CCNP Security Firewall 642-617 Official Cert Guide

4.83 (6 ratings by Goodreads)
By (author) David Hucaby, Dave Garneau, Anthony Sequeira

List price: US$69.99

CCNP Security FIREWALL 642-617 Official Cert Guide
David Hucaby, CCIE No. 4594; Dave Garneau; Anthony Sequeira, CCIE No. 15626

Learn, prepare, and practice for exam success:
  • Master CCNP Security FIREWALL 642-617 exam topics
  • Assess your knowledge with chapter-opening quizzes
  • Review key concepts with exam preparation tasks
  • Practice with realistic exam questions on the CD-ROM

CCNP Security FIREWALL 642-617 Official Cert Guide is a best-of-breed Cisco exam study guide that focuses specifically on the objectives for the CCNP Security FIREWALL exam. Senior security consultants and instructors David Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNP Security FIREWALL 642-617 Official Cert Guide presents you with an organized test-preparation routine through the use of proven series elements and techniques. "Do I Know This Already?" quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. The companion CD-ROM contains the powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

CCNP Security FIREWALL 642-617 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit

The official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including:
  • ASA interfaces
  • IP connectivity
  • ASA management
  • Recording ASA activity
  • Address translation
  • Access control
  • Proxy services
  • Traffic inspection and handling
  • Transparent firewall mode
  • Virtual firewalls
  • High availability
  • ASA service modules

Companion CD-ROM: The CD-ROM contains a free, complete practice exam. Includes Exclusive Offer for 70% Off Premium Edition eBook and Practice Test.

Pearson IT Certification Practice Test minimum system requirements:
  • Windows XP (SP3), Windows Vista (SP2), or Windows 7
  • Microsoft .NET Framework 4.0 Client
  • Microsoft SQL Server Compact 4.0
  • Pentium class 1 GHz processor (or equivalent)
  • 512 MB RAM
  • 650 MB disc space plus 50 MB for each downloaded practice exam

This volume is part of the Official Cert Guide Series from Cisco Press. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

Category: Cisco Press--Cisco Certification
Covers: CCNP Security FIREWALL 642-617

Product details

  • Mixed media product | 768 pages
  • 187.96 x 233.68 x 45.72mm | 1,383.45g
  • Pearson Education (US)
  • Cisco Press
  • Indianapolis, United States
  • English
  • ISBN-10: 1587142791
  • ISBN-13: 9781587142796
  • 686,838

Table of contents

Introduction

Chapter 1: Cisco ASA Adaptive Security Appliance Overview
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Firewall Overview
  • Firewall Techniques
  • Stateless Packet Filtering
  • Stateful Packet Filtering
  • Stateful Packet Filtering with Application Inspection and Control
  • Network Intrusion Prevention System
  • Network Behavior Analysis
  • Application Layer Gateway (Proxy)
  • Cisco ASA Features
  • Selecting a Cisco ASA Model
  • ASA 5505
  • ASA 5510, 5520, and 5540
  • ASA 5550
  • ASA 5580
  • Security Services Modules
  • Advanced Inspection and Prevention (AIP) SSM
  • Content Security and Control (CSC) SSM
  • 4-Port Gigabit Ethernet (4GE) SSM
  • ASA 5585-X
  • ASA Performance Breakdown
  • Selecting ASA Licenses
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms

Chapter 2: Working with a Cisco ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Using the CLI
  • Entering Commands
  • Command Help
  • Command History
  • Searching and Filtering Command Output
  • Terminal Screen Format
  • Using Cisco ASDM
  • Understanding the Factory Default Configuration
  • Working with Configuration Files
  • Clearing an ASA Configuration
  • Working with the ASA File System
  • Navigating an ASA Flash File System
  • Working with Files in an ASA File System
  • Reloading an ASA
  • Upgrading the ASA Software at the Next Reload
  • Performing a Reload
  • Manually Upgrading the ASA Software During a Reload
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 3: Configuring ASA Interfaces
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Configuring Physical Interfaces
  • Default Interface Configuration
  • Configuring Physical Interface Parameters
  • Mapping ASA 5505 Interfaces to VLANs
  • Configuring Interface Redundancy
  • Configuring VLAN Interfaces
  • VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms
  • VLAN Interfaces and Trunks on an ASA 5505
  • Configuring Interface Security Parameters
  • Naming the Interface
  • Assigning an IP Address
  • Setting the Security Level
  • Interface Security Parameters Example
  • Configuring the Interface MTU
  • Verifying Interface Operation
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 4: Configuring IP Connectivity
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Deploying DHCP Services
  • Configuring a DHCP Relay
  • Configuring a DHCP Server
  • Using Routing Information
  • Configuring Static Routing
  • Tracking a Static Route
  • Routing with RIPv2
  • Routing with EIGRP
  • Routing with OSPF
  • An Example OSPF Scenario
  • Verifying the ASA Routing Table
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 5: Managing a Cisco ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Basic Device Settings
  • Configuring Device Identity
  • Configuring Basic Authentication
  • Verifying Basic Device Settings
  • Configuring Name-to-Address Mappings
  • Configuring Local Name-to-Address Mappings
  • Configuring DNS Server Groups
  • Verifying Name-to-Address Mappings
  • File System Management
  • File System Management Using ASDM
  • File System Management Using the CLI
  • dir
  • more
  • copy
  • delete
  • rename
  • mkdir
  • rmdir
  • cd
  • pwd
  • fsck
  • format or erase
  • Managing Software and Feature Activation
  • Managing Cisco ASA Software and ASDM Images
  • Upgrading Files from a Local PC or Directly from
  • License Management
  • Upgrading the Image and Activation Key at the Same Time
  • Cisco ASA Software and License Verification
  • Configuring Management Access
  • Overview of Basic Procedures
  • Configuring Remote Management Access
  • Configuring an Out-of-Band Management Interface
  • Configuring Remote Access Using Telnet
  • Configuring Remote Access Using SSH
  • Configuring Remote Access Using HTTPS
  • Creating a Permanent Self-Signed Certificate
  • Obtaining an Identity Certificate by PKI Enrollment
  • Deploying an Identity Certificate
  • Configuring Management Access Banners
  • Controlling Management Access with AAA
  • Creating Users in the Local Database
  • Using Simple Password-Only Authentication
  • Configuring AAA Access Using the Local Database
  • Configuring AAA Access Using Remote AAA Server(s)
  • Step 1: Create an AAA Server Group and Configure How Servers in the Group Are Accessed
  • Step 2: Populate the Server Group with Member Servers
  • Step 3: Enable User Authentication for Each Remote Management Access Channel
  • Configuring Cisco Secure ACS for Remote Authentication
  • Configuring AAA Command Authorization
  • Configuring Local AAA Command Authorization
  • Configuring Remote AAA Command Authorization
  • Configuring Remote AAA Accounting
  • Verifying AAA for Management Access
  • Configuring Monitoring Using SNMP
  • Troubleshooting Remote Management Access
  • Cisco ASA Password Recovery
  • Performing Password Recovery
  • Enabling or Disabling Password Recovery
  • Exam Preparation Tasks
  • Review All Key Topics
  • Command Reference to Check Your Memory

Chapter 6: Recording ASA Activity
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • System Time
  • NTP
  • Verifying System Time Settings
  • Managing Event and Session Logging
  • NetFlow Support
  • Logging Message Format
  • Message Severity
  • Configuring Event and Session Logging
  • Configuring Global Logging Properties
  • Altering Settings of Specific Messages
  • Configuring Event Filters
  • Configuring Individual Event Destinations
  • Internal Buffer
  • ASDM
  • Syslog Server(s)
  • Email
  • NetFlow
  • Telnet or SSH Sessions
  • Verifying Event and Session Logging
  • Implementation Guidelines
  • Troubleshooting Event and Session Logging
  • Troubleshooting Commands
  • Exam Preparation Tasks
  • Review All Key Topics
  • Command Reference to Check Your Memory

Chapter 7: Using Address Translation
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Understanding How NAT Works
  • Enforcing NAT
  • Address Translation Deployment Options
  • NAT Versus PAT
  • Input Parameters
  • Deployment Choices
  • NAT Exemption
  • Configuring NAT Control
  • Configuring Dynamic Inside NAT
  • Configuring Dynamic Inside PAT
  • Configuring Dynamic Inside Policy NAT
  • Verifying Dynamic Inside NAT and PAT
  • Configuring Static Inside NAT
  • Configuring Network Static Inside NAT
  • Configuring Static Inside PAT
  • Configuring Static Inside Policy NAT
  • Verifying Static Inside NAT and PAT
  • Configuring No-Translation Rules
  • Configuring Dynamic Identity NAT
  • Configuring Static Identity NAT
  • Configuring NAT Bypass (NAT Exemption)
  • NAT Rule Priority with NAT Control Enabled
  • Configuring Outside NAT
  • Other NAT Considerations
  • DNS Rewrite (Also Known as DNS Doctoring)
  • Integrating NAT with ASA Access Control
  • Integrating NAT with MPF
  • Integrating NAT with AAA (Cut-Through Proxy)
  • Troubleshooting Address Translation
  • Improper Translation
  • Protocols Incompatible with NAT or PAT
  • Proxy ARP
  • NAT-Related Syslog Messages
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 8: Controlling Access Through the ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Understanding How Access Control Works
  • State Tables
  • Connection Table
  • TCP Connection Flags
  • Inside and Outside, Inbound and Outbound
  • Local Host Table
  • State Table Logging
  • Understanding Interface Access Rules
  • Stateful Filtering
  • Interface Access Rules and Interface Security Levels
  • Interface Access Rules Direction
  • Configuring Interface Access Rules
  • Access Rule Logging
  • Cisco ASDM Public Server Wizard
  • Configuring Access Control Lists from the CLI
  • Implementation Guidelines
  • Time-Based Access Rules
  • Configuring Time Ranges from the CLI
  • Verifying Interface Access Rules
  • Managing Rules in Cisco ASDM
  • Managing Access Rules from the CLI
  • Organizing Access Rules Using Object Groups
  • Verifying Object Groups
  • Configuring and Verifying Other Basic Access Controls
  • uRPF
  • Shunning
  • Troubleshooting Basic Access Control
  • Examining Syslog Messages
  • Packet Capture
  • Packet Tracer
  • Suggested Approach to Access Control Troubleshooting
  • Exam Preparation Tasks
  • Review All Key Topics
  • Command Reference to Check Your Memory

Chapter 9: Inspecting Traffic
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Understanding the Modular Policy Framework
  • Configuring the MPF
  • Configuring a Policy for Inspecting OSI Layers 3 and 4
  • Step 1: Define a Layer 3-4 Class Map
  • Step 2: Define a Layer 3-4 Policy Map
  • Step 3: Apply the Policy Map to the Appropriate Interfaces
  • Creating a Security Policy in ASDM
  • Tuning Basic Layer 3-4 Connection Limits
  • Inspecting TCP Parameters with the TCP Normalizer
  • Configuring ICMP Inspection
  • Configuring Dynamic Protocol Inspection
  • Configuring Custom Protocol Inspection
  • Configuring a Policy for Inspecting OSI Layers 5-7
  • Configuring HTTP Inspection
  • Configuring HTTP Inspection Policy Maps Using the CLI
  • Configuring HTTP Inspection Policy Maps Using ASDM
  • Configuring FTP Inspection
  • Configuring FTP Inspection Using the CLI
  • Configuring FTP Inspection Using ASDM
  • Configuring DNS Inspection
  • Creating and Applying a DNS Inspection Policy Map Using the CLI
  • Creating and Applying a DNS Inspection Policy Map Using ASDM
  • Configuring ESMTP Inspection
  • Configuring an ESMTP Inspection with the CLI
  • Configuring an ESMTP Inspection with ASDM
  • Configuring a Policy for ASA Management Traffic
  • Detecting and Filtering Botnet Traffic
  • Configuring Botnet Traffic Filtering with the CLI
  • Step 1: Configure the Dynamic Database
  • Step 2: Configure the Static Database
  • Step 3: Enable DNS Snooping
  • Step 4: Enable the Botnet Traffic Filter
  • Configuring Botnet Traffic Filtering with ASDM
  • Step 1: Configure the Dynamic Database
  • Step 2: Configure the Static Database
  • Step 3: Enable DNS Snooping
  • Step 4: Enable the Botnet Traffic Filter
  • Using Threat Detection
  • Configuring Threat Detection with the CLI
  • Step 1: Configure Basic Threat Detection
  • Step 2: Configure Advanced Threat Detection
  • Step 3: Configure Scanning Threat Detection
  • Configuring Threat Detection in ASDM
  • Step 1: Configure Basic Threat Detection
  • Step 2: Configure Advanced Threat Detection
  • Step 3: Configure Scanning Threat Detection
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 10: Using Proxy Services to Control Access
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • User-Based (Cut-Through) Proxy Overview
  • User Authentication
  • AAA on the ASA
  • AAA Deployment Options
  • User-Based Proxy Preconfiguration Steps and Deployment Guidelines
  • User-Based Proxy Preconfiguration Steps
  • User-Based Proxy Deployment Guidelines
  • Direct HTTP Authentication with the Cisco ASA
  • HTTP Redirection
  • Virtual HTTP
  • Direct Telnet Authentication
  • Configuration Steps of User-Based Proxy
  • Configuring User Authentication
  • Configuring an AAA Group
  • Configuring an AAA Server
  • Configuring the Authentication Rules
  • Verifying User Authentication
  • Configuring HTTP Redirection
  • Configuring the Virtual HTTP Server
  • Configuring Direct Telnet
  • Configuring Authentication Prompts and Timeouts
  • Configuring Authentication Prompts
  • Configuring Authentication Timeouts
  • Configuring User Authorization
  • Configuring Downloadable ACLs
  • Configuring User Session Accounting
  • Using Proxy for IP Telephony and Unified TelePresence
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 11: Handling Traffic
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Handling Fragmented Traffic
  • Prioritizing Traffic
  • Controlling Traffic Bandwidth
  • Configuring Traffic Policing Parameters
  • Configuring Traffic Shaping Parameters
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 12: Using Transparent Firewall Mode
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Firewall Mode Overview
  • Configuring Transparent Firewall Mode
  • Controlling Traffic in Transparent Firewall Mode
  • Using ARP Inspection
  • Disabling MAC Address Learning
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 13: Creating Virtual Firewalls on the ASA
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Cisco ASA Virtualization Overview
  • The System Configuration, the System Context, and Other Security Contexts
  • Virtual Firewall Deployment Guidelines
  • Deployment Choices
  • Deployment Guidelines
  • Limitations
  • Configuration Tasks Overview
  • Configuring Security Contexts
  • The Admin Context
  • Configuring Multiple Mode
  • Creating a Security Context
  • Verifying Security Contexts
  • Managing Security Contexts
  • Packet Classification
  • Changing the Admin Context
  • Configuring Resource Management
  • The Default Class
  • Creating a New Resource Class
  • Verifying Resource Management
  • Troubleshooting Security Contexts
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 14: Deploying High Availability Features
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • ASA Failover Overview
  • Failover Roles
  • Detecting an ASA Failure
  • Configuring Active-Standby Failover Mode
  • Step 1: Configure the Primary Failover Unit
  • Step 2: Configure Failover on the Secondary Device
  • Scenario for Configuring Active-Standby Failover Mode
  • Configuring Active-Standby Failover with the ASDM Wizard
  • Configuring Active-Standby Failover Manually in ASDM
  • Configuring Active-Active Failover Mode
  • Step 1: Configure the Primary ASA Unit
  • Step 2: Configure the Secondary ASA Unit
  • Scenario for Configuring Active-Active Failover Mode
  • Tuning Failover Operation
  • Configuring Failover Timers
  • Configuring Failover Health Monitoring
  • Detecting Asymmetric Routing
  • Administering Failover
  • Verifying Failover Operation
  • Leveraging Failover for a Zero Downtime Upgrade
  • Exam Preparation Tasks
  • Review All Key Topics
  • Define Key Terms
  • Command Reference to Check Your Memory

Chapter 15: Integrating ASA Service Modules
  • "Do I Know This Already?" Quiz
  • Foundation Topics
  • Cisco ASA Security Services Modules Overview
  • Module Components
  • General Deployment Guidelines
  • Overview of the Cisco ASA Content Security and Control SSM
  • Cisco Content Security and Control SSM Licensing
  • Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC
  • Inline Operation
  • Promiscuous Operation
  • Supported Cisco IPS Software Features
  • Installing the ASA AIP-SSM and AIP-SSC
  • The Cisco AIP-SSM and AIP-SSC Ethernet Connections
  • Failure Management Modes
  • Managing Basic Features
  • Initializing the AIP-SSM and AIP-SSC
  • Configuring the AIP-SSM and AIP-SSC
  • Integrating the ASA CSC-SSM
  • Installing the CSC-SSM
  • Ethernet Connections
  • Managing the Basic Features
  • Initializing the Cisco CSC-SSM
  • Configuring the CSC-SSM
  • Exam Preparation Tasks
  • Review All Key Topics
  • Definitions of Key Terms
  • Command Reference to Check Your Memory

Chapter 16: Final Preparation
  • Tools for Final Preparation
  • Pearson Cert Practice Test Engine and Questions on the CD
  • Install the Software from the CD
  • Activate and Download the Practice Exam
  • Activating Other Exams
  • Premium Edition
  • The Cisco Learning Network
  • Chapter-Ending Review Tools
  • Suggested Plan for Final Review/Study
  • Using the Exam Engine
  • Summary

Appendix A: Answers to the "Do I Know This Already?" Quizzes
Appendix B: CCNP Security 642-617 FIREWALL Exam Updates: Version 1.0
Appendix C: Traffic Analysis Tools
Glossary

About the authors

David Hucaby, CCIE No. 4594, is a network architect for the University of Kentucky, where he works with healthcare networks based on the Cisco Catalyst, ASA, FWSM, and Unified Wireless product lines. David has a bachelor of science degree and master of science degree in electrical engineering from the University of Kentucky. He is the author of several Cisco Press titles, including Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition; Cisco Firewall Video Mentor; Cisco LAN Switching Video Mentor; and CCNP SWITCH Exam Certification Guide. David lives in Kentucky with his wife, Marci, and two daughters.

Dave Garneau is a senior member of the Network Security team at Rackspace Hosting, Inc., a role he started during the creation of this book. Before that, he was the principal consultant and senior technical instructor at The Radix Group, Ltd. In that role, Dave trained more than 3000 students in nine countries on Cisco technologies, mostly focusing on the Cisco security products line, and worked closely with Cisco in establishing the new Cisco Certified Network Professional Security (CCNP Security) curriculum. Dave has a bachelor of science degree in mathematics from Metropolitan State College of Denver (now being renamed Denver State University). Dave lives in San Antonio, Texas, with his wife, Vicki.

Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor and author regarding all levels and tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion: teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company KnowledgeNet, and Anthony trained there for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor for the next generation of KnowledgeNet, StormWind.
