This is the eBook version of the printed book.Note that this eBook does not contain the practice test software that accompanies the print book.   CCNA Security Official Exam Certification Guide is a best of breed Cisco® exam study guide that focuses specifically on the objectives for the CCNA® Security IINS exam. Senior security instructors Michael Watkins and Kevin Wallace share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics. Master the IINS 640-553 exam with this official study guide Assess your knowledge with chapter-opening quizzes Review key concepts with Exam Preparation Tasks CCNA Security Official Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks sections help drill you on key concepts you must know thoroughly.   Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.   CCNA Security Official Exam Certification Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.   Michael Watkins, CCNA/CCNP®/CCVP®/CCSP®, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, Michael has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the United States Air Force to help them implement and learn the latest network technologies.   Kevin Wallace, CCIE® No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, Kevin has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. Kevin also is a CCVP, CCSP, CCNP, and CCDP with multiple Cisco security and IP communications specializations.   The official study guide helps you master all the topics on the IINS exam, including Network security threats Security policies Network perimeter defense AAA configuration Router security Switch security Endpoint security SAN security VoIP security IOS firewalls Cisco IOS® IPS Cryptography Digital signatures PKI and asymmetric encryption IPsec VPNs This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.  

Table of Contents:
Foreword Introduction Part I Network Security Concepts Chapter 1 Understanding Network Security Principles “Do I Know This Already?” Quiz Foundation Topics Exploring Security Fundamentals     Why Network Security Is a Necessity         Types of Threats         Scope of the Challenge         Nonsecured Custom Applications     The Three Primary Goals of Network Security         Confidentiality         Integrity         Availability     Categorizing Data         Classification Models         Classification Roles     Controls in a Security Solution     Responding to a Security Incident     Legal and Ethical Ramifications         Legal Issues to Consider Understanding the Methods of Network Attacks     Vulnerabilities     Potential Attackers     The Mind-set of a Hacker     Defense in Depth     Understanding IP Spoofing         Launching a Remote IP Spoofing Attack with IP Source Routing         Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack         Protecting Against an IP Spoofing Attack     Understanding Confidentiality Attacks     Understanding Integrity Attacks     Understanding Availability Attacks     Best-Practice Recommendations Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 2 Developing a Secure Network “Do I Know This Already?” Quiz Foundation Topics Increasing Operations Security     System Development Life Cycle 49         Initiation 49         Acquisition and Development 49         Implementation 50         Operations and Maintenance 50         Disposition 51     Operations Security Overview 51     Evaluating Network Security 52         Nmap 54     Disaster Recovery Considerations 55         Types of Disruptions 56         Types of Backup Sites 56 Constructing a Comprehensive Network Security Policy 57     Security Policy Fundamentals 57     Security Policy Components 58         Governing Policy 58         Technical Policies 58         End-User Policies 59         More-Detailed Documents 59     Security Policy Responsibilities 59     Risk Analysis, Management, and Avoidance 60         Quantitative Analysis 60         Qualitative Analysis 61         Risk Analysis Benefits 61         Risk Analysis Example: Threat Identification 61         Managing and Avoiding Risk 62     Factors Contributing to a Secure Network Design 62         Design Assumptions 63         Minimizing Privileges 63         Simplicity Versus Complexity 64     User Awareness and Training 64 Creating a Cisco Self-Defending Network 66     Evolving Security Threats 66     Constructing a Cisco Self-Defending Network 67         Cisco Security Management Suite 69     Cisco Integrated Security Products 70 Exam Preparation Tasks 74 Review All the Key Topics 74 Complete the Tables and Lists from Memory 75 Definition of Key Terms 75 Chapter 3 Defending the Perimeter 77 “Do I Know This Already?” Quiz 77 Foundation Topics 81 ISR Overview and Providing Secure Administrative Access 81     IOS Security Features 81     Cisco Integrated Services Routers 81         Cisco 800 Series 82         Cisco 1800 Series 83         Cisco 2800 Series 84         Cisco 3800 Series 84         ISR Enhanced Features 85     Password-Protecting a Router 86     Limiting the Number of Failed Login Attempts 92     Setting a Login Inactivity Timer 92     Configuring Privilege Levels 93     Creating Command-Line Interface Views 93     Protecting Router Files 95     Enabling Cisco IOS Login Enhancements for Virtual Connections 96     Creating a Banner Message 98 Cisco Security Device Manager Overview 99     Introducing SDM 99     Preparing to Launch Cisco SDM     Exploring the Cisco SDM Interface Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Command Reference to Check Your Memory Chapter 4 Configuring AAA “Do I Know This Already?” Quiz Foundation Topics Configuring AAA Using the Local User Database     Authentication, Authorization, and Accounting     AAA for Cisco Routers     Router Access Authentication     Using AAA to Configure Local User Database Authentication         Defining a Method List         Setting AAA Authentication for Login         Configuring AAA Authentication on Serial Interfaces Running PPP         Using the aaa authentication enable default Command         Implementing the aaa authorization Command         Working with the aaa accounting Command     Using the CLI to Troubleshoot AAA for Cisco Routers     Using Cisco SDM to Configure AAA Configuring AAA Using Cisco Secure ACS     Overview of Cisco Secure ACS for Windows         Additional Features of Cisco Secure ACS 4.0 for Windows     Cisco Secure ACS 4.0 for Windows Installation     Overview of TACACS+ and RADIUS         TACACS+ Authentication         Command Authorization with TACACS+         TACACS+ Attributes         Authentication and Authorization with RADIUS         RADIUS Message Types         RADIUS Attributes         Features of RADIUS     Configuring TACACS+         Using the CLI to Configure AAA Login Authentication on Cisco Routers         Configuring Cisco Routers to Use TACACS+ Using the Cisco SDM         Defining the AAA Servers Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Command Reference to Check Your Memory Chapter 5 Securing the Router “Do I Know This Already?” Quiz Foundation Topics Locking Down the Router     Identifying Potentially Vulnerable Router Interfaces and Services     Locking Down a Cisco IOS Router         AutoSecure         Cisco SDM One-Step Lockdown Using Secure Management and Reporting     Planning for Secure Management and Reporting     Secure Management and Reporting Architecture     Configuring Syslog Support     Securing Management Traffic with SNMPv3     Enabling Secure Shell on a Router     Using Cisco SDM to Configure Management Features         Configuring Syslog Logging with Cisco SDM         Configuring SNMP with Cisco SDM         Configuring NTP with Cisco SDM         Configuring SSH with Cisco SDM Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Command Reference to Check Your Memory Part II Constructing a Secure Infrastructure Chapter 6 Securing Layer 2 Devices “Do I Know This Already?” Quiz Foundation Topics Defending Against Layer 2 Attacks     Review of Layer 2 Switch Operation     Basic Approaches to Protecting Layer 2 Switches     Preventing VLAN Hopping         Switch Spoofing         Double Tagging     Protecting Against an STP Attack     Combating DHCP Server Spoofing     Using Dynamic ARP Inspection     Mitigating CAM Table Overflow Attacks     Spoofing MAC Addresses     Additional Cisco Catalyst Switch Security Features         Using the SPAN Feature with IDS         Enforcing Security Policies with VACLs         Isolating Traffic Within a VLAN Using Private VLANs         Traffic Policing         Notifying Network Managers of CAM Table Updates     Port Security Configuration     Configuration Recommendations Cisco Identity-Based Networking Services     Introduction to Cisco IBNS     Overview of IEEE 802.1x     Extensible Authentication Protocols         EAP-MD5         EAP-TLS         PEAP (MS-CHAPv2)         EAP-FAST     Combining IEEE 802.1x with Port Security Features     Using IEEE 802.1x for VLAN Assignment     Configuring and Monitoring IEEE 802.1x Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Command Reference to Check Your Memory Chapter 7 Implementing Endpoint Security “Do I Know This Already?” Quiz Foundation Topics Examining Endpoint Security     Defining Endpoint Security         Examining Operating System Vulnerabilities         Examining Application Vulnerabilities     Understanding the Threat of Buffer Overflows         Buffer Overflow Defined         The Anatomy of a Buffer Overflow Exploit         Understanding the Types of Buffer Overflows         Additional Forms of Attack Securing Endpoints with Cisco Technologies     Understanding IronPort         The Architecture Behind IronPort     Examining the Cisco NAC Appliance     Working with the Cisco Security Agent         Understanding Cisco Security Agent Interceptors         Examining Attack Response with the Cisco Security Agent     Best Practices for Securing Endpoints         Application Guidelines         Apply Application Protection Methods Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 8 Providing SAN Security “Do I Know This Already?” Quiz Foundation Topics Overview of SAN Operations     Fundamentals of SANs     Organizational Benefits of SAN Usage     Understanding SAN Basics     Fundamentals of SAN Security         Classes of SAN Attacks Implementing SAN Security Techniques     Using LUN Masking to Defend Against Attacks     Examining SAN Zoning Strategies         Examining Soft and Hard Zoning     Understanding World Wide Names     Defining Virtual SANs         Combining VSANs and Zones     Identifying Port Authentication Protocols         Understanding DHCHAP         CHAP in Securing SAN Devices     Working with Fibre Channel Authentication Protocol     Understanding Fibre Channel Password Authentication Protocol     Assuring Data Confidentiality in SANs         Incorporating Encapsulating Security Payload (ESP)         Providing Security with Fibre Channel Security Protocol Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 9 Exploring Secure Voice Solutions “Do I Know This Already?” Quiz Foundation Topics Defining Voice Fundamentals     Defining VoIP     The Need for VoIP     VoIP Network Components     VoIP Protocols Identifying Common Voice Vulnerabilities     Attacks Targeting Endpoints     VoIP Spam     Vishing and Toll Fraud     SIP Attack Targets Securing a VoIP Network     Protecting a VoIP Network with Auxiliary VLANs     Protecting a VoIP Network with Security Appliances     Hardening Voice Endpoints and Application Servers     Summary of Voice Attack Mitigation Techniques Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 10 Using Cisco IOS Firewalls to Defend the Network “Do I Know This Already?” Quiz Foundation Topics Exploring Firewall Technology     The Role of Firewalls in Defending Networks     The Advance of Firewall Technology     Transparent Firewalls     Application Layer Firewalls         Benefits of Using Application Layer Firewalls         Working with Application Layer Firewalls         Application Firewall Limitations     Static Packet-Filtering Firewalls     Stateful Packet-Filtering Firewalls         Stateful Packet Filtering and the State Table         Disadvantages of Stateful Filtering         Uses of Stateful Packet-Filtering Firewalls     Application Inspection Firewalls         Application Inspection Firewall Operation         Effective Use of an Application Inspection Firewall     Overview of the Cisco ASA Adaptive Security Appliance     The Role of Firewalls in a Layered Defense Strategy     Creating an Effective Firewall Policy Using ACLs to Construct Static Packet Filters     The Basics of ACLs     Cisco ACL Configuration         Working with Turbo ACLs         Developing ACLs     Using the CLI to Apply ACLs to the Router Interface     Considerations When Creating ACLs     Filtering Traffic with ACLs     Preventing IP Spoofing with ACLs     Restricting ICMP Traffic with ACLs     Configuring ACLs to Filter Router Service Traffic         vty Filtering         SNMP Service Filtering         RIPv2 Route Filtering     Grouping ACL Functions Implementing a Cisco IOS Zone-Based Firewall     Understanding Cisco IOS Firewalls         Traffic Filtering         Traffic Inspection         The Role of Alerts and Audit Trails         Classic Firewall Process         SPI and CBAC     Examining the Principles Behind Zone-Based Firewalls         Changes to Firewall Configuration         Zone Membership Rules         Understanding Security Zones         Zones and Inspection         Security Zone Restrictions         Working with Zone Pairs         Security Zone Firewall Policies         Class Maps     Verifying Zone-Based Firewall Configuration Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Command Reference to Check Your Memory Chapter 11 Using Cisco IOS IPS to Secure the Network “Do I Know This Already?” Quiz Foundation Topics Examining IPS Technologies     IDS Versus IPS     IDS and IPS Device Categories         Detection Methods         Network-Based Versus Host-Based IPS         Deploying Network-Based and Host-Based Solutions     IDS and IPS Appliances         Cisco IDS 4215 Sensor         Cisco IPS 4240 Sensor         Cisco IPS 4255 Sensor         Cisco IPS 4260 Sensor     Signatures         Exploit Signatures         Connection Signatures         String Signatures         Denial-of-Service Signatures     Signature Definition Files     Alarms Using SDM to Configure Cisco IOS IPS     Launching the Intrusion Prevention Wizard     IPS Policies Wizard     Creating IPS Rules     Manipulating Global IPS Settings     Signature Configuration Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Part III Extending Security and Availability with Cryptography and VPNs Chapter 12 Designing a Cryptographic Solution “Do I Know This Already?” Quiz Foundation Topics Introducing Cryptographic Services     Understanding Cryptology         Cryptography Through the Ages         The Substitution Cipher         The Vigenère Cipher         Transposition Ciphers         Working with the One-Time Pad         The Encryption Process         Cryptanalysis         Understanding the Features of Encryption Algorithms     Symmetric and Asymmetric Encryption Algorithms         Encryption Algorithms and Keys         Symmetric Encryption Algorithms         Asymmetric Encryption Algorithms     The Difference Between Block and Stream Ciphers         Block Ciphers         Stream Ciphers Exploring Symmetric Encryption     Functionality of Symmetric Encryption Algorithms         Key Lengths     Features and Functions of DES         Working with the DES Key         Modes of Operation for DES         Working with DES Stream Cipher Modes         Usage Guidelines for Working with DES         Understanding How 3DES Works         Encrypting with 3DES     AES         The Rijndael Cipher         Comparing AES and 3DES         Availability of AES in the Cisco Product Line     SEAL         SEAL Restrictions     The Rivest Ciphers Understanding Security Algorithms     Selecting an Encryption Algorithm     Understanding Cryptographic Hashes     Working with Hashing     Designing Key Management         Components of Key Management         Understanding Keyspaces         Issues Related to Key Length     SSL VPNs     Establishing an SSL Tunnel Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 13 Implementing Digital Signatures “Do I Know This Already?” Quiz Foundation Topics Examining Hash Algorithms     Exploring Hash Algorithms and HMACs         Anatomy of a Hash Function         Application of Hash Functions         Cryptographic Hash Functions         Application of Cryptographic Hashes         HMAC Explained     MD5 Features and Functionality         Origins of MD5         Vulnerabilities of MD5         Usage of MD5     SHA-1 Features and Functionality         Overview of SHA-1         Vulnerabilities of SHA-1         Usage of SHA-1 Using Digital Signatures     Understanding Digital Signatures         Digital Signature Scheme         Authentication and Integrity     Examining RSA Signatures         Exploring the History of RSA         Understanding How RSA Works         Encrypting and Decrypting Messages with RSA         Signing Messages with RSA         Vulnerabilities of RSA     Exploring the Digital Signature Standard         Using the DSA Algorithm Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 14 Exploring PKI and Asymmetric Encryption “Do I Know This Already?” Quiz Foundation Topics Understanding Asymmetric Algorithms     Exploring Asymmetric Encryption Algorithms         Using Public-Key Encryption to Achieve Confidentiality         Providing Authentication with a Public Key     Understanding the Features of the RSA Algorithm         Working with RSA Digital Signatures         Guidelines for Working with RSA     Examining the Features of the Diffie-Hellman Key Exchange Algorithm         Steps of the Diffie-Hellman Key Exchange Algorithm Working with a PKI     Examining the Principles Behind a PKI         Understanding PKI Terminology         Components of a PKI         Classes of Certificates         Examining the PKI Topology of a Single Root CA         Examining the PKI Topology of Hierarchical CAs         Examining the PKI Topology of Cross-Certified CAs         Understanding PKI Usage and Keys         Working with PKI Server Offload     Understanding PKI Standards         Understanding X.509v3         Understanding Public Key Cryptography Standards (PKCS)         Understanding Simple Certificate Enrollment Protocol (SCEP)     Exploring the Role of Certificate Authorities and Registration Authorities in a PKI         Examining Identity Management         Retrieving the CA Certificate         Understanding the Certificate Enrollment Process         Examining Authentication Using Certificates         Examining Features of Digital Certificates and CAs         Understanding the Caveats of Using a PKI         Understanding How Certificates Are Employed Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Chapter 15 Building a Site-to-Site IPsec VPN Solution “Do I Know This Already?” Quiz Foundation Topics Exploring the Basics of IPsec     Introducing Site-to-Site VPNs     Overview of IPsec     IKE Modes and Phases     Authentication Header and Encapsulating Security Payload     Cisco VPN Product Offerings         Cisco VPN-Enabled Routers and Switches         Cisco VPN 3000 Series Concentrators         Cisco ASA 5500 Series Appliances         Cisco 500 Series PIX Security Appliances         Hardware Acceleration Modules     VPN Design Considerations and Recommendations         Best-Practice Recommendations for Identity and IPsec Access Control         Best-Practice Recommendations for IPsec         Best-Practice Recommendations for Network Address Translation         Best-Practice Recommendations for Selecting a Single-Purpose Versus         Multipurpose Device Constructing an IPsec Site-to-Site VPN     The Five Steps in the Life of an IPsec Site-to-Site VPN     The Five Steps of Configuring an IPsec Site-to-Site VPN     Configuring an IKE Phase 1 Tunnel     Configuring an IKE Phase 2 Tunnel     Applying Crypto Maps Using Cisco SDM to Configure IPsec on a Site-to-Site VPN     Introduction to the Cisco SDM VPN Wizard     Quick Setup     Step-by-Step Setup         Configuring Connection Settings         Selecting an IKE Proposal         Selecting a Transform Set         Selecting Traffic to Protect in the IPsec Tunnel         Applying the Generated Configuration         Monitoring the Configuration Exam Preparation Tasks Review All the Key Topics Complete the Tables and Lists from Memory Definition of Key Terms Command Reference to Check Your Memory Part IV Final Preparation Chapter 16 Final Preparation Exam Engine and Questions on the CD     Install the Software from the CD     Activate and Download the Practice Exam     Activating Other Exams Study Plan     Recall the Facts     Use the Exam Engine         Choosing Study or Simulation Mode         Passing Scores for the IINS Exam Part V Appendixes Appendix A Answers to “Do I Know This Already?” Questions Appendix B Glossary Appendix C CCNA Security Exam Updates: Version 1.0 Appendix D Memory Tables (CD only) Appendix E Memory Tables Answer Key (CD only)   1587202204     TOC    5/19/2008