Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam. --Master Cisco CCNA Security 210-260 Official Cert Guide exam topics --Assess your knowledge with chapter-opening quizzes --Review key concepts with exam preparation tasks   This is the eBook edition of the CCNA Security 210-260 Official Cert Guide. This eBook does not include the companion CD-ROM with practice exam that comes with the print edition.     CCNA Security 210-260 Official Cert Guide presents you with an organized test-preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.   CCNA Security 210-260 Official Cert Guide focuses specifically on the objectives for the Cisco CCNA Security exam. Networking Security experts Omar Santos and John Stuppi share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.   Well regarded for its level of detail, assessment features, comprehensive design scenarios, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.     The official study guide helps you master all the topics on the CCNA Security exam, including   --Networking security concepts --Common security threats --Implementing AAA using IOS and ISE --Bring Your Own Device (BYOD) --Fundamentals of VPN technology and cryptography --Fundamentals of IP security --Implementing IPsec site-to-site VPNs --Implementing SSL remote-access VPNs using Cisco ASA --Securing Layer 2 technologies --Network Foundation Protection (NFP) --Securing the management plane on Cisco IOS devices --Securing the data plane --Securing routing protocols and the control plane --Understanding firewall fundamentals --Implementing Cisco IOS zone-based firewalls --Configuring basic firewall policies on Cisco ASA --Cisco IPS fundamentals --Mitigation technologies for e-mail- and web-based threats --Mitigation technologies for endpoint threats    CCNA Security 210-260 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit http://www.cisco.com/web/learning/index.html.

Table of Contents:
Introduction xxvi Part I Fundamentals of Network Security Chapter 1 Networking Security Concepts 3 “Do I Know This Already?” Quiz 3 Foundation Topics 6 Understanding Network and Information Security Basics 6     Network Security Objectives 6     Confidentiality, Integrity, and Availability 6     Cost-Benefit Analysis of Security 7     Classifying Assets 8     Classifying Vulnerabilities 10     Classifying Countermeasures 10     What Do We Do with the Risk? 11 Recognizing Current Network Threats 12     Potential Attackers 12     Attack Methods 13     Attack Vectors 14     Man-in-the-Middle Attacks 14     Other Miscellaneous Attack Methods 15 Applying Fundamental Security Principles to Network Design 16     Guidelines 16     Network Topologies 17     Network Security for a Virtual Environment 20     How It All Fits Together 22 Exam Preparation Tasks 23 Review All the Key Topics 23 Complete the Tables and Lists from Memory 23 Define Key Terms 23 Chapter 2 Common Security Threats 25 “Do I Know This Already?” Quiz 25 Foundation Topics 27 Network Security Threat Landscape 27 Distributed Denial-of-Service Attacks 27 Social Engineering Methods 28     Social Engineering Tactics 29     Defenses Against Social Engineering 29 Malware Identification Tools 30     Methods Available for Malware Identification 30     Data Loss and Exfiltration Methods 31 Summary 32 Exam Preparation Tasks 33 Review All the Key Topics 33 Complete the Tables and Lists from Memory 33 Define Key Terms 33 Part II Secure Access Chapter 3 Implementing AAA in Cisco IOS 35 “Do I Know This Already?” Quiz 35 Foundation Topics 38 Cisco Secure ACS, RADIUS, and TACACS 38     Why Use Cisco ACS? 38     On What Platform Does ACS Run? 38     What Is ISE? 39     Protocols Used Between the ACS and the Router 39     Protocol Choices Between the ACS Server and the Client (the Router) 40 Configuring Routers to Interoperate with an ACS Server 41 Configuring the ACS Server to Interoperate with a Router 51 Verifying and Troubleshooting Router-to-ACS Server Interactions 60 Exam Preparation Tasks 67 Review All the Key Topics 67 Complete the Tables and Lists from Memory 67 Define Key Terms 67 Command Reference to Check Your Memory 67 Chapter 4 Bring Your Own Device (BYOD) 71 “Do I Know This Already?” Quiz 71 Foundation Topics 73 Bring Your Own Device Fundamentals 73 BYOD Architecture Framework 74     BYOD Solution Components 74 Mobile Device Management 76     MDM Deployment Options 76         On-Premise MDM Deployment 77         Cloud-Based MDM Deployment 78 Exam Preparation Tasks 80 Review All the Key Topics 80 Complete the Tables and Lists from Memory 80 Define Key Terms 80 Part III Virtual Private Networks (VPN) Chapter 5 Fundamentals of VPN Technology and Cryptography 83 “Do I Know This Already?” Quiz 83 Foundation Topics 87 Understanding VPNs and Why We Use Them 87     What Is a VPN? 87     Types of VPNs 88         Two Main Types of VPNs 88     Main Benefits of VPNs 89         Confidentiality 89         Data Integrity 90         Authentication 90         Antireplay Protection 90 Cryptography Basic Components 91     Ciphers and Keys 91         Ciphers 91         Keys 92     Block and Stream Ciphers 92         Block Ciphers 92         Stream Ciphers 92     Symmetric and Asymmetric Algorithms 92         Symmetric 93         Asymmetric 93     Hashes 94     Hashed Message Authentication Code 95     Digital Signatures 95         Digital Signatures in Action 95     Key Management 96         Next-Generation Encryption Protocols 97     IPsec and SSL 97         IPsec 97         SSL 98 Public Key Infrastructure 99     Public and Private Key Pairs 99     RSA Algorithm, the Keys, and Digital Certificates 99         Who Has Keys and a Digital Certificate? 100         How Two Parties Exchange Public Keys 100         Creating a Digital Signature 100     Certificate Authorities 100     Root and Identity Certificates 101         Root Certificate 101         Identity Certificate 102         Using the Digital Certificates to Get the Peer’s Public Key 103         X.500 and X.509v3 Certificates 103     Authenticating and Enrolling with the CA 104     Public Key Cryptography Standards 105     Simple Certificate Enrollment Protocol 105     Revoked Certificates 105     Uses for Digital Certificates 106     PKI Topologies 106         Single Root CA 107         Hierarchical CA with Subordinate CAs 107         Cross-Certifying CAs 107 Putting the Pieces of PKI to Work 107     ASA’s Default Certificate 108     Viewing the Certificates in ASDM 108     Adding a New Root Certificate 109     Easier Method for Installing Both Root and Identity Certificates 111 Exam Preparation Tasks 116 Review All the Key Topics 116 Complete the Tables and Lists from Memory 117 Define Key Terms 117 Command Reference to Check Your Memory 117 Chapter 6 Fundamentals of IP Security 119 “Do I Know This Already?” Quiz 119 Foundation Topics 122 IPsec Concepts, Components, and Operations 122     The Goal of IPsec 122     The Internet Key Exchange (IKE) Protocol 123     The Play by Play for IPsec 124         Step 1: Negotiate the IKEv1 Phase 1 Tunnel 124         Step 2: Run the DH Key Exchange 125         Step 3: Authenticate the Peer 126         What About the User’s Original Packet? 126         Leveraging What They Have Already Built 126         Now IPsec Can Protect the User’s Packets 127         Traffic Before IPsec 127         Traffic After IPsec 127     Summary of the IPsec Story 128 Configuring and Verifying IPsec 129     Tools to Configure the Tunnels 129     Start with a Plan 129     Applying the Configuration 129     Viewing the CLI Equivalent at the Router 137     Completing and Verifying IPsec 139 Exam Preparation Tasks 146 Review All the Key Topics 146 Complete the Tables and Lists from Memory 146 Define Key Terms 146 Command Reference to Check Your Memory 147 Chapter 7 Implementing IPsec Site-to-Site VPNs 149 “Do I Know This Already?” Quiz 149 Foundation Topics 152 Planning and Preparing an IPsec Site-to-Site VPN 152     Customer Needs 152     Planning IKEv1 Phase 1 154     Planning IKEv1 Phase 2 154 Implementing and Verifying an IPsec Site-to-Site VPN in Cisco IOS Devices 155     Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS 164 Implementing and Verifying an IPsec Site-to-Site VPN in Cisco ASA 179     Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA 193 Exam Preparation Tasks 199 Review All the Key Topics 199 Complete the Tables and Lists from Memory 199 Define Key Terms 199 Command Reference to Check Your Memory 199 Chapter 8 Implementing SSL VPNs Using Cisco ASA 203 “Do I Know This Already?” Quiz 203 Foundation Topics 206 Functions and Use of SSL for VPNs 206     Is IPsec Out of the Picture? 206     SSL and TLS Protocol Framework 207     The Play by Play of SSL for VPNs 207     SSL VPN Flavors 208 Configuring Clientless SSL VPNs on ASA 209     Using the SSL VPN Wizard 209     Digital Certificates 211     Accessing the Connection Profile 211     Authenticating Users 211     Logging In 215     Seeing the VPN Activity from the Server 217 Using the Cisco AnyConnect Secure Mobility Client 217     Types of SSL VPNs 218     Configuring the Cisco ASA to Terminate the Cisco AnyConnect Secure Mobility Client Connections 218     Groups, Connection Profiles, and Defaults 225     One Item with Three Different Names 226     Split Tunneling 227 Troubleshooting SSL VPN 228     Troubleshooting SSL Negotiations 228     Troubleshooting AnyConnect Client Issues 228         Initial Connectivity Issues 228         Traffic-Specific Issues 230 Exam Preparation Tasks 231 Review All the Key Topics 231 Complete the Tables and Lists from Memory 231 Define Key Terms 231 Part IV Secure Routing and Switching Chapter 9 Securing Layer 2 Technologies 233 “Do I Know This Already?” Quiz 233 Foundation Topics 236 VLAN and Trunking Fundamentals 236     What Is a VLAN? 236     Trunking with 802.1Q 238     Following the Frame, Step by Step 239     The Native VLAN on a Trunk 239     So, What Do You Want to Be? (Asks the Port) 239     Inter-VLAN Routing 240     The Challenge of Using Physical Interfaces Only 240     Using Virtual “Sub” Interfaces 240 Spanning-Tree Fundamentals 241     Loops in Networks Are Usually Bad 241     The Life of a Loop 241     The Solution to the Layer 2 Loop 242     STP Is Wary of New Ports 245     Improving the Time Until Forwarding 245 Common Layer 2 Threats and How to Mitigate Them 246     Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too 246     Layer 2 Best Practices 246     Do Not Allow Negotiations 247     Layer 2 Security Toolkit 248     Specific Layer 2 Mitigation for CCNA Security 248         BPDU Guard 248         Root Guard 249         Port Security 250 CDP and LLDP 251 DHCP Snooping 253 Dynamic ARP Inspection 254 Exam Preparation Tasks 257 Review All the Key Topics 257 Complete the Tables and Lists from Memory 258 Review the Port Security Video Included with This Book 258 Define Key Terms 258 Command Reference to Check Your Memory 258 Chapter 10 Network Foundation Protection 261 “Do I Know This Already?” Quiz 261 Foundation Topics 264 Using Network Foundation Protection to Secure Networks 264     The Importance of the Network Infrastructure 264     The Network Foundation Protection Framework 264     Interdependence 265     Implementing NFP 265 Understanding the Management Plane 266     First Things First 266     Best Practices for Securing the Management Plane 267 Understanding the Control Plane 268     Best Practices for Securing the Control Plane 268 Understanding the Data Plane 270     Best Practices for Protecting the Data Plane 271     Additional Data Plane Protection Mechanisms 271 Exam Preparation Tasks 272 Review All the Key Topics 272 Complete the Tables and Lists from Memory 272 Define Key Terms 272 Chapter 11 Securing the Management Plane on Cisco IOS Devices 275 “Do I Know This Already?” Quiz 275 Foundation Topics 278 Securing Management Traffic 278     What Is Management Traffic and the Management Plane? 278     Beyond the Blue Rollover Cable 278     Management Plane Best Practices 278     Password Recommendations 281     Using AAA to Verify Users 281         AAA Components 282         Options for Storing Usernames, Passwords, and Access Rules 282         Authorizing VPN Users 283         Router Access Authentication 284         The AAA Method List 285     Role-Based Access Control 286         Custom Privilege Levels 287         Limiting the Administrator by Assigning a View 287     Encrypted Management Protocols 287     Using Logging Files 288     Understanding NTP 289     Protecting Cisco IOS Files 289 Implementing Security Measures to Protect the Management Plane 290     Implementing Strong Passwords 290     User Authentication with AAA 292     Using the CLI to Troubleshoot AAA for Cisco Routers 296     RBAC Privilege Level/Parser View 301     Implementing Parser Views 303     SSH and HTTPS 305     Implementing Logging Features 308         Configuring Syslog Support 308     SNMP Features 310     Configuring NTP 313     Secure Copy Protocol 315     Securing the Cisco IOS Image and Configuration Files 315 Exam Preparation Tasks 317 Review All the Key Topics 317 Complete the Tables and Lists from Memory 318 Define Key Terms 318 Command Reference to Check Your Memory 318 Chapter 12 Securing the Data Plane in IPv6 321 “Do I Know This Already?” Quiz 321 Foundation Topics 324 Understanding and Configuring IPv6 324     Why IPv6? 324     The Format of an IPv6 Address 325         Understanding the Shortcuts 327         Did We Get an Extra Address? 327         IPv6 Address Types 327 Configuring IPv6 Routing 330     Moving to IPv6 331 Developing a Security Plan for IPv6 332     Best Practices Common to Both IPv4 and IPv6 332     Threats Common to Both IPv4 and IPv6 333     The Focus on IPv6 Security 334     New Potential Risks with IPv6 334     IPv6 Best Practices 336     IPv6 Access Control Lists 337 Exam Preparation Tasks 338 Review All the Key Topics 338 Complete the Tables and Lists from Memory 338 Define Key Terms 338 Command Reference to Check Your Memory 338 Chapter 13 Securing Routing Protocols and the Control Plane 341 “Do I Know This Already?” Quiz 341 Foundation Topics 344 Securing the Control Plane 344     Minimizing the Impact of Control Plane Traffic on the CPU 344 Control Plane Policing 346     Control Plane Protection 348 Securing Routing Protocols 348     Implement Routing Update Authentication on OSPF 348     Implement Routing Update Authentication on EIGRP 349     Implement Routing Update Authentication on RIP 350     Implement Routing Update Authentication on BGP 351 Exam Preparation Tasks 353 Review All the Key Topics 353 Complete the Tables and Lists from Memory 353 Define Key Terms 353 Part V Cisco Firewall Technologies and Intrusion Prevention System Technologies Chapter 14 Understanding Firewall Fundamentals 355 “Do I Know This Already?” Quiz 355 Foundation Topics 358 Firewall Concepts and Technologies 358     Firewall Technologies 358     Objectives of a Good Firewall 358     Firewall Justifications 359     The Defense-in-Depth Approach 360     Firewall Methodologies 361         Static Packet Filtering 362         Application Layer Gateway 363         Stateful Packet Filtering 363         Application Inspection 364         Transparent Firewalls 365         Next-Generation Firewalls 365 Using Network Address Translation 366     NAT Is About Hiding or Changing the Truth About Source Addresses 366     Inside, Outside, Local, Global 367     Port Address Translation 368     NAT Options 369 Creating and Deploying Firewalls 370     Firewall Technologies 370     Firewall Design Considerations 370     Firewall Access Rules 371     Packet-Filtering Access Rule Structure 372     Firewall Rule Design Guidelines 372     Rule Implementation Consistency 373 Exam Preparation Tasks 375 Review All the Key Topics 375 Complete the Tables and Lists from Memory 375 Define Key Terms 375 Chapter 15 Implementing Cisco IOS Zone-Based Firewalls 377 “Do I Know This Already?” Quiz 377 Foundation Topics 379 Cisco IOS Zone-Based Firewalls 379     How Zone-Based Firewall Operates 379     Specific Features of Zone-Based Firewalls 379     Zones and Why We Need Pairs of Them 380     Putting the Pieces Together 381     Service Policies 382     The Self Zone 384 Configuring and Verifying Cisco IOS Zone-Based Firewalls 385     First Things First 385     Using CCP to Configure the Firewall 386     Verifying the Firewall 399     Verifying the Configuration from the Command Line 400     Implementing NAT in Addition to ZBF 404     Verifying Whether NAT Is Working 407 Exam Preparation Tasks 409 Review All the Key Topics 409 Complete the Tables and Lists from Memory 409 Define Key Terms 409 Command Reference to Check Your Memory 409 Chapter 16 Configuring Basic Firewall Policies on Cisco ASA 413 “Do I Know This Already?” Quiz 413 Foundation Topics 416 The ASA Appliance Family and Features 416     Meet the ASA Family 416     ASA Features and Services 417 ASA Firewall Fundamentals 419     ASA Security Levels 419     The Default Flow of Traffic 420     Tools to Manage the ASA 422     Initial Access 422     Packet Filtering on the ASA 422     Implementing a Packet-Filtering ACL 423     Modular Policy Framework 424     Where to Apply a Policy 425 Configuring the ASA 425     Beginning the Configuration 425     Getting to the ASDM GUI 433     Configuring the Interfaces 435     IP Addresses for Clients 443     Basic Routing to the Internet 444     NAT and PAT 445     Permitting Additional Access Through the Firewall 447     Using Packet Tracer to Verify Which Packets Are Allowed 449     Verifying the Policy of No Telnet 453 Exam Preparation Tasks 454 Review All the Key Topics 454 Complete the Tables and Lists from Memory 454 Define Key Terms 454 Command Reference to Check Your Memory 455 Chapter 17 Cisco IDS/IPS Fundamentals 457 “Do I Know This Already?” Quiz 457 Foundation Topics 460 IPS Versus IDS 460     What Sensors Do 460     Difference Between IPS and IDS 460     Sensor Platforms 462     True/False Negatives/Positives 463     Positive/Negative Terminology 463 Identifying Malicious Traffic on the Network 463     Signature-Based IPS/IDS 464     Policy-Based IPS/IDS 464     Anomaly-Based IPS/IDS 464     Reputation-Based IPS/IDS 464     When Sensors Detect Malicious Traffic 465     Controlling Which Actions the Sensors Should Take 467     Implementing Actions Based on the Risk Rating 468     Circumventing an IPS/IDS 468 Managing Signatures 469     Signature or Severity Levels 470 Monitoring and Managing Alarms and Alerts 471     Security Intelligence 471     IPS/IDS Best Practices 472 Cisco Next-Generation IPS Solutions 472 Exam Preparation Tasks 474 Review All the Key Topics 474 Complete the Tables and Lists from Memory 474 Define Key Terms 474 Part VI Content and Endpoint Security Chapter 18 Mitigation Technologies for E-mail-Based and Web-Based Threats 477 “Do I Know This Already?” Quiz 477 Foundation Topics 479 Mitigation Technology for E-mail-Based Threats 479     E-mail-Based Threats 479     Cisco Cloud E-mail Security 479     Cisco Hybrid E-mail Security 480     Cisco E-mail Security Appliance 480     Cisco ESA Initial Configuration 483 Mitigation Technology for Web-Based Threats 486     Cisco CWS 486     Cisco WSA 487 Cisco Content Security Management Appliance 491 Exam Preparation Tasks 493 Review All the Key Topics 493 Complete the Tables and Lists from Memory 493 Define Key Terms 493 Command Reference to Check Your Memory 493 Chapter 19 Mitigation Technologies for Endpoint Threats 495 “Do I Know This Already?” Quiz 495 Foundation Topics 497 Antivirus and Antimalware Solutions 497 Personal Firewalls and Host Intrusion Prevention Systems 498 Advanced Malware Protection for Endpoints 499 Hardware and Software Encryption of Endpoint Data 500     E-mail Encryption 500     Encrypting Endpoint Data at Rest 501     Virtual Private Networks 501 Exam Preparation Tasks 503 Review All the Key Topics 503 Complete the Tables and Lists from Memory 503 Define Key Terms 503 Part VII Final Preparation Chapter 20 Final Preparation 505 Tools for Final Preparation 505 Exam Engine and Questions on the CD 505     Install the Exam Engine 505     Activate and Download the Practice Exam 506     Activating Other Exams 506     Premium Edition 506 The Cisco Learning Network 507 Memory Tables 507 Chapter-Ending Review Tools 507 Study Plan 507 Recall the Facts 507 Practice Configurations 508 Using the Exam Engine 508 Part VIII Appendixes Appendix A Answers to the “Do I Know This Already?” Quizzes 511 Appendix B CCNA Security 210-260 (IINS) Exam Updates 517 Glossary 521   On the CD Glossary Appendix C Memory Tables Appendix D Memory Tables Answer Key Appendix E Study Planner   9781587205668   TOC   8/14/2015