All the CCNA Security 640-554 commands in one compact, portable resource   Preparing for the latest CCNA® Security exam? Here are all the CCNA Security commands you need in one condensed, portable resource. Filled with valuable, easy-to-access information, the CCNA Security Portable Command Guide is portable enough for you to use whether you’re in the server room or the equipment closet.   Completely updated to reflect the new CCNA Security 640-554 exam, this quick reference summarizes relevant Cisco IOS® Software commands, keywords, command arguments, and associated prompts, and offers tips and examples for applying these commands to real-world security challenges. Throughout, configuration examples provide an even deeper understanding of how to use IOS to protect networks.   Topics covered include •  Networking security fundamentals: concepts, policies, strategies, and more •  Securing network infrastructure: network foundations, CCP, management plane and access, and data planes (IPv6/IPv4) •  Secure connectivity: VPNs, cryptography, IPsec, and more •  Threat control and containment: strategies, ACL threat mitigation, zone-based firewalls, and Cisco IOS IPS •  Securing networks with ASA: ASDM, basic and advanced settings, and ASA SSL VPNs   Bob Vachon is a professor at Cambrian College. He has held CCNP certification since 2002 and has collaborated on many Cisco Networking Academy courses. He was the lead author for the Academy’s CCNA Security v1.1 curriculum that aligns to the Cisco IOS Network Security (IINS) certification exam (640-554).   ·   Access all CCNA Security commands: use as a quick, offline resource for research and solutions ·   Logical how-to topic groupings provide one-stop research ·   Great for review before CCNA Security certification exams ·   Compact size makes it easy to carry with you, wherever you go ·   “Create Your Own Journal” section with blank, lined pages allows you to personalize the book for your needs ·    “What Do You Want to Do?” chart inside front cover helps you to quickly reference specific tasks   This book is part of the Cisco Press® Certification Self-Study Product Family, which offers readers a self-paced study routine for Cisco® certification exams. Titles in the Cisco Press Certification Self-Study Product Family are part of a recommended learning program from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press.    

Table of Contents:
    Introduction xvii Part I: Networking Security Fundamentals CHAPTER 1 Networking Security Concepts 1     Basic Security Concepts 2         Assets, Vulnerabilities, Threats, and Countermeasures 2         Confidentiality, Integrity, and Availability 2         Data Classification Criteria 2         Data Classification Levels 2         Classification Roles 3     Threat Classification 3         Preventive, Detective, and Corrective Controls 3         Risk Avoidance, Transfer, and Retention 4     Drivers for Network Security 4         Evolution of Threats 4         Tracking Threats 5     Malicious Code: Viruses, Worms, and Trojan Horses 5         Anatomy of a Worm 6         Mitigating Malware and Worms 6     Threats in Borderless Networks 7         Hacker Titles 7         Thinking Like a Hacker 8         Reconnaissance Attacks 8         Access Attacks 9         Password Cracking 10         Denial-of-Service Attacks 10     Principles of Secure Network Design 11     Defense in Depth 11 CHAPTER 2 Implementing Security Policies Using a Lifecycle Approach 13     Risk Analysis 13         Quantitative Risk Analysis Formula 14         Quantitative Risk Analysis Example 15         Regulatory Compliance 15     Security Policy 17         Standards, Guidelines, and Procedures 18         Security Policy Audience Responsibilities 19         Security Awareness 19     Secure Network Lifecycle Management 19         Models and Frameworks 21         Assessing and Monitoring the Network Security Posture 21         Testing the Security Architecture 22     Incident Response 22         Incident Response Phases 22         Computer Crime Investigation 23         Collection of Evidence and Forensics 23         Law Enforcement and Liability 23         Ethics 23     Disaster-Recovery and Business-Continuity Planning 23 CHAPTER 3 Building a Security Strategy for Borderless Networks 25     Cisco Borderless Network Architecture 25         Borderless Security Products 26     Cisco SecureX Architecture and Context-Aware Security 26         Cisco TrustSec 28         TrustSec Confidentiality 28         Cisco AnyConnect 29         Cisco Security Intelligence Operations 29     Threat Control and Containment 29     Cloud Security and Data-Loss Prevention 30     Secure Connectivity Through VPNs 31     Security Management 31 Part II: Protecting the Network Infrastructure CHAPTER 4 Network Foundation Protection 33     Threats Against the Network Infrastructure 33     Cisco Network Foundation Protection Framework 34     Control Plane Security 35         Control Plane Policing 36     Management Plane Security 36         Role-Based Access Control 37         Secure Management and Reporting 37     Data Plane Security 37         ACLs 37         Antispoofing 38         Layer 2 Data Plane Protection 38 CHAPTER 5 Protecting the Network Infrastructure Using CCP 39     Cisco Configuration Professional 39     Cisco Configuration Professional Express 40         Connecting to Cisco CP Express Using the GUI 41     Cisco Configuration Professional 44         Configuring an ISR for CCP Support 44         Installing CCP on a Windows PC 45         Connecting to an ISR Using CCP 45     CCP Features and User Interface 47         Application Menu Options 48         Toolbar Menu Options 48         Toolbar Configure Options 49         Toolbar Monitor Options 49     Using CCP to Configure IOS Device-Hardening Features 49         CCP Security Audit 49         CCP One-Step Lockdown 50     Using the Cisco IOS AutoSecure CLI Feature 51         Configuring AutoSecure via the CLI 51 CHAPTER 6 Securing the Management Plane 53     Planning a Secure Management and Reporting Strategy 54     Securing the Management Plane 54         Securing Passwords 55         Securing the Console Line and Disabling the Auxiliary Line 55         Securing VTY Access with SSH 56         Securing VTY Access with SSH Example 57         Securing VTY Access with SSH Using CCP Example 58         Securing Configuration and IOS Files 60         Restoring Bootset Files 61     Implementing Role-Based Access Control on Cisco Routers 62         Configuring Privilege Levels 62         Configuring Privilege Levels Example 62         Configuring RBAC via the CLI 62         Configuring RBAC via the CLI Example 63         Configuring Superviews 63         Configuring a Superview Example 64         Configuring RBAC Using CCP Example 64     Network Monitoring 67         Configuring a Network Time Protocol Master Clock 67         Configuring an NTP Client 67         Configuring an NTP Master and Client Example 67         Configuring an NTP Client Using CCP Example 68         Configuring Syslog 69         Configuring Syslog Example 71         Configuring Syslog Using CCP Example 71         Configuring SNMP 74         Configuring SNMP Using CCP 74 CHAPTER 7 Securing Management Access with AAA 77     Authenticating Administrative Access 78         Local Authentication 78         Server-Based Authentication 78         Authentication, Authorization, and Accounting Framework 79     Local AAA Authentication 79         Configuring Local AAA Authentication Example 80         Configuring Local AAA Authentication Using CCP Example 81     Server-Based AAA Authentication 86         TACACS+ Versus RADIUS 86         Configuring Server-Based AAA Authentication 87         Configuring Server-Based AAA Authentication Example 88         Configuring Server-Based AAA Authentication Using CCP Example 89         AAA Authorization 94         Configuring AAA Authorization Example 94         Configuring AAA Authorization Using CCP 94     AAA Accounting 98         Configuring AAA Accounting Example 98     Cisco Secure ACS 98         Adding a Router as a AAA Client 99         Configuring Identity Groups and an Identity Store 99         Configuring Access Service to Process Requests 100         Creating Identity and Authorization Policies 101 CHAPTER 8 Securing the Data Plane on Catalyst Switches 103     Common Threats to the Switching Infrastructure 104         Layer 2 Attacks 104         Layer 2 Security Guidelines 104     MAC Address Attacks 105         Configuring Port Security 105         Fine-Tuning Port Security 106         Configuring Optional Port Security Settings 107         Configuring Port Security Example 108     Spanning Tree Protocol Attacks 109         STP Enhancement Features 109         Configuring STP Enhancement Features 110         Configuring STP Enhancements Example 111     LAN Storm Attacks 112         Configuring Storm Control 112         Configuring Storm Control Example 113     VLAN Hopping Attacks 113         Mitigating VLAN Attacks 114         Mitigating VLAN Attacks Example 114     Advanced Layer 2 Security Features 115         ACLs and Private VLANs 116         Cisco Integrated Security Features 116         Secure the Switch Management Plane 117 CHAPTER 9 Securing the Data Plane in IPv6 Environments 119     Overview of IPv6 119         Comparison Between IPv4 and IPv6 119         The IPv6 Header 120         ICMPv6 121         Stateless Autoconfiguration 122         IPv4-to-IPv6 Transition Solutions 122         IPv6 Routing Solutions 122     IPv6 Threats 123         IPv6 Vulnerabilities 124     IPv6 Security Strategy 124         Configuring Ingress Filtering 124         Secure Transition Mechanisms 125         Future Security Enhancements 125 Part III: Threat Control and Containment CHAPTER 10 Planning a Threat Control Strategy 127     Threats 127         Trends in Information Security Threats 127     Threat Control Guidelines 128         Threat Control Design Guidelines 128     Integrated Threat Control Strategy 129         Cisco Security Intelligence Operations 130 CHAPTER 11 Confi guring ACLs for Threat Mitigation 131     Access Control List 131         Mitigating Threats Using ACLs 132         ACL Design Guidelines 132         ACL Operation 132     Configuring ACLs 134         ACL Configuration Guidelines 134         Filtering with Numbered Extended ACLs 134         Configuring a Numbered Extended ACL Example 135         Filtering with Named Extended ACLs 135         Configuring a Named Extended ACL Example 136         Configuring an Extended ACL Using CCP Example 136     Enhancing ACL Protection with Object Groups 140         Network Object Groups 140         Service Object Groups 140         Using Object Groups in Extended ACLs 141         Configuring Object Groups in ACLs Example 142         Configuring Object Groups in ACLs Using CCP Example 144     ACLs in IPv6 149         Mitigating IPv6 Attacks Using ACLs 149         IPv6 ACLs Implicit Entries 149         Filtering with IPv6 ACLs 149         Configuring an IPv6 ACL Example 151 CHAPTER 12 Confi guring Zone-Based Firewalls 153     Firewall Fundamentals 153         Types of Firewalls 154     Firewall Design 154         Firewall Policies 154         Firewall Rule Design Guidelines 155         Cisco IOS Firewall Evolution 155     Cisco IOS Zone-Based Policy Firewall 156         Cisco Common Classification Policy Language 156         ZFW Design Considerations 156         Default Policies, Traffic Flows, and Zone Interaction 157         Configuring an IOS ZFW 157         Configuring an IOS ZFW Using the CLI Example 160         Configuring an IOS ZFW Using CCP Example 161         Configuring NAT Services for ZFWs Using CCP Example 167 CHAPTER 13 Confi guring Cisco IOS IPS 171     IDS and IPS Fundamentals 171         Types of IPS Sensors 172         Types of Signatures 172         Types of Alarms 172     Intrusion Prevention Technologies 173         IPS Attack Responses 174         IPS Anti-Evasion Techniques 175         Managing Signatures 175         Cisco IOS IPS Signature Files 176         Implementing Alarms in Signatures 176         IOS IPS Severity Levels 177         Event Monitoring and Management 177         IPS Recommended Practices 178     Configuring IOS IPS 178         Creating an IOS IPS Rule and Specifying the IPS Signature File Location 179         Tuning Signatures per Category 180         Configuring IOS IPS Example 183         Configuring IOS IPS Using CCP Example 185         Signature Tuning Using CCP 193 Part IV: Secure Connectivity CHAPTER 14 VPNs and Cryptology 195     Virtual Private Networks 195         VPN Deployment Modes 196     Cryptology = Cryptography + Cryptanalysis 197         Historical Cryptographic Ciphers 197         Modern Substitution Ciphers 198         Encryption Algorithms 198         Cryptanalysis 199     Cryptographic Processes in VPNs 200         Classes of Encryption Algorithms 201         Symmetric Encryption Algorithms 201         Asymmetric Encryption Algorithm 202         Choosing an Encryption Algorithm 202         Choosing an Adequate Keyspace 202     Cryptographic Hashes 203         Well-Known Hashing Algorithms 203         Hash-Based Message Authentication Codes 203     Digital Signatures 204 CHAPTER 15 Asymmetric Encryption and PKI 207     Asymmetric Encryption 207         Public Key Confidentiality and Authentication 207         RSA Functions 208     Public Key Infrastructure 208         PKI Terminology 209         PKI Standards 209         PKI Topologies 210         PKI Characteristics 211 CHAPTER 16 IPsec VPNs 213     IPsec Protocol 213         IPsec Protocol Framework 214         Encapsulating IPsec Packets 215         Transport Versus Tunnel Mode 215         Confidentiality Using Encryption Algorithms 216         Data Integrity Using Hashing Algorithms 216         Peer Authentication Methods 217         Key Exchange Algorithms 217         NSA Suite B Standard 218     Internet Key Exchange 218         IKE Negotiation Phases 219         IKEv1 Phase 1 (Main Mode and Aggressive Mode) 219         IKEv1 Phase 2 (Quick Mode) 220         IKEv2 Phase 1 and 2 220         IKEv1 Versus IKEv2 221     IPv6 VPNs 221 CHAPTER 17 Confi guring Site-to-Site VPNs 223     Site-to-Site IPsec VPNs 223         IPsec VPN Negotiation Steps 223         Planning an IPsec VPN 224         Cipher Suite Options 225     Configuring IOS Site-to-Site VPNs 225         Verifying the VPN Tunnel 229         Configuring a Site-to-Site IPsec VPN Using IOS Example 230         Configuring a Site-to-Site IPsec VPN Using CCP Example 232         Generating a Mirror Configuration Using CCP 241         Testing and Monitoring IPsec VPNs 242         Monitoring Established IPsec VPN Connections Using CCP 244 Part V: Securing the Network Using the ASA CHAPTER 18 Introduction to the ASA 247     Adaptive Security Appliance 247         ASA Models 248         Routed and Transparent Firewall Modes 249         ASA Licensing 249     Basic ASA Configuration 251         ASA 5505 Front and Back Panel 251         ASA 5510 Front and Back Panel 252         ASA Security Levels 253         ASA 5505 Port Configuration 255         ASA 5505 Deployment Scenarios 255         ASA 5505 Configuration Options 255 CHAPTER 19 Introduction to ASDM 257     Adaptive Security Device Manager 257         Accessing ASDM 258         Factory Default Settings 258         Resetting the ASA 5505 to Factory Default Settings 259         Erasing the Factory Default Settings 259         Setup Initialization Wizard 259     Installing and Running ASDM 260         Running ASDM 262     ASDM Wizards 264         The Startup Wizard 264         VPN Wizards 265         Advanced Wizards 266 CHAPTER 20 Confi guring Cisco ASA Basic Settings 267     ASA Command-Line Interface 267         Differences Between IOS and ASA OS 268     Configuring Basic Settings 268         Configuring Basic Management Settings 269         Enabling the Master Passphrase 269     Configuring Interfaces 270         Configuring the Inside and Outside SVIs 270         Assigning Layer 2 Ports to VLANs 271         Configuring a Third SVI 272     Configuring the Management Plane 272         Enabling Telnet, SSH, and HTTPS Access 272         Configuring Time Services 274     Configuring the Control Plane 274         Configuring a Default Route 274     Basic Settings Example 274         Configuring Basic Settings Example Using the CLI 275         Configuring Basic Settings Example Using ASDM 277 CHAPTER 21 Confi guring Cisco ASA Advanced Settings 283     ASA DHCP Services 284         DHCP Client 284         DHCP Server Services 284         Configuring DHCP Server Example Using the CLI 285         Configuring DHCP Server Example Using ASDM 287     ASA Objects and Object Groups 289         Network and Service Objects 289         Network, Protocol, ICMP, and Service Object Groups 291         Configuring Objects and Object Groups Example Using ASDM 293     ASA ACLs 295         ACL Syntax 296         Configuring ACLs Example Using the CLI 297         Configuring ACLs with Object Groups Example Using the CLI 299         Configuring ACLs with Object Groups Example Using ASDM 300     ASA NAT Services 301         Auto-NAT 302         Dynamic NAT, Dynamic PAT, and Static NAT 302         Configuring Dynamic and Static NAT Example Using the CLI 304         Configuring Dynamic NAT Example Using ASDM 306     AAA Access Control 308         Local AAA Authentication 308         Server-Based AAA Authentication 309         Configuring AAA Server-Based Authentication Example Using the CLI 309         Configuring AAA Server-Based Authentication Example Using ASDM 310     Modular Policy Framework Service Policies 313         Class Maps, Policy Maps, and Service Policies 314         Default Global Policies 317         Configure Service Policy Example Using ASDM 318 CHAPTER 22 Confi guring Cisco ASA SSL VPNs 319     Remote-Access VPNs 319         Types of Remote-Access VPNs 319     ASA SSL VPN 320         Client-Based SSL VPN Example Using ASDM 321         Clientless SSL VPN Example Using ASDM 328 APPENDIX Create Your Own Journal Here 335 TOC, 9781587204487, 5/1/2012