CCNA security


Document information

This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial distribution and exclusive use by instructors in the CCNA Security course as part of an official Cisco Networking Academy Program. Network attacks have resulted in the loss of sensitive data and significant network downtime. When a network or the resources in it are inaccessible, worker productivity can suffer, and business income may be lost. Attackers have developed many tools over the...

CCNA Security Exam Cram
Eric L. Stewart

Copyright © 2009 by Pearson Education, Inc. All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-3800-4
ISBN-10: 0-7897-3800-7

Library of Congress Cataloging-in-Publication Data
Stewart, Eric L.
CCNA security exam cram / Eric L. Stewart.
p. cm.
Includes bibliographical references and index.
ISBN-13: 978-0-7897-3800-4 (pbk. w/cd)
ISBN-10: 0-7897-3800-7 (pbk. w/cd)
1. Computer networks--Security measures--Examinations--Study guides. 2. Cisco Systems, Inc. I. Title.
TK5105.59.S758 2009
005.8076--dc22
2008038852

Printed in the United States of America
First Printing: October 2008

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Cisco, Cisco Systems, and CCNA are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this book are the property of their respective owners.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

Bulk Sales
Que Publishing offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States, please contact International Sales, international@pearson.com.

Associate Publisher: David Dusthimer
Executive Editor: Brett Bartow
Development Editor: Andrew Cupp
Managing Editor: Patrick Kanouse
Project Editor: Mandie Frank
Copy Editor: Water Crest Publishing
Indexer: Ken Johnson
Proofreader: Leslie Joseph
Technical Editors: William G. Huisman, Ryan Lindfield
Publishing Coordinator: Vanessa Evans
Multimedia Developer: Dan Scherf
Book Designer: Gary Adair
Composition: TnT Design, Inc.

Contents at a Glance
Introduction 1
Self Assessment 5
Part I: Network Security Architecture
  CHAPTER 1: Network Insecurity 15
  CHAPTER 2: Building a Secure Network Using Security Controls 51
Part II: Perimeter Security
  CHAPTER 3: Security at the Network Perimeter 87
  CHAPTER 4: Implementing Secure Management and Hardening the Router 147
Part III: Augmenting Depth of Defense
  CHAPTER 5: Using Cisco IOS Firewalls to Implement a Network Security Policy 185
  CHAPTER 6: Introducing Cryptographic Services 245
  CHAPTER 7: Virtual Private Networks with IPsec 291
  CHAPTER 8: Network Security Using Cisco IOS IPS 341
Part IV: Security Inside the Perimeter
  CHAPTER 9: Introduction to Endpoint, SAN, and Voice Security 395
  CHAPTER 10: Protecting Switch Infrastructure 421
Part V: Practice Exams and Answers
  Practice Exam 1 443
  Answers to Practice Exam 1 461
  Practice Exam 2 471
  Answers to Practice Exam 2 487
Part VI: Appendixes
  A: What’s on the CD-ROM 499
  B: Need to Know More? 503
Index 507

Table of Contents
Introduction 1
  Organization and Elements of This Book 1
  Contacting the Author 4
Self Assessment 5
  Who Is a CCNA Security? 5
  The Ideal CCNA Security Candidate 6
  Put Yourself to the Test 8
  Exam Topics for 640-553 IINS (Implementing Cisco IOS Network Security) 10
  Strategy for Using This Exam Cram 12
Part I: Network Security Architecture
Chapter 1: Network Insecurity 15
  Exploring Network Security Basics and the Need for Network Security 16
    The Threats 16
    Other Reasons for Network Insecurity 18
    The CIA Triad 18
    Data Classification 21
    Security Controls 22
    Incident Response 25
    Laws and Ethics 26
  Exploring the Taxonomy of Network Attacks 29
    Adversaries 30
    How Do Hackers Think? 32
    Concepts of Defense in Depth 32
    IP Spoofing Attacks 34
    Attacks Against Confidentiality 36
    Attacks Against Integrity 38
    Attacks Against Availability 42
  Best Practices to Thwart Network Attacks 45
    Administrative Controls 45
    Technical Controls 46
    Physical Controls 46
  Exam Prep Questions 47
  Answers to Exam Prep Questions 50
Chapter 2: Building a Secure Network Using Security Controls 51
  Defining Operations Security Needs 52
    Cisco System Development Life Cycle for Secure Networks 52
    Operations Security Principles 54
    Network Security Testing 55
    Disaster Recovery and Business Continuity Planning 59
  Establishing a Comprehensive Network Security Policy 61
    Defining Assets 62
    The Need for a Security Policy 63
    Policies 64
    Standards, Guidelines, and Procedures 65
    Who Is Responsible for the Security Policy? 66
    Risk Management 67
    Principles of Secure Network Design 70
  Examining Cisco’s Model of the Self-Defending Network 73
    Where Is the Network Perimeter? 73
    Building a Cisco Self-Defending Network 74
    Components of the Cisco Self-Defending Network 75
    Cisco Integrated Security Portfolio 79
  Exam Prep Questions 81
  Answers to Exam Prep Questions 84
Part II: Perimeter Security
Chapter 3: Security at the Network Perimeter 87
  Cisco IOS Security Features 88
    Where Do You Deploy an IOS Router? 88
    Cisco ISR Family and Features 90
vi CCNA Security Exam Cram
  Securing Administrative Access to Cisco Routers 91
    Review Line Interfaces 92
    Password Best Practices 94
    Configuring Passwords 94
    Setting Multiple Privilege Levels 97
    Configuring Role-Based Access to the CLI 98
    Configuring the Cisco IOS Resilient Configuration Feature 101
    Protecting Virtual Logins from Attack 102
    Configuring Banner Messages 104
  Introducing Cisco SDM 105
    Files Required to Run Cisco SDM from the Router 106
    Using Cisco SDM Express 107
    Launching Cisco SDM 108
    Cisco SDM Smart Wizards 110
    Advanced Configuration with SDM 111
    Cisco SDM Monitor Mode 113
  Configuring Local Database AAA on a Cisco Router 114
    Authentication, Authorization, and Accounting (AAA) 114
    Two Reasons for Implementing AAA on Cisco Routers 114
    Cisco’s Implementation of AAA for Cisco Routers 115
    Tasks to Configure Local Database AAA on a Cisco Router 116
    Additional Local Database AAA CLI Commands 120
  Configuring External AAA on a Cisco Router Using Cisco Secure ACS 121
    Why Use Cisco Secure ACS? 123
    Cisco Secure ACS Features 123
    Cisco Secure ACS for Windows Installation Requirements 124
    Cisco Secure ACS Solution Engine and Cisco Secure ACS Express 5.0 Comparison 125
    TACACS+ or RADIUS? 125
    Prerequisites for Cisco Secure ACS 126
    Three Main Tasks for Setting Up External AAA 127
    Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+ 140
    AAA Configuration Snapshot 141
  Exam Prep Questions 142
  Answers to Exam Prep Questions 145
Chapter 4: Implementing Secure Management and Hardening the Router 147
  Planning for Secure Management and Reporting 148
    What to Log 149
    How to Log 150
    Reference Architecture for Secure Management and Reporting 151
    Secure Management and Reporting Guidelines 153
    Logging with Syslog 153
    Cisco Security MARS 154
    Where to Send Log Messages 154
    Log Message Levels 155
    Log Message Format 156
    Enabling Syslog Logging in SDM 156
    Using SNMP 157
    Configuring the SSH Daemon 161
    Configuring Time Features 165
  Using Cisco SDM and CLI Tools to Lock Down the Router 167
    Router Services and Interface Vulnerabilities 167
    Performing a Security Audit 172
  Exam Prep Questions 180
  Answers to Exam Prep Questions 182
Part III: Augmenting Depth of Defense
Chapter 5: Using Cisco IOS Firewalls to Implement a Network Security Policy 185
  Examining and Defining Firewall Technologies 187
    What Is a Firewall? 188
    Characteristics of a Firewall 189
    Firewall Advantages 189
    Firewall Disadvantages 190
    Role of Firewalls in a Layered Defense Strategy 190
    Types of Firewalls 190
    Cisco Family of Firewalls 201
    Firewall Implementation Best Practices 202
  Creating Static Packet Filters with ACLs 203
    Threat Mitigation with ACLs 203
    Inbound Versus Outbound 203
    Identifying ACLs 205
    ACL Examples Using the CLI 205
    ACL Guidelines 208
    Using the Cisco SDM to Configure ACLs 209
    Using ACLs to Filter Network Services 212
    Using ACLs to Mitigate IP Address Spoofing Attacks 213
    Using ACLs to Filter Other Common Services 216
  Cisco Zone-Based Policy Firewall Fundamentals 218
    Advantages of ZPF 220
    Features of ZPF 221
    ZPF Actions 221
    Zone Behavior 221
    Using the Cisco SDM Basic Firewall Wizard to Configure ZPF 224
    Manually Configuring ZPF with the Cisco SDM 233
    Monitoring ZPF 238
  Exam Prep Questions 241
  Answers to Exam Prep Questions 244
Chapter 6: Introducing Cryptographic Services 245
  Cryptology Overview 246
    Cryptanalysis 249
    Encryption Algorithm (Cipher) Desirable Features 251
    Symmetric Key Versus Asymmetric Key Encryption Algorithms 251
    Block Versus Stream Ciphers 254
    Which Encryption Algorithm Do I Choose? 255
    Cryptographic Hashing Algorithms 256
    Principles of Key Management 256
    Other Key Considerations 257
    SSL VPNs 259
  Exploring Symmetric Key Encryption 261
    DES 263
    3DES 264
    AES 265
    SEAL 266
    Rivest Ciphers (RC) 267
  Exploring Cryptographic Hashing Algorithms and Digital Signatures 268
    HMACs 270
    Message Digest 5 (MD5) 271
    Secure Hashing Algorithm 1 (SHA-1) 272
    Digital Signatures 272
  Exploring Asymmetric Key Encryption and Public Key Infrastructure 275
    Encryption with Asymmetric Keys 276
    Authentication with Asymmetric Keys 277
    Public Key Infrastructure Overview 277
    PKI Topologies 278
    PKI and Usage Keys 279
    PKI Server Offload and Registration Authorities (RAs) 280
    PKI Standards 280
    Certificate Enrollment Process 282
    Certificate-Based Authentication 283
    Certificate Applications 284
  Exam Prep Questions 286
  Answers to Exam Prep Questions 289
Chapter 7: Virtual Private Networks with IPsec 291
  Overview of VPN Technology 292
    Cisco VPN Products 293
    VPN Benefits 293
    Site-to-Site VPNs 294
    Remote-Access VPNs 295
    Cisco IOS SSL VPN 296
    Cisco VPN Product Positioning 297
    VPN Clients 299
    Hardware-Accelerated Encryption 300
    IPsec Compared to SSL 301

Posted: 20/08/2013, 16:11
