Prepare for Cisco’s CCNA Security certification exam ... STUDY GUIDE Tim Boyles Covers All Exam...

CCNA® Security Study Guide

Tim Boyles

Covers All Exam Objectives for IINS 640-553

Includes Real-World Scenarios, Hands-On and Written Labs, and Leading-Edge Exam Prep Software Featuring:

• Custom Test Engine

• Hundreds of Sample Questions

• Electronic Flashcards

• Entire Book in PDF

SERIOUS SKILLS.

IINS Exam 640-553


Validate your ability to secure Cisco networks with Cisco’s CCNA Security certification. This in-depth study guide prepares you for exam 640-553, Implementing Cisco IOS Network Security (IINS). Topics include identifying threats and analyzing risks, creating a security policy, securing Cisco routers, configuring AAA using Cisco Secure ACS, configuring defenses against Layer 2 attacks, implementing a Cisco IOS firewall, and much more. Inside, you’ll find:

• Full coverage of all exam objectives in a systematic approach, so you can be confident you’re getting the instruction you need for the exam

• Practical written and hands-on labs to reinforce critical skills

• Real-world scenarios that put what you’ve learned in the context of actual job roles

• Challenging review questions in each chapter to prepare you for exam day

• Exam Essentials, a key feature in each chapter that identifies critical areas you must become proficient in before taking the exam

• A handy tear card that maps every official exam objective to the corresponding chapter in the book, so you can track your exam prep objective by objective

ABOUT THE AUTHOR

Tim Boyles, CCNA, CCNA Security, CISSP, CISA, CISM, GCIH, GAWN, has over 20 years of professional IT experience, specializing in network administration and security. He is currently an IT manager based in the Dallas–Fort Worth area. Tim was previously the security practice leader for the South Central operation of BT Global Services and has been engaged for a number of years in consulting for numerous large corporate clients. He is also a mentor instructor for the SANS Institute, having conducted sessions on CISSP training, incident handling, wireless penetration testing, and web application security.

Prepare for Cisco’s CCNA Security certification exam

FEATURED ON THE CD

SYBEX TEST ENGINE: Test your knowledge with advanced testing software. Includes all chapter review questions and bonus exams.

ELECTRONIC FLASHCARDS: Reinforce your understanding with electronic flashcards.

Also on CD, you’ll find the entire book in searchable and printable PDF. Study anywhere, any time, and approach the exam with confidence.

$49.99 US$59.99 CN

CATEGORY: COMPUTERS/Certification Guides


ISBN 978-0-470-52767-2

Look inside for complete coverage of all exam objectives.

CCNA® Security

www.sybex.com


CCNA Security Study Guide

Exam IINS 640-553

EXAM OBJECTIVE MAP (chapter in which each objective is covered shown in parentheses)

Describe the security threats facing modern network infrastructures
  Describe and list mitigation methods for common network attacks (Chapters 2 and 6)
  Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks (Chapters 2 and 6)
  Describe the Cisco Self Defending Network architecture (Chapter 2)

Secure Cisco routers
  Secure Cisco routers using the SDM Security Audit feature (Chapter 5)
  Use the One-Step Lockdown feature in SDM to secure a Cisco router (Chapter 5)
  Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements (Chapter 3)
  Secure administrative access to Cisco routers by configuring multiple privilege levels (Chapter 3)
  Secure administrative access to Cisco routers by configuring role based CLI (Chapter 3)
  Secure the Cisco IOS image and configuration file (Chapter 3)

Implement AAA on Cisco routers using local router database and external ACS
  Explain the functions and importance of AAA (Chapter 4)
  Describe the features of TACACS+ and RADIUS AAA protocols (Chapter 4)
  Configure AAA authentication (Chapter 4)
  Configure AAA authorization (Chapter 4)
  Configure AAA accounting (Chapter 4)

Mitigate threats to Cisco routers and networks using ACLs
  Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets (Chapter 7)
  Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI (Chapter 7)
  Configure IP ACLs to prevent IP address spoofing using CLI (Chapter 7)
  Discuss the caveats to be considered when building ACLs (Chapter 7)

Implement secure network management and reporting
  Use CLI and SDM to configure SSH on Cisco routers to enable secured management access (Chapter 5)
  Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server (Chapter 5)

Mitigate common Layer 2 attacks
  Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features (Chapter 6)

Implement the Cisco IOS firewall feature set using SDM
  Describe the operational strengths and weaknesses of the different firewall technologies (Chapter 7)
  Explain stateful firewall operations and the function of the state table (Chapter 7)
  Implement Zone Based Firewall using SDM (Chapter 7)

Implement the Cisco IOS IPS feature set using SDM
  Define network based vs. host based intrusion detection and prevention (Chapter 8)
  Explain IPS technologies, attack responses, and monitoring options (Chapter 8)
  Enable and verify Cisco IOS IPS operations using SDM (Chapter 8)

Implement site-to-site VPNs on Cisco Routers using SDM
  Explain the different methods used in cryptography (Chapters 9 and 10)
  Explain IKE protocol functionality and phases (Chapter 10)
  Describe the building blocks of IPSec and the security functions it provides (Chapter 12)
  Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM (Chapter 12)

Exam specifications and content are subject to change at any time without prior notice and at Cisco’s sole discretion. Please visit Cisco’s website (www.cisco.com) for the most current information on exam content.


CCNA® Security Study Guide

Tim Boyles


Acquisitions Editor: Jeff Kellum
Development Editor: Stef Jones
Technical Editors: Chris Carson, Billy Haines
Production Editor: Angela Smith
Copy Editor: Judy Flynn
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Media Project Manager 1: Laura Moss-Hollister
Media Associate Producer: Doug Kuhn
Media Quality Assurance: Josh Frank
Book Designers: Judy Fung and Bill Gibson
Proofreader: Rebecca Rider
Indexer: Jack Lewis
Project Coordinator, Cover: Lynsey Stanford
Cover Designer: Ryan Sneed

Copyright © 2010 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-52767-2

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data is available from publisher.

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CCNA is a registered trademark of Cisco Technology, Inc. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1


To God and my family. Without the support and love from both, I would not be able to do what I do. Thanks for the many blessings.

Acknowledgments

When you take on a project like this, there are always a number of people involved, and this one is no exception. I could not have done this book without the help and support of several folks. First, I’d like to thank my technical editor, Chris Carson, for keeping me honest and offering candid feedback. Chris also contributed to this book by writing Chapter 10 and Chapter 11. His help was invaluable. I would also like to thank Patrick Conlan, who provided access to most of the equipment used in the writing of this book.

A special thanks goes out to Stef Jones, this book’s developmental editor. Stef was the one to keep me in line and was a tremendous help in shaping up some of the more difficult chapters.

And last but not least, thanks to the team at Sybex for supporting me in this endeavor: Pete Gaughan, editorial manager; Jeff Kellum, acquisitions editor; and Jenni Housh, Connor O’Brien, and Angela Smith, who are all on the editorial team. I’m sure I gave Jeff plenty of cause for concern over the course of the better part of a year, but we all survived—I think. Also, thanks to copyeditor Judy Flynn, proofreader Rebecca Rider, and indexer Jack Lewis.


About the Author

Tim Boyles is an IT manager at a large retailer based in the Dallas–Fort Worth Metroplex. He has been involved in networking and security for over 20 years. He is the holder of many certifications, including CISSP, CISA, CISM, GCIH, GAWN, and of course CCNA and CCNA-Security. Tim has worked on many networking and security books. He was previously the security practice leader for the South Central operation of BT Global Services and has been engaged with consulting for a number of years with numerous large corporate clients. He is also a mentor instructor for the SANS Institute, having conducted sessions on CISSP training, Incident Handling, Wireless Penetration Testing, and Web Application Security.

About the Contributor

Chris L. Carson, CCIE #19511, is a principal at Ethical Networks, a network and security consulting provider in the Dallas–Ft. Worth area. He has been in the network and security industry for more than 17 years and holds over 20 industry certifications, including CCIE, CCSP, CEH, and CCNA-Security. Most of his career has been spent working for large Cisco Gold partners throughout the United States. Chris’s previous position as a security practice manager and principal for one of the largest Cisco partners in North Texas has provided him with expertise in designing, implementing, and troubleshooting solutions for many Fortune 500 customers.


Contents at a Glance

Introduction xvii

Assessment Test xxiv

Chapter 1 Introduction to Network Security 1

Chapter 2 Creating the Secure Network 25

Chapter 3 Securing Administrative Access 51

Chapter 4 Configuring AAA Services 77

Chapter 5 Securing Your Router 117

Chapter 6 Layer 2 Security 159

Chapter 7 Implementing Cisco IOS Firewall 193

Chapter 8 Implementing Cisco IOS Intrusion Prevention 245

Chapter 9 Understanding Cryptographic Solutions 281

Chapter 10 Using Digital Signatures 299

Chapter 11 Using Asymmetric Encryption and PKI 323

Chapter 12 Implementing Site-to-Site IPsec VPN Solutions 377

Appendix A Securing Voice Solutions 425

Appendix B Introduction to SAN Security 441

Appendix C Exploring Endpoint Security 451

Appendix D Capstone Exercise 461

Appendix E About the Companion CD 483

Glossary 487

Index 495


Contents

Introduction xvii

Assessment Test xxiv

Chapter 1 Introduction to Network Security 1

Threats to Network Security 2
  External Threats 3
  Internal Threats 5
  Application Security 6
Network Security Objectives 6
  Classification of Data 8
  Security Controls 11
    Security Controls by Type 11
    Security Controls by Purpose 12
Incident Response 13
  Preparation 13
  Identification 15
  Containment 16
  Eradication 17
  Recovery 17
  Lessons Learned 17
Law and Ethics 18
  Legal Matters 18
  Intellectual Property 19
  Ethics 20
Review Questions 21
Answers to Review Questions 23

Chapter 2 Creating the Secure Network 25

Creating a Security Policy 26
  Goals of a Security Policy 26
  Policies and Procedures 27
  Other Documents 28
  Managing Risk 28
  Secure Network Design 32
  Creating Security Awareness 34
Maintaining Operational Security 35
  Defining the Systems Development Life Cycle 35
  Review of Operations Security 37
Evolution of Threats 38


The Cisco Self-Defending Network 39
  Characteristics of the Cisco Self-Defending Network 40
  Components of the Cisco Self-Defending Network 42
Summary 42
Exam Essentials 42
Written Lab 43
Review Questions 44
Answers to Review Questions 48
Answers to Written Lab 50

Chapter 3 Securing Administrative Access 51

Securing Administrative Access 52
  Methods of Accessing the Router 52
  Modes of Interaction with the Router 52
  Configuring Passwords 54
  Configuring Privilege Levels 56
  CLI Views 56
  Securing Router Files 58
  Login Features for Virtual Connections 58
  Configuring a Banner Message 59
Cisco ISR Routers 61
  Cisco Security Device Manager (SDM) 62
    Prerequisites for Running SDM 62
    Introduction to SDM 64
Summary 67
Exam Essentials 68
Written Lab 68
Hands-on Lab 69
  Hands-on Lab 3.1: Configuring Passwords 69
Review Questions 70
Answers to Review Questions 74
Answers to Written Lab 75

Chapter 4 Configuring AAA Services 77

Defining AAA Services 78
  Defining RADIUS and TACACS+ 79
    RADIUS 80
    TACACS+ 81
Configuring AAA Using Cisco Secure ACS 82
  Introduction to Cisco Secure ACS for Windows 83
  Preparation and Installation of Cisco Secure ACS for Windows 86


Configuring Authentication 91
  AAA Local User Authentication 92
  Using Method Lists 93
Configuring Authorization 94
  Configuring Accounting 95
  Configuring TACACS+ 96
Configuring AAA Services from the Command Line 97
  Configuring AAA Services with Cisco SDM 98
Troubleshooting AAA on Cisco Routers 104
Summary 106
Exam Essentials 106
Written Lab 107
Hands-on Labs 108
  Hands-on Lab 4.1: Configuring AAA Authentication with a Local Database 108
  Hands-on Lab 4.2: Configuring TACACS+ Authentication, Authorization, and Accounting 109
Review Questions 110
Answers to Review Questions 114
Answers to Written Lab 116

Chapter 5 Securing Your Router 117

Using the Command-Line Interface to Lock Down the Router 118
  Locking Down the Management Plane 118
  Locking Down the Forwarding Plane 121
Understanding One-Step Lockdown 128
  Configuring One-Step Lockdown with SDM 128
  Differences between One-Step Lockdown and AutoSecure 131
Securing Management and Logging 131
  Configuring Syslog Support on a Cisco Router 131
  Using SNMP v3 to Secure Management Traffic 134
  Securing Administration Using SSH 136
  Using SDM to Configure a Syslog Server, SSH, SNMP, and NTP 138
Summary 149
Exam Essentials 150
Written Lab 151
Hands-on Lab 151
  Hands-on Lab 5.1: Configuring a Router for SSH Administrative Access 151
Review Questions 153
Answers to Review Questions 157
Answers to Written Lab 158


Chapter 6 Layer 2 Security 159

Basic Protection of Layer 2 Switches 160
  How to Prevent VLAN Attacks 161
    Double Tagging 161
    Switch Spoofing 162
Mitigating STP Attacks 163
  Mitigating DHCP Server Spoofing 165
    Configuring DHCP Snooping 166
    Dynamic ARP Inspection 166
Protecting against CAM Table Attacks 167
  Preventing MAC Spoofing 168
  Configuring Port Security 169
  Configuring SPAN, RSPAN, and Storm Control 173
    Configuring Switched Port Analyzer (SPAN) 173
    Configuring Remote Switched Port Analyzer (RSPAN) 175
    Configuring Storm Control 178
Summary 179
Exam Essentials 179
Written Lab 181
Hands-on Labs 181
  Hands-on Lab 6.1: Configuring Protection against a Spanning Tree Attack 181
  Hands-on Lab 6.2: Configuring SPAN on a Cisco Switch to Do Troubleshooting 182
  Hands-on Lab 6.3: Configuring Port Security on a Cisco Switch 183
Review Questions 185
Answers to Review Questions 189
Answers to Written Lab 191

Chapter 7 Implementing Cisco IOS Firewall 193

Firewall Basics 194
  Packet Filtering Firewall 196
  Application-Layer Firewall 197
  Stateful Firewall 197
Access Control Lists 198
  Basic ACLs 198
  Turbo ACLs 200
  How to Develop ACLs 201
  Applying ACLs to Router Interfaces 201
  Filtering Traffic with ACLs 202
  Logical and Performance Considerations for ACLs 204


The Cisco IOS Firewall 205
  Authentication Proxy 206
  Transparent Firewall 206
  Stateful Packet Inspection 206
Configure Cisco IOS Firewall with SDM 211
  Basic Firewall 212
  Advanced Firewall 218
Verify Cisco IOS Firewall Configurations 226
  Basic Firewall 227
  Advanced Firewall 231
Implementing Zone-Based Firewall 235
Summary 236
Exam Essentials 237
Written Lab 237
Hands-on Lab 238
  Hands-on Lab 7.1: Configuring an Access List 238
Review Questions 239
Answers to Review Questions 242
Answers to Written Lab 243

Chapter 8 Implementing Cisco IOS Intrusion Prevention 245

IDS and IPS 246
  Introducing the Intrusion Detection System 246
  Basic Functions of the Intrusion Prevention System 247
  Using IDS and IPS Together 249
  Benefits and Drawbacks of IPS/IDS Sensors 250
  Types of IDS and IPS Sensors 250
  IPS Signatures 254
Configuring IOS IPS 259
Summary 273
Exam Essentials 273
Written Lab 274
Hands-on Lab 274
  Hands-on Lab 8.1: Configuring an IPS Policy Using Cisco SDM 274
Review Questions 275
Answers to Review Questions 278
Answers to Written Lab 280

Chapter 9 Understanding Cryptographic Solutions 281

Introduction to Cryptography 282
  Caesar’s Cipher 282
  Vigenère Cipher 284
