CCIE Professional Development Series
Network Security Technologies and Solutions
by Yusuf Bhaiji, CCIE No. 9305
Publisher: Cisco Press
Pub Date: March 19, 2008
Print ISBN-10: 1-58705-246-6
Print ISBN-13: 978-1-58705-246-0
eText ISBN-10: 0-7686-8196-0
eText ISBN-13: 978-0-7686-8196-3
Pages: 840

Overview

CCIE Professional Development: Network Security Technologies and Solutions
A comprehensive, all-in-one reference for Cisco network security
Yusuf Bhaiji, CCIE No. 9305

Network Security Technologies and Solutions is a comprehensive reference to the most cutting-edge security products and methodologies available to networking professionals today. This book helps you understand and implement current, state-of-the-art network security technologies to ensure secure communications throughout the network infrastructure.

With an easy-to-follow approach, this book serves as a central repository of security knowledge to help you implement end-to-end security solutions and provides a single source of knowledge covering the entire range of the Cisco network security portfolio. The book is divided into five parts mapping to Cisco security technologies and solutions: perimeter security, identity security and access management, data privacy, security monitoring, and security management. Together, all these elements enable dynamic links between customer security policy, user or host identity, and network infrastructures.

With this definitive reference, you can gain a greater understanding of the solutions available and learn how to build integrated, secure networks in today's modern, heterogeneous networking environment. This book is an excellent resource for those seeking a comprehensive reference on mature and emerging security tactics and is also a great study guide for the CCIE Security exam.

"Yusuf's extensive experience as a mentor and advisor in the security technology field has honed his ability to translate highly technical information into a straightforward, easy-to-understand format. If you're looking for a truly comprehensive guide to network security, this is the one!"
—Steve Gordon, Vice President, Technical Services, Cisco

Yusuf Bhaiji, CCIE No. 9305 (R&S and Security), has been with Cisco for seven years and is currently the program manager for Cisco CCIE Security certification. He is also the CCIE Proctor in the Cisco Dubai Lab. Prior to this, he was technical lead for the Sydney TAC Security and VPN team at Cisco.

Filter traffic with access lists and implement security features on switches
Configure Cisco IOS router firewall features and deploy ASA and PIX Firewall appliances
Understand attack vectors and apply Layer 2 and Layer 3 mitigation techniques
Secure management access with AAA
Secure access control using multifactor authentication technology
Implement identity-based network access control
Apply the latest wireless LAN security solutions
Enforce security policy compliance with Cisco NAC
Learn the basics of cryptography and implement IPsec VPNs, DMVPN, GET VPN, SSL VPN, and MPLS VPN technologies
Monitor network activity and security incident response with network and host intrusion prevention, anomaly detection, and security monitoring and correlation
Deploy security management solutions such as Cisco Security Manager, SDM, ASDM, PDM, and IDM
Learn about regulatory compliance issues such as GLBA, HIPAA, and SOX

This book is part of the Cisco CCIE Professional Development Series from Cisco Press, which offers expert-level instruction on network design, deployment, and support methodologies to help networking professionals manage complex networks and prepare for CCIE exams.

Category: Network Security
Covers: CCIE Security Exam

Table of Contents

Copyright
About the Author
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Foreword
Introduction

Part I: Perimeter Security

Chapter 1 Overview of Network Security
    Fundamental Questions for Network Security
    Transformation of the Security Paradigm
    Principles of Security—The CIA Model
    Policies, Standards, Procedures, Baselines, Guidelines
    Security Models
    Perimeter Security
    Security in Layers
    Security Wheel
    Summary
    References

Chapter 2 Access Control
    Traffic Filtering Using ACLs
    IP Address Overview
    Subnet Mask Versus Inverse Mask Overview
    ACL Configuration
    Understanding ACL Processing
    Types of Access Lists
    Summary
    References

Chapter 3 Device Security
    Device Security Policy
    Hardening the Device
    Securing Management Access for Security Appliance
    Device Security Checklist
    Summary
    References

Chapter 4 Security Features on Switches
    Securing Layer 2
    Port-Level Traffic Controls
    Private VLAN (PVLAN)
    Access Lists on Switches
    Spanning Tree Protocol Features
    Dynamic Host Configuration Protocol (DHCP) Snooping
    IP Source Guard
    Dynamic ARP Inspection (DAI)
    Advanced Integrated Security Features on High-End Catalyst Switches
    Control Plane Policing (CoPP) Feature
    CPU Rate Limiters
    Layer 2 Security Best Practices
    Summary
    References

Chapter 5 Cisco IOS Firewall
    Router-Based Firewall Solution
    Context-Based Access Control (CBAC)
    CBAC Functions
    How CBAC Works
    CBAC-Supported Protocols
    Configuring CBAC
    IOS Firewall Advanced Features
    Zone-Based Policy Firewall (ZFW)
    Summary
    References

Chapter 6 Cisco Firewalls: Appliance and Module
    Firewalls Overview
    Hardware Versus Software Firewalls
    Cisco PIX 500 Series Security Appliances
    Cisco ASA 5500 Series Adaptive Security Appliances
    Cisco Firewall Services Module (FWSM)
    Firewall Appliance Software for PIX 500 and ASA 5500
    Firewall Appliance OS Software
    Firewall Modes
    Stateful Inspection
    Application Layer Protocol Inspection
    Adaptive Security Algorithm Operation
    Security Context
    Security Levels
    Redundant Interface
    IP Routing
    Network Address Translation (NAT)
    Controlling Traffic Flow and Network Access
    Modular Policy Framework (MPF)
    Cisco AnyConnect VPN Client
    Redundancy and Load Balancing
    Firewall "Module" Software for Firewall Services Module (FWSM)
    Firewall Module OS Software
    Network Traffic Through the Firewall Module
    Installing the FWSM
    Router/MSFC Placement
    Configuring the FWSM
    Summary
    References

Chapter 7 Attack Vectors and Mitigation Techniques
    Vulnerabilities, Threats, and Exploits
    Mitigation Techniques at Layer 3
    Mitigation Techniques at Layer 2
    Security Incident Response Framework
    Summary
    References

Part II: Identity Security and Access Management

Chapter 8 Securing Management Access
    AAA Security Services
    Authentication Protocols
    Implementing AAA
    Configuration Examples
    Summary
    References

Chapter 9 Cisco Secure ACS Software and Appliance
    Cisco Secure ACS Software for Windows
    Advanced ACS Functions and Features
    Configuring ACS
    Cisco Secure ACS Appliance
    Summary
    References

Chapter 10 Multifactor Authentication
    Identification and Authentication
    Two-Factor Authentication System
    Cisco Secure ACS Support for Two-Factor Authentication Systems
    Summary
    References

Chapter 11 Layer 2 Access Control
    Trust and Identity Management Solutions
    Identity-Based Networking Services (IBNS)
    IEEE 802.1x
    Deploying an 802.1x Solution
    Implementing 802.1x Port-Based Authentication
    Summary
    References

Chapter 12 Wireless LAN (WLAN) Security
    Wireless LAN (WLAN)
    WLAN Security
    Mitigating WLAN Attacks
    Cisco Unified Wireless Network Solution
    Summary
    References

Chapter 13 Network Admission Control (NAC)
    Building the Self-Defending Network (SDN)
    Network Admission Control (NAC)
    Cisco NAC Appliance Solution
    Cisco NAC Framework Solution
    Summary
    References

Part III: Data Privacy

Chapter 14 Cryptography
    Secure Communication
    Virtual Private Network (VPN)
    Summary
    References

Chapter 15 IPsec VPN
    Virtual Private Network (VPN)
    IPsec VPN (Secure VPN)
    Public Key Infrastructure (PKI)
    Implementing IPsec VPN
    Summary
    References

Chapter 16 Dynamic Multipoint VPN (DMVPN)
    DMVPN Solution Architecture
    DMVPN Deployment Topologies
    Implementing DMVPN Hub-and-Spoke Designs
    Implementing Dynamic Mesh Spoke-to-Spoke DMVPN Designs
    Summary
    References

Chapter 17 Group Encrypted Transport VPN (GET VPN)
    GET VPN Solution Architecture
    Implementing Cisco IOS GET VPN
    Summary
    References

Chapter 18 Secure Sockets Layer VPN (SSL VPN)
    Secure Sockets Layer (SSL) Protocol
    SSL VPN Solution Architecture
    Implementing Cisco IOS SSL VPN
    Cisco AnyConnect VPN Client
    Summary
    References

Chapter 19 Multiprotocol Label Switching VPN (MPLS VPN)
    Multiprotocol Label Switching (MPLS)
    MPLS VPN (Trusted VPN)
    Comparison of L3 and L2 VPNs
    Layer 3 VPN (L3VPN)
    Implementing L3VPN
    Layer 2 VPN (L2VPN)
    Implementing L2VPN
    Summary
    References

Part IV: Security Monitoring

Chapter 20 Network Intrusion Prevention
    Intrusion System Terminologies
    Network Intrusion Prevention Overview
    Cisco IPS 4200 Series Sensors
    Cisco IDS Services Module (IDSM-2)
    Cisco Advanced Inspection and Protection Security Services Module (AIP-SSM)
    Cisco IPS Advanced Integration Module (IPS-AIM)
    Cisco IOS IPS
    Deploying IPS
    Cisco IPS Sensor OS Software
    Cisco IPS Sensor Software
    IPS High Availability
    IPS Appliance Deployment Guidelines
    Cisco Intrusion Prevention System Device Manager (IDM)
    Configuring IPS Inline VLAN Pair Mode
    Configuring IPS Inline Interface Pair Mode
    Configuring Custom Signature and IPS Blocking
    Summary
    References

Chapter 21 Host Intrusion Prevention
    Securing Endpoints Using a Signatureless Mechanism

Index

R

remote access IPsec VPN
    Cisco Easy VPN, implementing
    DVTI, implementing
    implementing
replay attacks, countering with OTP
reporting devices
restrict mode (port security)
RF bands in 802.11 standards
RFC 1918
RFCs, IPsec VPN-related
RIP, configuring on Cisco Security Appliance
RIRs (Regional Internet Registries)
risk assessment
    Layer 2 mitigation techniques
        ACLs, configuring
        BPDU Guard, configuring
        DAI
        DHCP snooping, configuring
        PEAP, enabling
        switch Port Security feature
        VLAN configuration, modifying
        VTP passwords
    Layer 3 mitigation techniques
        CAR
        IP source tracking
        IP spoofing
        MQC
        NBAR
        NetFlow
        PBR
        TCP Intercept
        traffic characterization
        traffic classification
        traffic policing
        uRPF
risk assessment policies
ROMMON security
ROOT Guard, configuring for STP attack mitigation
root guard
Routed Firewall mode (Cisco Security Appliance)
routed mode, multiple security contexts
Router ACLs
router security audit feature, Cisco SDM
router-generated traffic inspection
routers supported on Cisco NAC Framework solution
routers supported on Cisco SDM
RR (Risk Rating)
RSA algorithm
RSA SecurID token server, configuring Cisco Secure ACS
RTT (Round Trip Time)
rule modules
rules

S

S/KEY
Safe Blueprint
script kiddies
SDEE (Security Device Event Exchange)
SDM (Cisco Router and Security Device Manager)
    features
    monitor mode
    one-step lockdown feature
    operation
    router security audit feature
    supported routers and IOS versions
    system requirements
SDN (Cisco Self-Defending Network)
    Cisco NAC
secondary VLANs
secure VPN [See also IPsec VPN.]
    anti-replay service
    IKE
    IKEv2
    ISAKMP profiles
    phase 1 negotiation
    phase 2 negotiation
    profiles
    protocol headers
    RFCs
security contexts
    configuring
    routed mode
    transparent mode
security incident response
    IRT
    5-step reaction process
security levels
security models
security policies
    device security policy
    security checklist
    enforcement, Cisco NAC Framework solution
        NAC-L2-802.1x
        NAC-L2-IP
        NAC-L3-IP
security violation modes (port security)
security wheel
security zones
sensing interface (IPS)
server groups, configuring
service engine
services
    accounting
    authentication
    authorization
sessions, CS-MARS
SFR (Signature Fidelity Rating)
SHA (Secure Hash Algorithm)
shared-key authentication
shell command authorization sets
shift in security paradigm
show interfaces rate-limit command
SHSD (single hub single DMVPN) topology
shutdown mode (port security)
signature engines
signatureless endpoint security
signatures
    custom, configuring
single-channel TCP/UDP inspection
site-to-site IPsec VPNs, implementing
SLB (server load-balancing) topology, configuring
SLIP-PPP banner messages
smart cards
smurf attacks, characterizing
SNMP (Simple Network Management Protocol)
software versioning, CS-MARS
software-based firewalls versus hardware-based
source routing
source tracking
SOX (Sarbanes-Oxley Act)
    Cisco solutions for
    penalties for violations
    requirements
SPC (Shared Profile Components)
SPI (stateful packet inspection)
spread-spectrum technology
SSH (Secure Shell)
    device access from Cisco PIX 500, ASA 5500
    device access, configuring
SSID (Service Set Identifiers)
SSL VPNs
    access methods
    Cisco AnyConnect VPN Client
    Citrix support
    configuring
    deployment options
    features
    versus IPsec VPNs
standalone deployment, CS-MARS
standard ACLs
standards
state engine
stateful failover mode
stateful packet inspection
static identity NAT
static NAT, configuring
static PAT
static route tracking
static routes
static WEP
STM (security threat mitigation) systems, CS-MARS
storm control
STP
    BPDU guard
    EtherChannel Guard
    Loop Guard
    Root Guard
STP attacks, mitigating
stream cipher
string engine
subnet masks
SUP 720, CPU rate limiters
supplicant (IEEE 802.1x)
supported devices on Cisco Security Manager
supported firewalls on Cisco ASDM
supported routers on Cisco SDM
SVTI (static VTI)
sweep engine
switches supported on Cisco NAC Framework solution
switchport port-security command
symmetric key cryptography
SYN attacks, characterizing
Syslog to Access Rule Correlation (Cisco ASDM)
system requirements
    for Cisco IDM
    for Cisco SDM

T

TACACS+
    command authorization, configuring
    communication
    login authentication, configuring
    packets
    security
    versus RADIUS
tag switching
TCP hijacking
TCP Intercept
    as firewall feature
    configuring
TCP normalization
TCP/UDP small-servers
TCV (Topology-Centric View)
TDP (Tag Distribution Protocol)
Telnet, configuring device access from Cisco PIX 500
TFTP (Trivial File Transfer Protocol)
Thick Client Mode (SSL VPN)
Thin Client Mode (SSL VPN)
threat modeling
time-based ACLs
time-synchronized OTP
TKIP (Temporal Key Integrity Protocol)
TLS (Transport Layer Security) protocol
tokens
    RADIUS-enabled token server, configuring Cisco Secure ACS
    RSA SecurID token server, configuring Cisco Secure ACS
topological awareness of CS-MARS
TR (Threat Rating)
traffic anomaly engine
traffic characterization using ACLs
traffic classification
traffic flow requirements, Cisco Security Manager
traffic flows in CS-MARS
traffic ICMP engine
traffic marking
traffic policing
traffic, debugging
transit ACLs
Transparent Firewall mode (Cisco Security Appliance)
transparent IOS Firewall
transparent mode, multiple security contexts
transport mode (IPsec)
tree-based DMVPN topology, configuring
trojan engine
Trojans
trusted VPNs
    comparing L2 and L3 VPNs
    L2VPN
        implementing
        service architectures
    L3 VPN
        components
        implementing
        VRF tables
tunnel mode (IPsec)
Turbo ACLs
TVR (Target Value Rating)
two-factor authentication systems
    Cisco Secure ACS, support for
    OTP
    S/KEY
    smart cards
    tokens
Two-Rate Policing
Type 5 passwords
Type 7 passwords

U

unauthorized port state
Unconditional Packet Discard feature (MQC)
uRPF (Unicast RPF)
    antispoofing
    configuring
user authentication
user requirements, Cisco ASDM

V

VACLs (VLAN ACLs)
    configuring
verifying CBAC configuration
VFR (Virtual Fragmentation and Reassembly)
virtualization
viruses
VLAN configuration, modifying for VLAN hopping attack mitigation
VPLS (Virtual Private LAN Service)
    implementing
VPN management (Cisco Security Manager)
VPN Route Target Communities
VPNs
    connection-oriented
    connectionless
    extranet VPNs
    GET VPNs
        benefits of
        deployment options
        DMVPN
        features of
        functional components
        GDOI
        group member ACL
        implementing
        IP header preservation
        versus IPsec VPNs
    hybrid VPNs
    Internet VPNs
    intranet VPNs
    IPsec VPN
        anti-replay service
        DMVPN
        IKE
        IKEv2
        implementing
        ISAKMP profiles
        phase 1 negotiation
        phase 2 negotiation
        profiles
        protocol headers
        RFCs
        for WLANs
    MPLS VPN
        deployment scenarios
        versus IPsec VPN
    secure VPNs
    SSL
        access methods
        Cisco AnyConnect VPN Client
        Citrix support
        configuring
        deployment options
        features
        versus IPsec VPNs
    Trusted VPN technologies
        comparing L2 and L3 VPNs
        L2VPN
        L3 VPN
VPWS (Virtual Private Wire Service)
VRF tables
VTP passwords, mitigating VTP attacks
VTY port, interactive device access

W

web-based management interface, CS-MARS
websites, IETF
WEP (Wired Equivalent Privacy)
Wi-Fi Alliance
wireless access points supported on Cisco NAC Framework solution
wireless bridges
wireless LAN controllers supported on Cisco NAC Framework solution
wireless NIC
wire-speed ACLs [See VACLs.]
WLAN IPS solution
WLANs
    AP
    Cisco Unified Wireless Network solution
    components of
    IEEE protocol standards
    NAC
    security
        attacks, mitigating
        available technologies
        client authentication
        EAP
        EAP-FAST
        EAP-MD5
        EAP-TLS
        EAP-TTLS
        LEAP
        MAC authentication
        "open-access" policy
        PEAP
        SSID
        WEP
        WPA
    spread-spectrum technology
    VPN
        IPsec
    wireless NIC
workflow mode (Cisco Security Manager)
worms
WPA (Wi-Fi Protected Access)
WPA2

Z

zero-day attacks, MyDoom worm
ZFW (Zone-Based Policy Firewall)
    AIC
    configuring
    security zones
zone filters, configuring on Cisco Traffic Anomaly Detector
zones (AD)

... System (CS-MARS); Deploying CS-MARS; Summary; References. Part V: Security Management. Chapter 24 Security and Policy Management: Cisco Security Management Solutions; Cisco Security Manager; Cisco Router and Security Device Manager (SDM) ...

... comprehensive, end-to-end solutions. Goals and Methods: Cisco Network Security Technologies and Solutions is a comprehensive all-in-one reference book that covers all major Cisco Security products, technologies, and solutions ...

... Whether you are an expert in networking and security or a novice, this book is a valuable resource. Many books on network security are based primarily on concepts and theory. Network Security Technologies and Solutions, however, goes far beyond that