Security 9 1.1.4.1 Network Security Domains 9 1.1.4.2 Security Policy 10
1.1.5 Network Security Policies 10 1.1.5.1 Network Security Policy 10 1.1.5.2 Cisco SecureX Architecture 10 1.1.5.3 Cisco SecureX Product Categories 11 1.1.5.4 Network Security Policy Objectives 11
1.2 Viruses, Worms, and Trojan horses 11
1.2.1 Viruses 11 1.2.1.1 Primary Vulnerabilities for End User Devices 11 1.2.1.2 Comparison of a Human Virus and a Computer Virus 12
1.2.2 Worms 12 1.2.2.1 Worms 12 1.2.2.2 Worm Components 13 1.2.2.3 Worm and Virus Exploit Comparison 13
1.2.3 Trojan horses 14 1.2.3.1 Trojan Horse Concept 14 1.2.3.2 Trojan Horse Classifications 15
1.2.4 Mitigating Viruses, Worms, and Trojan Horses 15 1.2.4.1 Buffer Overflows 15 1.2.4.2 Antivirus Software 15 1.2.4.3 Worm Mitigation 16 1.2.4.4 SQL Slammer Worm 16
1.3 Attack Methodologies 17
1.3.1 Reconnaissance Attacks 17 1.3.1.1 Types of Attacks 17 1.3.1.2 Types of Reconnaissance Attacks 18 1.3.1.3 Packet Sniffer 18 1.3.1.4 Ping Sweeps and Port Scans 18 1.3.1.5 Mitigating Reconnaissance Attacks 19
1.3.2 Access Attacks 19 1.3.2.1 Access Attacks 19 1.3.2.2 Types of Access Attacks 20 1.3.2.3 Mitigating Access Attacks 20
1.3.3 Denial of Service Attacks 21 1.3.3.1 DoS Attacks 21 1.3.3.2 DoS and DDoS 21 1.3.3.3 Types of DoS Attacks 22 1.3.3.4 DoS Attack Symptoms 22
1.3.4 Mitigating Network Attacks 23 1.3.4.1 Mitigating Network Attacks 23 1.3.4.2 Mitigating Reconnaissance Attacks 23 1.3.4.3 Mitigating Access Attacks 24 1.3.4.4 Mitigating DoS Attacks 24 1.3.4.5 Defending the Network 24
1.4 Cisco Network Foundation Protection Framework 25
1.4.1 NFP 25 1.4.1.1 NFP Framework 25 1.4.1.2 Control Plane 26 1.4.1.3 Management Plane 26 1.4.1.4 Data Plane 27
1.5 Chapter Summary 28
1.5.1.1 Lab - Researching Network Attacks and Security Audit Tools 28 1.5.1.2 Chapter Summary 28
Your Chapter Notes 30

Chapter 2 Securing Network Devices 31
2.0 Chapter Introduction 31
2.1 Securing Device Access 31
2.1.1 Securing the Edge Router 31 2.1.1.1 Securing the Network Infrastructure 31 2.1.1.2 Implementing Security 32 2.1.1.3 Securing Routers 33 2.1.1.4 Secure Administrative Access 34 2.1.1.5 Secure Local and Remote Access 34
2.1.2 Configuring Secure Administrative Access 35 2.1.2.1 Securing Passwords 35 2.1.2.2 Securing Administrative Access 36 2.1.2.3 Increase Password Security 37 2.1.2.4 Configuring Secure Local Database Entries 38
2.1.3 Configuring Enhanced Security for Virtual Logins 39 2.1.3.1 Enhancing the Login Process 39 2.1.3.2 Configuring Login Enhancement Features 39 2.1.3.3 Enable Login Enhancements 39 2.1.3.4 Logging Failed Attempts 40 2.1.3.5 Provide Legal Notification 41
2.1.4 Configuring SSH 41 2.1.4.1 Configuring Before SSH Is Implemented 41 2.1.4.2 Configuring SSH 42 2.1.4.3 Additional SSH Commands 43 2.1.4.4 Connecting to an SSH-Enabled Router 43 2.1.4.5 Enabling SSH Using CCP 44
2.2 Assigning Administrative Roles 45
2.2.1 Configuring Privilege Levels 45 2.2.1.1 Limiting Command Availability 45 2.2.1.2 Privilege Levels 45 2.2.1.3 Configuring Privilege Levels 46 2.2.1.4 Assigning Privilege Levels 47 2.2.1.5 Limitations of Privilege Levels 48
2.2.2 Configuring Role-Based CLI 48 2.2.2.1 Role-Based CLI Access 48 2.2.2.2 Role-Based Views 49 2.2.2.3 Configuring Role-Based Views 50 2.2.2.4 Configuring Role-Based CLI Superviews 50 2.2.2.5 Verify Role-Based CLI Views 51
2.3 Monitoring and Managing Devices 51
2.3.1 Securing Cisco IOS Image and Configuration Files 51 2.3.1.1 Cisco IOS Resilient Configuration Feature 51 2.3.1.2 Enabling the IOS Image Resilience Feature 52 2.3.1.3 Restoring a Primary Bootset Image 53 2.3.1.4 Recovering a Router Password 53 2.3.1.5 Disabling Password Recovery 54
2.3.2 Secure Management and Reporting 55 2.3.2.1 Managing and Monitoring Network Devices 55 2.3.2.2 Management Access 56 2.3.2.3 In-Band and Out-of-Band Access 57
2.3.3 Using Syslog for Network Security 57 2.3.3.1 Introduction to Syslog 57 2.3.3.2 Syslog Operation 58 2.3.3.3 Syslog Message 59 2.3.3.4 Syslog Systems 60 2.3.3.5 Configuring System Logging 60 2.3.3.6 Configuring Syslog Using CCP 60 2.3.3.7 Monitor Syslog Messages Using CCP 61
2.3.4 Using SNMP for Network Security 61 2.3.4.1 Introduction to SNMP 61 2.3.4.2 SNMP Operation 62 2.3.4.3 SNMP Agent Traps 62 2.3.4.4 SNMP Vulnerabilities 63 2.3.4.5 SNMP Community Strings 63 2.3.4.6 SNMPv3 64 2.3.4.7 Enabling SNMP Using CCP 64 2.3.4.8 Setting SNMP Traps 65
2.3.5 Using NTP 66 2.3.5.1 Network Time Protocol 66 2.3.5.2 NTP Server 66 2.3.5.3 NTP Authentication 67 2.3.5.4 Enabling NTP Using CCP 68
2.4 Using Automated Security Features 68
2.4.1 Performing a Security Audit 68 2.4.1.1 Cisco Discovery Protocol 68 2.4.1.2 Protocols and Services Default Settings 69 2.4.1.3 Cisco IOS Security Tools 69 2.4.1.4 CCP Security Audit Wizard 70
2.4.2 Locking Down a Router Using AutoSecure 70 2.4.2.1 Cisco AutoSecure 70 2.4.2.2 Using the Cisco AutoSecure Feature 71 2.4.2.3 Using the auto secure Command 72
2.4.3 Locking Down a Router Using CCP 72 2.4.3.1 Cisco One-Step Lockdown in CCP 72 2.4.3.2 Cisco AutoSecure Versus CCP One-Step Lockdown 73
2.5 Summary 74
2.5.1.1 Lab - Securing the Router for Administrative Access.pdf 74 2.5.1.2 Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations 75 2.5.1.3 Summary 75
Your Chapter Notes 76

Chapter 3 Authentication, Authorization, and Accounting 77
3.0 Introduction 77
3.1 Purpose of AAA 77
3.1.1 AAA Overview 77 3.1.1.1 Authentication without AAA 77 3.1.1.2 AAA Components 78
3.1.2 AAA Characteristics 79 3.1.2.1 Authentication Modes 79 3.1.2.2 Authorization 79 3.1.2.3 Accounting 80
3.2 Local AAA Authentication 80
3.2.1 Configuring Local AAA Authentication with CLI 80 3.2.1.1 Authenticating Administrative Access 80 3.2.1.2 Authentication Methods 81 3.2.1.3 Default and Named Methods 82 3.2.1.4 Fine-Tuning the Authentication Configuration 82
3.2.2 Configuring Local AAA Authentication with CCP 83 3.2.2.1 Enable AAA 83 3.2.2.2 Add User Accounts 83 3.2.2.3 Configure Method Lists 84
3.2.3 Troubleshooting Local AAA Authentication 84 3.2.3.1 Debug Options 84 3.2.3.2 Debugging AAA Authentication 84
3.3 Server-Based AAA 85
3.3.1 Server-Based AAA Characteristics 85 3.3.1.1 Comparing Local AAA and Server-Based AAA Implementations 85 3.3.1.2 Introducing Cisco Secure Access Control Server 85
3.3.2 Server-Based AAA Communication Protocols 85 3.3.2.1 Introducing TACACS+ and RADIUS 85 3.3.2.2 TACACS+ Authentication 86 3.3.2.3 RADIUS Authentication 86
3.3.3 Cisco Secure ACS 87 3.3.3.1 TACACS+ and RADIUS with Cisco Secure ACS 87 3.3.3.2 Cisco Secure ACS Features 87 3.3.3.3 Cisco Secure ACS as a TrustSec Component 88 3.3.3.4 Cisco Secure ACS, High-Performance, and Scalability 88 3.3.3.5 Cisco Secure ACS Software and Hardware Implementation Options 89
3.3.4 Configuring Cisco Secure ACS 89 3.3.4.1 Software and Network Requirements for Cisco Secure ACS 89 3.3.4.2 Cisco Secure ACS Home Page 90 3.3.4.3 Adding Cisco Secure ACS Clients 91 3.3.4.4 Cisco Secure ACS Databases 92
3.3.5 Configuring Cisco Secure ACS Users and Groups 93 3.3.5.1 Cisco Secure ACS User Database Setup 93 3.3.5.2 Cisco Secure ACS Group Setup 93 3.3.5.3 Cisco Secure ACS User Setup 94
3.4 Server-Based AAA Authentication 94
3.4.1 Configuring Server-Based AAA Authentication with CLI 94 3.4.1.1 Steps for Configuring Server-Based AAA Authentication with CLI 94 3.4.1.2 Configuring the CLI for TACACS+ and RADIUS Servers 94
3.4.2 Configuring Server-Based AAA Authentication with CCP 96 3.4.2.1 Configuring CCP for TACACS+ 96 3.4.2.2 Configuring Method Lists with CCP 96 3.4.2.3 Configuring Lines with Method Lists using CCP 97
3.4.3 Troubleshooting Server-Based AAA Authentication 98 3.4.3.1 Monitoring Authentication Traffic 98 3.4.3.2 Debugging TACACS+ and RADIUS 98
3.5 Server-Based AAA Authorization and Accounting 98
3.5.1 Configuring Server-Based AAA Authorization 98 3.5.1.1 Introduction to Server-Based AAA Authorization 98 3.5.1.2 AAA Authorization Types 99 3.5.1.3 AAA Authorization Fundamentals with CCP 99 3.5.1.4 AAA Authorization Methods with CCP 100
3.5.2 Configuring Server-Based AAA Accounting 100 3.5.2.1 Introduction to Server-Based AAA Accounting 100 3.5.2.2 AAA Accounting Configuration with the CLI 101
3.6 Summary 102
3.6.1.1 Lab - Securing Administrative Access Using AAA and RADIUS 102 3.6.1.2 Packet Tracer - Configure AAA Authentication on Cisco Routers 102 3.6.1.3 Summary 102
Your Chapter Notes 103

Chapter 4 Implementing Firewall Technologies 105
4.0 Introduction 105
4.1 Access Control Lists 105
4.1.1 Configuring Standard and Extended IPv4 ACLs with CLI 105 4.1.1.1 Introduction to Access Control Lists 105 4.1.1.2 Standard and Extended Numbered IP ACLs 106 4.1.1.3 Standard and Extended Named IP ACLs 107 4.1.1.4 Logging ACL Matches 108 4.1.1.5 Access Control Entry Rules 108 4.1.1.6 Standard ACL Example 109 4.1.1.7 Extended ACL Example 110 4.1.1.8 Editing Extended ACLs 110 4.1.1.9 How Cisco Routers Parse Standard ACLs 111
4.1.2 Topology and Flow for ACLs 112 4.1.2.1 How Cisco Routers Handle ACL Matches 112 4.1.2.2 ACL Placement 112 4.1.2.3 ACL Design 113 4.1.2.4 Verifying ACL Functionality 113
4.1.3 Configuring Standard and Extended ACLs with Cisco Configuration Professional 113 4.1.3.1 Introduction to Configuring ACLs with Cisco Configuration Professional 113 4.1.3.2 Cisco Configuration Professional Rules 114 4.1.3.3 Creating a Rule 114 4.1.3.4 Applying a Rule to an Interface 115 4.1.3.5 Delivering a Rule 116
4.1.4 Configuring TCP Established and Reflexive ACLs 116 4.1.4.1 First Generation Approach to Stateful Firewall 116 4.1.4.2 Monitoring TCP Flag Settings 117 4.1.4.3 TCP Established in Action 117 4.1.4.4 Reflexive ACLs 117 4.1.4.5 Using Reflexive ACLs 118
4.1.5 Configuring Dynamic ACLs 119 4.1.5.1 Introducing Dynamic ACLs 119 4.1.5.2 Dynamic ACL Operation 120 4.1.5.3 Steps for Configuring a Dynamic ACL 120 4.1.5.4 Dynamic ACL Timeouts 121
4.1.6 Configuring Time-Based ACLs 122 4.1.6.1 Introduction to Time-Based ACLs 122 4.1.6.2 Time-Based ACL Configuration 122 4.1.6.3 Time-Based ACL Scenario 123
4.1.7 Troubleshooting Complex ACL Implementations 124 4.1.7.1 Commands to Verify and Troubleshoot ACLs 124 4.1.7.2 Monitoring ACL Matches 124 4.1.7.3 Debugging ACLs 124
4.1.8 Mitigating Attacks with ACLs 125 4.1.8.1 Mitigating Spoofing and DoS Attacks 125 4.1.8.2 Antispoofing with ACLs 125 4.1.8.3 Permitting Necessary Traffic Through a Firewall 126 4.1.8.4 Mitigating ICMP Abuse 126 4.1.8.5 Mitigating SNMP Exploits 126
4.1.9 IPv6 ACLs 127 4.1.9.1 Introducing IPv6 ACLs 127 4.1.9.2 Extended IPv6 ACLs 128 4.1.9.3 Configuring IPv6 ACLs 128
4.1.10 Using Object Groups in ACEs 128 4.1.10.1 Introducing Object Groups 128 4.1.10.2 Network and Service Object Groups 129 4.1.10.3 Configuring Network and Service Object Groups 129 4.1.10.4 Creating an Object Group-Based ACL 130
4.2 Firewall Technologies 131
4.2.1 Securing Networks with Firewalls 131 4.2.1.1 Defining Firewalls 131 4.2.1.2 Benefits and Limitations of Firewalls 131
4.2.2 Types of Firewalls 132 4.2.2.1 Descriptions of Firewall Types 132 4.2.2.2 Packet Filtering Firewall 133 4.2.2.3 Stateful Firewalls 134 4.2.2.4 Cisco Firewall Solutions 135
4.2.3 Classic Firewall 136 4.2.3.1 Introducing Classic Firewall 136 4.2.3.2 Classic Firewall Operation 137 4.2.3.3 Classic Firewall Inspection Rules 138 4.2.3.4 Classic Firewall Configuration 139
4.2.4 Firewalls in Network Design 140 4.2.4.1 Demilitarized Zones 140 4.2.4.2 Layered Defense 141 4.2.4.3 Firewalls and the Security Policy 141
4.3 Zone-Based Policy Firewalls 142
4.3.1 Zone-Based Policy Firewall Characteristics 142 4.3.1.1 Introducing Zone-Based Policy Firewall 142 4.3.1.2 Benefits of Zone-Based Policy Firewall 142 4.3.1.3 Zone-Based Policy Firewall Design 143
4.3.2 Zone-Based Policy Firewall Operation 144 4.3.2.1 Zone-Based Policy Firewall Actions 144 4.3.2.2 Zone-Based Policy Firewall Rules 144 4.3.2.3 Zone-Based Policy Firewall Rules for Routers 145
4.3.3 Configuring a Zone-Based Policy Firewall with CLI 146 4.3.3.1 Steps for Configuring Zone-Based Policy Firewalls with CLI 146 4.3.3.2 Create Zones 147 4.3.3.3 Defining Traffic Classes 147 4.3.3.4 Specify Firewall Policies 148 4.3.3.5 Apply Firewall Policies and Assign Router Interfaces 148
4.3.4 Configuring Zone-Based Policy Firewall with Cisco Configuration Professional Wizard 149 4.3.4.1 Basic and Advanced Firewall Wizards 149 4.3.4.2 Firewall Interface Configuration 150 4.3.4.3 Security Level Configuration 150 4.3.4.4 Deliver Configuration 151 4.3.4.5 Manual Configuration with Cisco Configuration Professional 151 4.3.4.6 Defining Zones 151 4.3.4.7 Configuring Class Maps 152 4.3.4.8 Creating Policy Maps 153 4.3.4.9 Defining Zone Pairs 153 4.3.4.10 Editing Firewall Policy View 154 4.3.4.11 View Firewall Activity 154 4.3.4.12 Viewing the Zone-Based Policy Firewall State Table 154
4.4 Summary 155
4.4.1.1 Lab - Configuring Zone-Based Policy Firewalls 155 4.4.1.2 Packet Tracer - Configure IP ACLs to Mitigate Attacks 155 4.4.1.3 Packet Tracer - Configuring a Zone-Based Policy Firewall 155 4.4.1.4 Summary 156
Your Chapter Notes 157

Chapter 5 Implementing Intrusion Prevention 159
5.0 Introduction 159
5.1 IPS Technologies 160
5.1.1 IDS and IPS Characteristics 160 5.1.1.1 Zero-Day Attacks 160 5.1.1.2 Monitor for Attacks 160 5.1.1.3 Detect and Stop Attacks 160 5.1.1.4 IDS and IPS Characteristics 161 5.1.1.5 Advantages and Disadvantages of IDS and IPS 161
5.1.2 Network-Based IPS Implementations 162 5.1.2.1 Network IPS Sensors 162 5.1.2.2 Cisco IPS Solutions 163 5.1.2.3 Choose an IPS Solution 164 5.1.2.4 IPS Advantages and Disadvantages 164
5.2 IPS Signatures 165
5.2.1 IPS Signature Characteristics 165 5.2.1.1 Signature Attributes 165 5.2.1.2 Signature Types 165 5.2.1.3 Signature File 166 5.2.1.4 Signature Micro-Engines 166 5.2.1.5 Acquire the Signature File 167
5.2.2 IPS Signature Alarms 168 5.2.2.1 Signature Alarm 168 5.2.2.2 Pattern-Based Detection 168 5.2.2.3 Anomaly-Based Detection 169 5.2.2.4 Policy-Based Detection 169 5.2.2.5 Benefits of Implementing an IPS 170
5.2.3 Tuning IPS Signature Alarms 170 5.2.3.1 Trigger False Alarms 170 5.2.3.2 Tune Signatures 171
5.2.4 IPS Signature Actions 172 5.2.4.1 Signature Actions 172 5.2.4.2 Generate an Alert 172 5.2.4.3 Log the Activity 173 5.2.4.4 Drop or Prevent the Activity 173 5.2.4.5 Reset, Block, and Allow Traffic 173
5.2.5 Manage and Monitor IPS 174 5.2.5.1 Monitor Activity 174 5.2.5.2 Monitoring Considerations 174 5.2.5.3 Monitor IPS Using Cisco Configuration Professional 175 5.2.5.4 Secure Device Event Exchange 176 5.2.5.5 IPS Configuration Best Practices 176
5.2.6 IPS Global Correlation 177 5.2.6.1 Cisco Global Correlation 177 5.2.6.2 Cisco SensorBase Network 177 5.2.6.3 Cisco Security Intelligence Operation 178
5.3 Implement IPS 178
5.3.1 Configure Cisco IOS IPS with CLI 178 5.3.1.1 Implement IOS IPS 178 5.3.1.2 Download the IOS IPS Files 179 5.3.1.3 Configure an IPS Crypto Key 179 5.3.1.4 Enable IOS IPS 180 5.3.1.5 Load the IPS Signature Package in RAM 181
5.3.2 Configure Cisco IOS IPS with Cisco Configuration Professional 181 5.3.2.1 Implement IOS IPS Using Cisco Configuration Professional 181 5.3.2.2 Launch the IPS Rule Wizard 182 5.3.2.3 Specify the Signature File 183 5.3.2.4 Configure the Crypto Key 183 5.3.2.5 Complete the IOS IPS Wizard 183
5.3.3 Modifying Cisco IOS IPS Signatures 184 5.3.3.1 Retire and Unretire Signatures 184 5.3.3.2 Change Signature Actions 184 5.3.3.3 Edit Signatures 185 5.3.3.4 Tune a Signature 185 5.3.3.5 Access and Configure Signature Parameters 185
5.4 Verify and Monitor IPS 186
5.4.1 Verify Cisco IOS IPS 186 5.4.1.1 Verify IOS IPS 186 5.4.1.2 Verify IOS IPS Using Cisco Configuration Professional 186
5.4.2 Monitoring Cisco IOS IPS 187 5.4.2.1 Report IPS Alerts 187 5.4.2.2 Enable SDEE 187 5.4.2.3 Monitor IOS IPS Using Cisco Configuration Professional 188
5.5 Summary 188
5.5.1.1 Lab - Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP 188 5.5.1.2 Packet Tracer - Configure IOS Intrusion Prevention System (IPS) using CLI 188 5.5.1.3 Summary 188
Your Chapter Notes 189

Chapter 6 Securing the Local-Area Network 191
6.0 Introduction 191
6.1 Endpoint Security 191
6.1.1 Introducing Endpoint Security 191 6.1.1.1 Introducing Endpoint Security 191 6.1.1.2 SecureX Architecture 192 6.1.1.3 Trusted Code and Trusted Path 192 6.1.1.4 Operating System Vulnerabilities 193 6.1.1.5 Cisco Endpoint Security Solutions 194
6.1.2 Endpoint Security with Cisco ESA and WSA 194 6.1.2.1 Cisco Email and Web Security Appliances 194 6.1.2.2 Cisco Email Security Appliance 195 6.1.2.3 Cisco Web Security Appliance 195
6.1.3 Endpoint Security with Network Admission Control 196 6.1.3.1 Cisco Network Admission Control 196 6.1.3.2 Cisco NAC Functions 196 6.1.3.3 Cisco NAC Components 197 6.1.3.4 Cisco NAC Guest Server 197 6.1.3.5 Cisco NAC Profiler 198
6.2 Layer 2 Security Considerations 199
6.2.1 Introducing Layer 2 Security 199 6.2.1.1 Mitigating Layer 2 Attacks 199 6.2.1.2 Buffer Overflow 199
6.2.2 MAC Address Spoofing 200 6.2.2.1 Switch MAC Address Table 200 6.2.2.2 MAC Address Spoofing Attacks 200
6.2.3 MAC Address Table Overflow 201 6.2.3.1 MAC Address Overflow Attacks 201 6.2.3.2 macof Tool 201
6.2.4 Spanning Tree Protocol Manipulation 202 6.2.4.1 Spanning Tree Algorithm: Introduction 202 6.2.4.2 Spanning Tree Algorithm: Port Roles 203 6.2.4.3 Spanning Tree Algorithm: Root Bridge 204 6.2.4.4 Spanning Tree Algorithm: Path Cost 205 6.2.4.5 802.1D BPDU Frame Format 206 6.2.4.6 BPDU Propagation and Process 206 6.2.4.7 Extended System ID 207 6.2.4.8 Video Demonstration - Observing Spanning Tree Protocol Operation 209 6.2.4.9 STP Manipulation Attacks 209
6.2.5 LAN Storms 209 6.2.5.1 LAN Storm Attacks 209 6.2.5.2 Storm Control 209
6.2.6 VLAN Attacks 210 6.2.6.1 VLAN Functions 210 6.2.6.2 VLAN Hopping Attack 210 6.2.6.3 VLAN Double-Tagging Attack 211
6.3 Configuring Layer 2 Security 211
6.3.1 Configuring Port Security 211 6.3.1.1 Port Security Operation 211 6.3.1.2 Basic Port Security Configuration 212 6.3.1.3 Advanced Port Security Configuration 212 6.3.1.4 Port Security Aging 214 6.3.1.5 Port Security with IP Phones 214
6.3.2 Verifying Port Security 214 6.3.2.1 Verify Port Security for Interfaces 214 6.3.2.2 Verify Port Security for Addresses 215 6.3.2.3 SNMP MAC Address Notification 215
6.3.3 Configuring BPDU Guard, BPDU Filter, and Root Guard 215 6.3.3.1 PortFast 215 6.3.3.2 Configure BPDU Guard 216 6.3.3.3 Verify BPDU Guard 216 6.3.3.4 BPDU Filtering 216 6.3.3.5 Root Guard 217
6.3.4 Configuring Storm Control 217 6.3.4.1 Broadcast, Multicast, and Unicast Traffic Rates 217 6.3.4.2 Storm Control Configuration 218 6.3.4.3 Verify Storm Control 219
6.3.5 Configuring VLAN Trunk Security 219 6.3.5.1 VLAN Trunk Security Guidelines 219 6.3.5.2 VLAN Trunk Security Configuration 219
6.3.6 Configuring Cisco Switched Port Analyzer 220 6.3.6.1 Port Mirroring 220 6.3.6.2 Cisco SPAN Configuration and Verification 220 6.3.6.3 SPAN with Intrusion Detection 220
6.3.7 Configuring PVLAN Edge 221 6.3.7.1 Verify Protected Ports 221 6.3.7.2 Verifying Protected Ports 221
6.3.8 Recommended Practices for Layer 2 221 6.3.8.1 Layer 2 Guidelines for Endpoint Security 221 6.3.8.2 VLAN and Trunk Guidelines 222
6.4 Wireless, VoIP, and SAN Security 222
6.4.1 Enterprise Advanced Technology Security Considerations 222 6.4.1.1 Advanced Technology Topologies 222 6.4.1.2 Wireless Security Introduction 222 6.4.1.3 VoIP Security Introduction 223 6.4.1.4 SAN Security Introduction 223
6.4.2 Wireless Security Considerations 223 6.4.2.1 Wireless NICs 223 6.4.2.2 Wireless Home Router 224 6.4.2.3 Business Wireless Solutions 224 6.4.2.4 Wireless Access Points 225 6.4.2.5 Lightweight Access Points and Wireless LAN Controllers 225 6.4.2.6 War Driving 226 6.4.2.7 Wireless Hacking 226
6.4.3 Wireless Security Solutions 227 6.4.3.1 History of Wireless Technologies 227 6.4.3.2 Wireless Security Guidelines 227
6.4.4 VoIP Security Considerations 228 6.4.4.1 VoIP Business Advantages 228 6.4.4.2 VoIP Components and Protocols 229 6.4.4.3 VoIP Security Threats 229 6.4.4.4 Spam over Internet Telephony 230 6.4.4.5 Vishing, Toll Fraud, and SIP Vulnerabilities 231
6.4.5 VoIP Security Solutions 232 6.4.5.1 Voice VLANs 232 6.4.5.2 VoIP with Cisco Adaptive Security Appliance 232 6.4.5.3 VoIP with Encryption 233 6.4.5.4 Hardening Voice Devices 233
6.4.6 SAN Security Considerations 234 6.4.6.1 Introducing SANs 234 6.4.6.2 SAN Transport Technologies 234 6.4.6.3 SAN World Wide Names 235 6.4.6.4 Fiber Channel Zoning 236 6.4.6.5 Virtual SANs 236
6.4.7 SAN Security Solutions 236 6.4.7.1 SAN Security Guidelines 236 6.4.7.2 SAN Management Tools 237 6.4.7.3 Securing Fabric and Target Access 237 6.4.7.4 VSANs with Zones 237 6.4.7.5 Security with iSCSI and FCIP 238
6.5 Summary 238
6.5.1.1 Lab - Securing Layer 2 Switches 238 6.5.1.2 Packet Tracer - Layer 2 Security 238 6.5.1.3 Packet Tracer - Layer 2 VLAN Security 239 6.5.1.4 Summary 239
Your Chapter Notes 240

Chapter 7 Cryptographic Systems 241
7.0 Introduction 241
7.1 Cryptographic Services 241
7.1.1 Securing Communications 241 7.1.1.1 Authentication, Integrity, and Confidentiality 241 7.1.1.2 Authentication 242 7.1.1.3 Data Integrity 243 7.1.1.4 Data Confidentiality 243
7.1.2 Cryptography 243 7.1.2.1 Creating Cipher Text 243 7.1.2.2 Transposition Ciphers 245 7.1.2.3 Substitution Ciphers 245 7.1.2.4 One-Time Pad Ciphers 246
7.1.3 Cryptanalysis 247 7.1.3.1 Cracking Code 247 7.1.3.2 Methods for Cracking Code 247 7.1.3.3 Cracking Code Example 248
7.1.4 Cryptology 249 7.1.4.1 Making and Breaking Secret Codes 249 7.1.4.2 Cryptanalysis 249 7.1.4.3 The Secret Is in the Keys 249
7.2 Basic Integrity and Authenticity 250
7.2.1 Cryptographic Hashes 250 7.2.1.1 Cryptographic Hash Function 250 7.2.1.2 Cryptographic Hash Function Properties 250 7.2.1.3 Well-Known Hash Functions 251
7.2.2 Integrity with MD5 and SHA-1 251 7.2.2.1 Message Digest 5 Algorithm 251 7.2.2.2 Secure Hash Algorithm 252 7.2.2.3 MD5 Versus SHA 252
7.2.3 Authenticity with HMAC 253 7.2.3.1 Keyed-Hash Message Authentication Code 253 7.2.3.2 HMAC Operation 254 7.2.3.3 Hashing in Cisco Products 254
7.2.4 Key Management 254 7.2.4.1 Characteristics of Key Management 254 7.2.4.2 The Keyspace 255 7.2.4.3 Types of Cryptographic Keys 256 7.2.4.4 Choosing Cryptographic Keys 256
7.3 Confidentiality 257
7.3.1 Encryption 257 7.3.1.1 Cryptographic Encryption 257 7.3.1.2 Symmetric and Asymmetric Encryption 258 7.3.1.3 Symmetric Encryption 259 7.3.1.4 Symmetric Block Ciphers and Stream Ciphers 259 7.3.1.5 Choosing an Encryption Algorithm 260
7.3.2 Data Encryption Standard 261 7.3.2.1 DES Symmetric Encryption 261 7.3.2.2 DES Operation 261 7.3.2.3 DES Summary 262
7.3.3 3DES 262 7.3.3.1 Improving DES with 3DES 262 7.3.3.2 3DES Operation 263
7.3.4 Advanced Encryption Standard 263 7.3.4.1 AES Origins 263 7.3.4.2 AES Summary 264
7.3.5 Alternate Encryption Algorithms 264 7.3.5.1 Software-Optimized Encryption Algorithm (SEAL) 264 7.3.5.2 RC Algorithms 264
7.3.6 Diffie-Hellman Key Exchange 265 7.3.6.1 Diffie-Hellman (DH) Algorithm 265 7.3.6.2 DH Operation 266
7.4 Public Key Cryptography 266
7.4.1 Symmetric Versus Asymmetric Encryption 266 7.4.1.1 Asymmetric Key Algorithms 266 7.4.1.2 Public Key + Private Key = Confidentiality 267 7.4.1.3 Private Key + Public Key = Authentication 267 7.4.1.4 Asymmetric Algorithms 268
7.4.2 Digital Signatures 269 7.4.2.1 Using Digital Signatures 269 7.4.2.2 Digital Signature Specifics 270 7.4.2.3 Digital Signature Process 270 7.4.2.4 Digitally Signed Code 271 7.4.2.5 Digital Signature Algorithm 271
7.4.3 Rivest, Shamir, and Alderman 272 7.4.3.1 RSA Asymmetric Algorithms 272 7.4.3.2 RSA Summary 272
7.4.4 Public Key Infrastructure 272 7.4.4.1 Public Key Infrastructure Overview 272 7.4.4.2 PKI Framework 273 7.4.4.3 Components of a PKI 274 7.4.4.4 PKI Usage Scenarios 274
7.4.5 PKI Standards 275 7.4.5.1 Interoperability of Different PKI Vendors 275 7.4.5.2 X.509 Standard 275 7.4.5.3 Public-Key Cryptography Standards 276 7.4.5.4 Simple Certificate Enrollment Protocol 276
7.4.6 Certificate Authorities 277 7.4.6.1 Single-Root PKI Topology 277 7.4.6.2 Hierarchical CA Topology 277 7.4.6.3 Complex PKI Topology 278
7.4.7 Digital Certificates and CAs 279 7.4.7.1 Step 1: Retrieve CA Certificates 279 7.4.7.2 Step 2: Submit Certificate Requests to the CA 279 7.4.7.3 Step 3: Authenticate End Points 279 7.4.7.4 PKI Summary 280
7.5 Summary 280
7.5.1.1 Lab - Exploring Encryption Methods 280 7.5.1.2 Summary 281
Your Chapter Notes 282

Chapter 8 Implementing Virtual Private Networks 283
8.0 Introduction 283
8.1 VPNs 283
8.1.1 VPN Overview 283 8.1.1.1 Introducing VPNs 283 8.1.1.2 Types of VPNs 284
8.1.2 VPN Topologies 285 8.1.2.1 Site-to-Site and Remote-Access VPNs 285 8.1.2.2 Site-to-Site VPN 285 8.1.2.3 Remote-Access VPN 285 8.1.2.4 VPN Client Software Options 286 8.1.2.5 Cisco IOS SSL VPN 286
8.1.3 VPN Solutions 287 8.1.3.1 Cisco VPN Product Lines 287 8.1.3.2 Cisco IOS VPN Feature Support 288 8.1.3.3 VPN Services with Cisco ASA 288 8.1.3.4 Cisco IPsec VPN Clients 289 8.1.3.5 Cisco VPN Hardware Modules 290
8.2 GRE VPNs 290
8.2.1 Configuring a Site-to-Site GRE Tunnel 290 8.2.1.1 Introduction to GRE Tunnels 290 8.2.1.2 GRE Header 291 8.2.1.3 Configuring GRE 291 8.2.1.4 GRE with IPsec 291
8.3 IPsec VPN Components and Operation 292
8.3.1 Introducing IPsec 292 8.3.1.1 IPsec as an IETF Standard 292 8.3.1.2 Confidentiality 293 8.3.1.3 Integrity 293 8.3.1.4 Authentication 294 8.3.1.5 Secure Key Exchange 295
8.3.2 IPsec Security Protocols 296 8.3.2.1 IPsec Framework Protocols 296 8.3.2.2 Authentication Header 296 8.3.2.3 ESP 297 8.3.2.4 Encryption and Authentication with ESP 297 8.3.2.5 Transport and Tunnel Modes 297
8.3.3 Internet Key Exchange 298 8.3.3.1 Security Associations 298 8.3.3.2 IKE Phase 1 and Phase 2 299 8.3.3.3 Three Key Exchanges 299 8.3.3.4 Aggressive Mode 300 8.3.3.5 IKE Phase 2 300
8.4 Implementing Site-to-Site IPsec VPNs with CLI 301
8.4.1 Configuring a Site-to-Site IPsec VPN 301 8.4.1.1 IPsec VPN Negotiation 301 8.4.1.2 IPsec Configuration Tasks 301
8.4.2 Task 1 - Configure Compatible ACLs 302 8.4.2.1 Protocols 50 and 51 and UDP Port 500 302 8.4.2.2 Configure Compatible ACLs 302
8.4.3 Task 2 - Configure IKE 303 8.4.3.1 IKE Parameters for ISAKMP 303 8.4.3.2 Negotiating ISAKMP Policies 303 8.4.3.3 Pre-Shared Keys 304
8.4.4 Task 3 - Configure the Transform Sets 304 8.4.4.1 Defining Transform Sets 304 8.4.4.2 Configuring the Transform Sets 305
8.4.5 Task 4 - Configure the Crypto ACLs 305 8.4.5.1 Defining Crypto ACLs 305 8.4.5.2 Crypto ACL Syntax 305 8.4.5.3 Symmetric Crypto ACLs 306
8.4.6 Task 5 - Apply the Crypto Map 306 8.4.6.1 Defining Crypto Maps 306 8.4.6.2 Crypto Map Syntax 307 8.4.6.3 Applying the Crypto Map 308
8.4.7 Verify and Troubleshoot the IPsec Configuration 308 8.4.7.1 Commands to Verify and Troubleshoot IPsec Configuration 308 8.4.7.2 IPsec show Commands 308 8.4.7.3 Verifying Security Associations 309 8.4.7.4 Troubleshooting VPN Connectivity 309
8.5 Implementing Site-to-Site IPsec VPNs with CCP 309
8.5.1 Configuring IPsec Using CCP 309 8.5.1.1 Steps for IPsec VPN Configuration with CCP 309 8.5.1.2 CCP VPN Wizards 309 8.5.1.3 Site-to-Site VPN Wizard 310 8.5.1.4 Quick Setup and Step-by-Step Wizard 310
8.5.2 VPN Wizard - Quick Setup 310 8.5.2.1 Quick Setup 310 8.5.2.2 Finishing Quick Setup 311
8.5.3 VPN Wizard - Step by Step Setup 311 8.5.3.1 Step by Step Wizard 311 8.5.3.2 IKE Proposal 312 8.5.3.3 Transform Set 312 8.5.3.4 Traffic to Protect 312 8.5.3.5 Configuration Summary 313
8.5.4 Verifying, Monitoring, and Troubleshooting VPNs 313 8.5.4.1 Testing the Tunnel 313 8.5.4.2 View IPsec Tunnels 313
8.6 Implementing Remote-Access VPNs 314
8.6.1 A Shift to Telecommuting 314 8.6.1.1 Advantages of Telecommuting 314 8.6.1.2 Benefits of Telecommuting 314 8.6.1.3 Teleworker WAN Connection Options 314
8.6.2 Introducing Remote-Access VPNs 315 8.6.2.1 Remote-Access VPN Options 315 8.6.2.2 Access Requirements Determine Remote-Access VPN 315
8.6.3 SSL VPNs 316 8.6.3.1 Cisco IOS SSL VPN Technology 316 8.6.3.2 Types of SSL VPN Access 317 8.6.3.3 Full Client Access Mode 317 8.6.3.4 Steps to Establishing SSL VPN 318 8.6.3.5 SSL VPN Design 318
8.6.4 Cisco Easy VPN 319 8.6.4.1 Introducing Cisco Easy VPN 319 8.6.4.2 Cisco Easy VPN Endpoints 320 8.6.4.3 Cisco Easy VPN Connection Steps 320
8.6.5 Configuring a VPN Server with CCP 321 8.6.5.1 CCP Tasks for Cisco Easy VPN Server 321 8.6.5.2 Initial Easy VPN Server Steps 321 8.6.5.3 Selecting the Transform Set 321 8.6.5.4 Group Authorization and Group Policy Lookup 322 8.6.5.5 Easy VPN Server Summary 322
8.6.6 Connecting with a VPN Client 322 8.6.6.1 Introducing Cisco VPN Client 322 8.6.6.2 Connection Status 323
8.7 Summary 323
8.7.1.1 Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP 323 8.7.1.2 Lab - Configuring a Remote Access VPN Server and Client 323 8.7.1.3 Lab - (Optional) Configuring a Remote Access VPN Server and Client 324 8.7.1.4 Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN using CLI 324 8.7.1.5 Summary 324
Your Chapter Notes 326

Chapter 9 Implementing the Cisco Adaptive Security Appliance 327
9.0 Introduction 327
9.1 Introduction to the ASA 328
9.1.1 Overview of the ASA 328 9.1.1.1 Overview of ASA Firewalls 328 9.1.1.2 Review of Firewalls in Network Design 329 9.1.1.3 Stateful Firewall Review 330 9.1.1.4 ASA Firewall Modes and Features 331 9.1.1.5 ASA Licensing Requirements 332
9.1.2 Basic ASA Configuration 332 9.1.2.1 Overview of ASA 5505 332 9.1.2.2 ASA Security Levels 333 9.1.2.3 ASA 5505 Deployment Scenarios 334
9.2 ASA Firewall Configuration 335
9.2.1 Introduction to the ASA Firewall Configuration 335 9.2.1.1 Introduce Basic ASA Settings 335 9.2.1.2 ASA Default Configuration 336 9.2.1.3 ASA Interactive Setup Initialization Wizard 337
9.2.2 Configuring Management Settings and Services 337 9.2.2.1 Configuring Basic Settings 337 9.2.2.2 Configuring Interfaces 338 9.2.2.3 Verifying Basic Settings 340 9.2.2.4 Configuring a Default Static Route 340 9.2.2.5 Configuring Remote Access Services 340 9.2.2.6 Configuring Network Time Protocol Services 341 9.2.2.7 Configuring DHCP Services 341
9.2.3 Introduction to ASDM 342 9.2.3.1 Overview of ASDM 342 9.2.3.2 Starting ASDM 343 9.2.3.3 ASDM Dashboard 344 9.2.3.4 Configuring Management Settings in ASDM 345 9.2.3.5 Configuring Management Services in ASDM 346
9.2.4 ASDM Wizards 346 9.2.4.1 ASDM Wizards 346 9.2.4.2 The Startup Wizard 346 9.2.4.3 Different Types of VPN Wizards 347 9.2.4.4 Other Wizards 348
9.2.5 Object Groups 348 9.2.5.1 Introduction to Objects and Object Groups 348 9.2.5.2 Configuring Network Objects 349 9.2.5.3 Configuring Service Objects 349 9.2.5.4 Object Groups 350 9.2.5.5 Configuring Object Groups 351 9.2.5.6 Objects in ASDM 352
9.2.6 ACLs 352 9.2.6.1 ASA ACLs 352 9.2.6.2 Types of ASA ACL Filtering 353 9.2.6.3 Types of ASA ACLs 353 9.2.6.4 Configuring ACLs 354 9.2.6.5 ACL and Object Groups 355 9.2.6.6 ACL Using Object Groups Examples 355 9.2.6.7 Configuring ACLs Using ASDM 356
9.2.7 NAT Services on an ASA 356 9.2.7.1 ASA NAT Overview 356 9.2.7.2 Configuring NAT and PAT 357 9.2.7.3 Configuring NAT and PAT Examples 358 9.2.7.4 Configuring Static NAT Example 358 9.2.7.5 Configuring Dynamic NAT and PAT in ASDM 359 9.2.7.6 Configuring Static NAT in ASDM 360
9.2.8 AAA in ASDM 360 9.2.8.1 AAA Review 360 9.2.8.2 Local Database and Servers 361 9.2.8.3 Sample AAA Configuration 362 9.2.8.4 Configuring AAA Authentication 362 9.2.8.5 Binding the Authentication 362
9.2.9 Service Policies on an ASA 363 9.2.9.1 Overview of MPF 363 9.2.9.2 Configuring Class Maps 363 9.2.9.3 Configuring the Policy Map and Service Policy 365 9.2.9.4 ASA Default Policy 366 9.2.9.5 Configuring a Service Policy Using ASDM 366
9.3 ASA VPN Configuration 366
9.3.1 ASA Remote-Access VPN Options 366 9.3.1.1 Implementing SSL VPNs Using Cisco ASA 366 9.3.1.2 IPsec versus SSL 367 9.3.1.3 Remote-Access Solutions 368 9.3.1.4 Cisco AnyConnect 368 9.3.1.5 AnyConnect for Mobile Devices 369
9.3.2 Configuring Clientless SSL VPN 369 9.3.2.1 Configuring SSL VPN on ASA Using the AnyConnect Client 369 9.3.2.2 Sample VPN Topology 370 9.3.2.3 Clientless SSL VPN 370 9.3.2.4 Clientless SSL VPN (Cont.) 370 9.3.2.5 Verifying Clientless SSL VPN 371 9.3.2.6 Generated CLI Config 372
9.3.3 Configuring AnyConnect SSL VPN 372 9.3.3.1 Configuring SSL VPN AnyConnect 372 9.3.3.2 Sample SSL VPN Topology 373 9.3.3.3 AnyConnect SSL VPN 373 9.3.3.4 AnyConnect SSL VPN (Cont.) 374 9.3.3.5 Verifying AnyConnect Connection 375 9.3.3.6 Verifying AnyConnect Connection (Cont.) 375 9.3.3.7 Generated CLI Configuration 376
9.4 Summary 376
9.4.1.1 Lab - Configuring ASA Basic Settings and Firewall Using CLI 376 9.4.1.2 Lab - Configuring ASA Basic Settings and Firewall Using ASDM 377 9.4.1.3 Lab - Configuring Clientless and AnyConnect Remote Access SSL VPNs Using ASDM 377 9.4.1.4 Lab - Configuring a Site-to-Site IPsec VPN Using CCP and ASDM 377 9.4.1.5 Packet Tracer - Configuring ASA Basic Settings and Firewall Using CLI 377 9.4.1.6 Summary 378
Your Chapter Notes 379

Chapter 10 Managing a Secure Network 381
10.0 Introduction 381
10.1 Principles of Secure Network Design 382
10.1.1 Ensuring a Network Is Secure 382 10.1.1.1 Security Policies 382 10.1.1.2 Avoid Wrong Assumptions 383
10.1.2 Threat Identification and Risk Analysis 384 10.1.2.1 Identifying Threats 384 10.1.2.2 Risk Analysis in IT 384 10.1.2.3 Single Loss Expectancy Quantitative Risk Analysis 385 10.1.2.4 Annualized Rate of Occurrence Quantitative Risk Analysis 386 10.1.2.5 Why Perform a Quantitative Risk Analysis?
387 10.1.3 Risk Management and Risk Avoidance 387 10.1.3.1 Methods of Handling Risks 387 10.1.3.2 Risk Management 388 10.1.3.3 Risk Avoidance 388 10.2 Security Architecture 389 10.2.1 Introducing the Cisco SecureX Architecture 389 10.2.1.1 Borderless Networks 389 10.2.1.2 SecureX Security Architecture 389 10.2.1.3 Centralized Context-Aware Network Scanning Element 390 10.2.1.4 Cisco Security Intelligence Operations 391 10.2.2 Solutions for the Cisco SecureX Architecture 391 10.2.2.1 SecureX Products 391 10.2.2.2 Cisco Secure Edge and Branch 392 10.2.2.3 Secure Email and Web 392 10.2.2.4 Secure Access 392 10.2.2.5 Secure Mobility 393 10.2.2.6 Secure Data Center and Virtualization 394 10.2.2.7 Network Security Services 395 10.3 Operations Security 395 10.3.1 Introducing Operations Security 395 10.3.1.1 Operation Security 395 10.3.1.2 Overview of the Operations Team 396 10.3.2 Principles of Operations Security 396 10.3.2.1 Separation of Duties 396 10.3.2.2 Rotation of Duties 397 10.3.2.3 Trusted Recovery 397 10.3.2.4 Configuration and Change Control 398 10.4 Network Security Testing 399 10.4.1 Introducing Network Security Testing 399 10.4.1.1 Network Security Testing 399 10.4.1.2 Types of Network Tests 399 10.4.1.3 Applying Network Test Results 400 10.4.2 Network Security Testing Tools 400 10.4.2.1 Network Testing Tools 400 10.4.2.2 Nmap 401 10.4.2.3 SuperScan 402 10.5 Business Continuity Planning and Disaster Recovery 402 10.5.1 Continuity Planning and Disaster Recovery 402 10.5.1.1 Business Continuity Planning 402 10.5.1.2 Disaster Recovery 403 10.5.2 Recovery Plans and Redundancy 403 10.5.2.1 Recovery Plans 403 10.5.2.2 Redundancy 403 10.5.3 Secure Copy 404 10.5.3.1 Secure Copy 404 10.5.3.2 SCP Server Configuration 404 10.6 System Development Life Cycle 405 10.6.1 Introducing the SDLC 405 10.6.1.1 System Life Cycle 405 10.6.1.2 Phases of SDLC 405 10.6.2 Phases of the SDLC 406 10.6.2.1 Initiation 406 10.6.2.2 Acquisition and Development 406 10.6.2.3 Implementation 
407 10.6.2.4 Operations and Maintenance 407 10.6.2.5 Disposition 408 10.7 Developing a Comprehensive Security Policy 408 10.7.1 Security Policy Overview 408 10.7.1.1 Secure Network Life Cycle 408 10.7.1.2 Security Policy 408 10.7.1.3 Security Policy Audience 409 10.7.2 Structure of a Security Policy 410 10.7.2.1 Security Policy Hierarchy 410 10.7.2.2 Governing Policy 410 10.7.2.3 Technical Policies 410 10.7.2.4 End User Policies 411 10.7.3 Standards, Guidelines, and Procedures 411 10.7.3.1 Security Policy Documents 411 10.7.3.2 Standards Documents 412 10.7.3.3 Guideline Documents 412 10.7.3.4 Procedure Documents 412 10.7.4 Roles and Responsibilities 413 10.7.4.1 Organizational Reporting Structure 413 10.7.4.2 Common Executive Titles 413 10.7.5 Security Awareness and Training 413 10.7.5.1 Security Awareness Program 413 10.7.5.2 Awareness Campaigns 414 10.7.5.3 Security Training Course 414 10.7.5.4 Educational Program 415 10.7.6 Laws and Ethics 416 10.7.6.1 Laws 416 10.7.6.2 Ethics 416 10.7.6.3 Code of Ethics 417 10.7.7 Responding to a Security Breach 418 10.7.7.1 Motive, Opportunity, and Means 418 10.7.7.2 Collecting Data 419 10.8 Summary 419 10.8.1.1 Lab - CCNA Security Comprehensive Lab 419 10.8.1.2 Packet Tracer - Skills Integration Challenge 420 10.8.1.3 Summary 420 Your Chapter Notes 422 Glossary 423 9781587133466 TOC 9/8/2014show more