CCNA Security 640-554 Official Cert Guide Premium Edition eBook and Practice Test
- By Keith Barker, Scott Morris
- Published Jul 6, 2012 by Cisco Press.
- Copyright 2013
- Edition: 1st
- Premium Edition eBook
- ISBN-10: 0-13-296608-5
- ISBN-13: 978-0-13-296608-5
The CCNA Security 640-554 Official Cert Guide, Premium Edition eBook and Practice Test is a digital-only certification preparation product that combines an eBook with the enhanced Pearson IT Certification Practice Test. The Premium Edition eBook and Practice Test contains the following items:
- The CCNA Security 640-554 Premium Edition Practice Test, including four full practice exams (over 250 questions) and enhanced practice test features
- PDF and EPUB formats of the CCNA Security 640-554 Official Cert Guide from Cisco Press, which are accessible via your PC, tablet, and smartphone
About the Premium Edition Practice Test
This Premium Edition contains an enhanced version of the Pearson IT Certification Practice Test (PCPT) software with four full practice exams. In addition, it contains all the chapter-opening assessment questions from the book. This integrated learning package:
- Allows you to focus on individual topic areas or take complete, timed exams
- Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
- Provides unique sets of exam-realistic practice questions
- Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most
Pearson IT Certification Practice Test minimum system requirements:
- Windows XP (SP3), Windows Vista (SP2), or Windows 7
- Microsoft .NET Framework 4.0 Client
- Pentium-class 1 GHz processor (or equivalent)
- 512 MB RAM
- 650 MB disk space plus 50 MB for each downloaded practice exam
About the Premium Edition eBook
CCNA Security 640-554 Official Cert Guide is a best-of-breed Cisco exam study guide that focuses specifically on the objectives for the CCNA Security IINS exam. Cisco Certified Internetwork Experts (CCIEs) Keith Barker and Scott Morris share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
CCNA Security 640-554 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
This eBook comes complete with 90 minutes of video training on CCP, NAT, object groups, ACLs, port security on a Layer 2 switch, CP3L, and zone-based firewalls. See the last page of the eBook file for instructions on downloading the videos.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
This official study guide helps you master all the topics on the CCNA Security IINS exam, including:
- Network security concepts
- Security policies and strategies
- Network foundation protection (NFP)
- Cisco Configuration Professional (CCP)
- Management plane security
- AAA security
- Layer 2 security threats
- IPv6 security
- Threat mitigation and containment
- Access Control Lists (ACLs)
- Network Address Translation (NAT)
- Cisco IOS zone-based firewalls and ASA firewalls
- Intrusion prevention and detection systems
- Public Key Infrastructure (PKI) and cryptography
- Site-to-site IPsec VPNs and SSL VPNs
Table of Contents
Introduction xxv
Part I Fundamentals of Network Security
Chapter 1 Networking Security Concepts
“Do I Know This Already?” Quiz 5
Foundation Topics 8
Understanding Network and Information Security Basics 8
Network Security Objectives 8
Confidentiality, Integrity, and Availability 8
Cost-Benefit Analysis of Security 9
Classifying Assets 10
Classifying Vulnerabilities 11
Classifying Countermeasures 12
What Do We Do with the Risk? 12
Recognizing Current Network Threats 13
Potential Attackers 13
Attack Methods 14
Attack Vectors 15
Man-in-the-Middle Attacks 15
Other Miscellaneous Attack Methods 16
Applying Fundamental Security Principles to Network Design 17
Guidelines 17
How It All Fits Together 19
Exam Preparation Tasks 20
Review All the Key Topics 20
Complete the Tables and Lists from Memory 20
Define Key Terms 20
Chapter 2 Understanding Security Policies Using a Lifecycle Approach
“Do I Know This Already?” Quiz 23
Foundation Topics 25
Risk Analysis and Management 25
Secure Network Lifecycle 25
Risk Analysis Methods 25
Security Posture Assessment 26
An Approach to Risk Management 27
Regulatory Compliance Affecting Risk 28
Security Policies 28
Who, What, and Why 28
Specific Types of Policies 29
Standards, Procedures, and Guidelines 30
Testing the Security Architecture 31
Responding to an Incident on the Network 32
Collecting Evidence 32
Reasons for Not Being an Attacker 32
Liability 33
Disaster Recovery and Business Continuity Planning 33
Exam Preparation Tasks 34
Review All the Key Topics 34
Complete the Tables and Lists from Memory 34
Define Key Terms 34
Chapter 3 Building a Security Strategy
“Do I Know This Already?” Quiz 37
Foundation Topics 40
Securing Borderless Networks 40
The Changing Nature of Networks 40
Logical Boundaries 40
SecureX and Context-Aware Security 42
Controlling and Containing Data Loss 42
An Ounce of Prevention 42
Secure Connectivity Using VPNs 43
Secure Management 43
Exam Preparation Tasks 44
Review All the Key Topics 44
Complete the Tables and Lists from Memory 44
Define Key Terms 44
Part II Protecting the Network Infrastructure
Chapter 4 Network Foundation Protection
“Do I Know This Already?” Quiz 49
Foundation Topics 52
Using Network Foundation Protection to Secure Networks 52
The Importance of the Network Infrastructure 52
The Network Foundation Protection (NFP) Framework 52
Interdependence 53
Implementing NFP 53
Understanding the Management Plane 55
First Things First 55
Best Practices for Securing the Management Plane 55
Understanding the Control Plane 56
Best Practices for Securing the Control Plane 56
Understanding the Data Plane 57
Best Practices for Protecting the Data Plane 59
Additional Data Plane Protection Mechanisms 59
Exam Preparation Tasks 60
Review All the Key Topics 60
Complete the Tables and Lists from Memory 60
Define Key Terms 60
Chapter 5 Using Cisco Configuration Professional to Protect the Network Infrastructure
“Do I Know This Already?” Quiz 63
Foundation Topics 65
Introducing Cisco Configuration Professional 65
Understanding CCP Features and the GUI 65
The Menu Bar 66
The Toolbar 67
Left Navigation Pane 68
Content Pane 69
Status Bar 69
Setting Up New Devices 69
CCP Building Blocks 70
Communities 70
Templates 74
User Profiles 78
CCP Audit Features 81
One-Step Lockdown 84
A Few Highlights 84
Exam Preparation Tasks 88
Review All the Key Topics 88
Complete the Tables and Lists from Memory 88
Define Key Terms 88
Command Reference to Check Your Memory 89
Chapter 6 Securing the Management Plane on Cisco IOS Devices
“Do I Know This Already?” Quiz 91
Foundation Topics 94
Securing Management Traffic 94
What Is Management Traffic and the Management Plane? 94
Beyond the Blue Rollover Cable 94
Management Plane Best Practices 95
Password Recommendations 97
Using AAA to Verify Users 97
AAA Components 98
Options for Storing Usernames, Passwords, and Access Rules 98
Authorizing VPN Users 99
Router Access Authentication 100
The AAA Method List 101
Role-Based Access Control 102
Custom Privilege Levels 103
Limiting the Administrator by Assigning a View 103
Encrypted Management Protocols 103
Using Logging Files 104
Understanding NTP 105
Protecting Cisco IOS Files 106
Implement Security Measures to Protect the Management Plane 106
Implementing Strong Passwords 106
User Authentication with AAA 108
Using the CLI to Troubleshoot AAA for Cisco Routers 113
RBAC Privilege Level/Parser View 118
Implementing Parser Views 120
SSH and HTTPS 122
Implementing Logging Features 125
Configuring Syslog Support 125
SNMP Features 128
Configuring NTP 131
Securing the Cisco IOS Image and Configuration Files 133
Exam Preparation Tasks 134
Review All the Key Topics 134
Complete the Tables and Lists from Memory 135
Define Key Terms 135
Command Reference to Check Your Memory 135
Chapter 7 Implementing AAA Using IOS and the ACS Server
“Do I Know This Already?” Quiz 137
Foundation Topics 140
Cisco Secure ACS, RADIUS, and TACACS 140
Why Use Cisco ACS? 140
What Platform Does ACS Run On? 141
What Is ISE? 141
Protocols Used Between the ACS and the Router 141
Protocol Choices Between the ACS Server and the Client (the Router) 142
Configuring Routers to Interoperate with an ACS Server 143
Configuring the ACS Server to Interoperate with a Router 154
Verifying and Troubleshooting Router-to-ACS Server Interactions 164
Exam Preparation Tasks 171
Review All the Key Topics 171
Complete the Tables and Lists from Memory 171
Define Key Terms 171
Command Reference to Check Your Memory 172
Chapter 8 Securing Layer 2 Technologies
“Do I Know This Already?” Quiz 175
Foundation Topics 178
VLAN and Trunking Fundamentals 178
What Is a VLAN? 178
Trunking with 802.1Q 180
Following the Frame, Step by Step 181
The Native VLAN on a Trunk 181
So, What Do You Want to Be? (Says the Port) 182
Inter-VLAN Routing 182
The Challenge of Using Physical Interfaces Only 182
Using Virtual “Sub” Interfaces 182
Spanning-Tree Fundamentals 183
Loops in Networks Are Usually Bad 184
The Life of a Loop 184
The Solution to the Layer 2 Loop 184
STP Is Wary of New Ports 187
Improving the Time Until Forwarding 187
Common Layer 2 Threats and How to Mitigate Them 188
Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too 188
Layer 2 Best Practices 189
Do Not Allow Negotiations 190
Layer 2 Security Toolkit 190
Specific Layer 2 Mitigation for CCNA Security 191
BPDU Guard 191
Root Guard 192
Port Security 192
Exam Preparation Tasks 195
Review All the Key Topics 195
Complete the Tables and Lists from Memory 195
Review the Port Security Video Included with This Book 196
Define Key Terms 196
Command Reference to Check Your Memory 196
Chapter 9 Securing the Data Plane in IPv6
“Do I Know This Already?” Quiz 199
Foundation Topics 202
Understanding and Configuring IPv6 202
Why IPv6? 202
The Format of an IPv6 Address 203
Understanding the Shortcuts 205
Did We Get an Extra Address? 205
IPv6 Address Types 206
Configuring IPv6 Routing 208
Moving to IPv6 210
Developing a Security Plan for IPv6 210
Best Practices Common to Both IPv4 and IPv6 210
Threats Common to Both IPv4 and IPv6 212
The Focus on IPv6 Security 213
New Potential Risks with IPv6 213
IPv6 Best Practices 214
Exam Preparation Tasks 216
Review All the Key Topics 216
Complete the Tables and Lists from Memory 216
Define Key Terms 217
Command Reference to Check Your Memory 217
Part III Mitigating and Controlling Threats
Chapter 10 Planning a Threat Control Strategy
“Do I Know This Already?” Quiz 221
Foundation Topics 224
Designing Threat Mitigation and Containment 224
The Opportunity for the Attacker Is Real 224
Many Potential Risks 224
The Biggest Risk of All 224
Where Do We Go from Here? 225
Securing a Network via Hardware/Software/Services 226
Switches 227
Routers 228
ASA Firewall 230
Other Systems and Services 231
Exam Preparation Tasks 232
Review All the Key Topics 232
Complete the Tables and Lists from Memory 232
Define Key Terms 232
Chapter 11 Using Access Control Lists for Threat Mitigation
“Do I Know This Already?” Quiz 235
Foundation Topics 238
Access Control List Fundamentals and Benefits 238
Access Lists Aren’t Just for Breakfast Anymore 238
Stopping Malicious Traffic with an Access List 239
What Can We Protect Against? 240
The Logic in a Packet-Filtering ACL 241
Standard and Extended Access Lists 242
Line Numbers Inside an Access List 243
Wildcard Masks 244
Object Groups 244
Implementing IPv4 ACLs as Packet Filters 244
Putting the Policy in Place 244
Monitoring the Access Lists 255
To Log or Not to Log 257
Implementing IPv6 ACLs as Packet Filters 259
Exam Preparation Tasks 263
Review All the Key Topics 263
Complete the Tables and Lists from Memory 263
Review the NAT Video Included with This Book 263
Define Key Terms 264
Command Reference to Check Your Memory 264
Chapter 12 Understanding Firewall Fundamentals
“Do I Know This Already?” Quiz 267
Foundation Topics 270
Firewall Concepts and Technologies 270
Firewall Technologies 270
Objectives of a Good Firewall 270
Firewall Justifications 271
The Defense-in-Depth Approach 272
Five Basic Firewall Methodologies 273
Static Packet Filtering 274
Application Layer Gateway 275
Stateful Packet Filtering 276
Application Inspection 277
Transparent Firewalls 277
Using Network Address Translation 278
NAT Is About Hiding or Changing the Truth About Source Addresses 278
Inside, Outside, Local, Global 279
Port Address Translation 280
NAT Options 281
Creating and Deploying Firewalls 283
Firewall Technologies 283
Firewall Design Considerations 283
Firewall Access Rules 284
Packet-Filtering Access Rule Structure 285
Firewall Rule Design Guidelines 285
Rule Implementation Consistency 286
Exam Preparation Tasks 288
Review All the Key Topics 288
Complete the Tables and Lists from Memory 288
Define Key Terms 288
Chapter 13 Implementing Cisco IOS Zone-Based Firewalls
“Do I Know This Already?” Quiz 291
Foundation Topics 294
Cisco IOS Zone-Based Firewall 294
How Zone-Based Firewall Operates 294
Specific Features of Zone-Based Firewalls 294
Zones and Why We Need Pairs of Them 295
Putting the Pieces Together 296
Service Policies 297
The Self Zone 300
Configuring and Verifying Cisco IOS Zone-Based Firewall 300
First Things First 301
Using CCP to Configure the Firewall 301
Verifying the Firewall 314
Verifying the Configuration from the Command Line 315
Implementing NAT in Addition to ZBF 319
Verifying Whether NAT Is Working 322
Exam Preparation Tasks 324
Review All the Key Topics 324
Review the Video Bonus Material 324
Complete the Tables and Lists from Memory 324
Define Key Terms 325
Command Reference to Check Your Memory 325
Chapter 14 Configuring Basic Firewall Policies on Cisco ASA
“Do I Know This Already?” Quiz 327
Foundation Topics 330
The ASA Appliance Family and Features 330
Meet the ASA Family 330
ASA Features and Services 331
ASA Firewall Fundamentals 333
ASA Security Levels 333
The Default Flow of Traffic 335
Tools to Manage the ASA 336
Initial Access 337
Packet Filtering on the ASA 337
Implementing a Packet-Filtering ACL 338
Modular Policy Framework 338
Where to Apply a Policy 339
Configuring the ASA 340
Beginning the Configuration 340
Getting to the ASDM GUI 345
Configuring the Interfaces 347
IP Addresses for Clients 355
Basic Routing to the Internet 356
NAT and PAT 357
Permitting Additional Access Through the Firewall 359
Using Packet Tracer to Verify Which Packets Are Allowed 362
Verifying the Policy of No Telnet 366
Exam Preparation Tasks 368
Review All the Key Topics 368
Complete the Tables and Lists from Memory 368
Define Key Terms 369
Command Reference to Check Your Memory 369
Chapter 15 Cisco IPS/IDS Fundamentals
“Do I Know This Already?” Quiz 371
Foundation Topics 374
IPS Versus IDS 374
What Sensors Do 374
Difference Between IPS and IDS 374
Sensor Platforms 376
True/False Negatives/Positives 376
Positive/Negative Terminology 377
Identifying Malicious Traffic on the Network 377
Signature-Based IPS/IDS 377
Policy-Based IPS/IDS 378
Anomaly-Based IPS/IDS 378
Reputation-Based IPS/IDS 378
When Sensors Detect Malicious Traffic 379
Controlling Which Actions the Sensors Should Take 381
Implementing Actions Based on the Risk Rating 382
IPv6 and IPS 382
Circumventing an IPS/IDS 382
Managing Signatures 384
Signature or Severity Levels 384
Monitoring and Managing Alarms and Alerts 385
Security Intelligence 385
IPS/IDS Best Practices 386
Exam Preparation Tasks 387
Review All the Key Topics 387
Complete the Tables and Lists from Memory 387
Define Key Terms 387
Chapter 16 Implementing IOS-Based IPS
“Do I Know This Already?” Quiz 389
Foundation Topics 392
Understanding and Installing an IOS-Based IPS 392
What Can IOS IPS Do? 392
Installing the IOS IPS Feature 393
Getting to the IPS Wizard 394
Working with Signatures in an IOS-Based IPS 400
Actions That May Be Taken 405
Best Practices When Tuning IPS 412
Managing and Monitoring IPS Alarms 412
Exam Preparation Tasks 417
Review All the Key Topics 417
Complete the Tables and Lists from Memory 417
Define Key Terms 417
Command Reference to Check Your Memory 418
Part IV Using VPNs for Secure Connectivity
Chapter 17 Fundamentals of VPN Technology
“Do I Know This Already?” Quiz 423
Foundation Topics 426
Understanding VPNs and Why We Use Them 426
What Is a VPN? 426
Types of VPNs 427
Two Main Types of VPNs 427
Main Benefits of VPNs 427
Confidentiality 428
Data Integrity 428
Authentication 430
Antireplay 430
Cryptography Basic Components 430
Ciphers and Keys 430
Ciphers 430
Keys 431
Block and Stream Ciphers 431
Block Ciphers 432
Stream Ciphers 432
Symmetric and Asymmetric Algorithms 432
Symmetric 432
Asymmetric 433
Hashes 434
Hashed Message Authentication Code 434
Digital Signatures 435
Digital Signatures in Action 435
Key Management 436
IPsec and SSL 436
IPsec 436
SSL 437
Exam Preparation Tasks 439
Review All the Key Topics 439
Complete the Tables and Lists from Memory 439
Define Key Terms 439
Chapter 18 Fundamentals of the Public Key Infrastructure
“Do I Know This Already?” Quiz 441
Foundation Topics 444
Public Key Infrastructure 444
Public and Private Key Pairs 444
RSA Algorithm, the Keys, and Digital Certificates 445
Who Has Keys and a Digital Certificate? 445
How Two Parties Exchange Public Keys 445
Creating a Digital Signature 445
Certificate Authorities 446
Root and Identity Certificates 446
Root Certificate 446
Identity Certificate 448
Using the Digital Certificates to Get the Peer’s Public Key 448
X.500 and X.509v3 Certificates 449
Authenticating and Enrolling with the CA 450
Public Key Cryptography Standards 450
Simple Certificate Enrollment Protocol 451
Revoked Certificates 451
Uses for Digital Certificates 452
PKI Topologies 452
Single Root CA 453
Hierarchical CA with Subordinate CAs 453
Cross-Certifying CAs 453
Putting the Pieces of PKI to Work 453
Default of the ASA 454
Viewing the Certificates in ASDM 455
Adding a New Root Certificate 455
Easier Method for Installing Both Root and Identity Certificates 457
Exam Preparation Tasks 462
Review All the Key Topics 462
Complete the Tables and Lists from Memory 462
Define Key Terms 463
Command Reference to Check Your Memory 463
Chapter 19 Fundamentals of IP Security
“Do I Know This Already?” Quiz 465
Foundation Topics 468
IPsec Concepts, Components, and Operations 468
The Goal of IPsec 468
The Play by Play for IPsec 469
Step 1: Negotiate the IKE Phase 1 Tunnel 469
Step 2: Run the DH Key Exchange 471
Step 3: Authenticate the Peer 471
What About the User’s Original Packet? 471
Leveraging What They Have Already Built 471
Now IPsec Can Protect the User’s Packets 472
Traffic Before IPsec 472
Traffic After IPsec 473
Summary of the IPsec Story 474
Configuring and Verifying IPsec 475
Tools to Configure the Tunnels 475
Start with a Plan 475
Applying the Configuration 475
Viewing the CLI Equivalent at the Router 482
Completing and Verifying IPsec 484
Exam Preparation Tasks 491
Review All the Key Topics 491
Complete the Tables and Lists from Memory 491
Define Key Terms 492
Command Reference to Check Your Memory 492
Chapter 20 Implementing IPsec Site-to-Site VPNs
“Do I Know This Already?” Quiz 495
Foundation Topics 498
Planning and Preparing an IPsec Site-to-Site VPN 498
Customer Needs 498
Planning IKE Phase 1 500
Planning IKE Phase 2 501
Implementing and Verifying an IPsec Site-to-Site VPN 502
Troubleshooting IPsec Site-to-Site VPNs 511
Exam Preparation Tasks 526
Review All the Key Topics 526
Complete the Tables and Lists from Memory 526
Define Key Terms 526
Command Reference to Check Your Memory 526
Chapter 21 Implementing SSL VPNs Using Cisco ASA
“Do I Know This Already?” Quiz 529
Foundation Topics 532
Functions and Use of SSL for VPNs 532
Is IPsec Out of the Picture? 532
SSL and TLS Protocol Framework 533
The Play by Play of SSL for VPNs 534
SSL VPN Flavors 534
Configuring SSL Clientless VPNs on ASA 535
Using the SSL VPN Wizard 536
Digital Certificates 537
Authenticating Users 538
Logging In 541
Seeing the VPN Activity from the Server 543
Configuring the Full SSL AnyConnect VPN on the ASA 544
Types of SSL VPNs 545
Configuring Server to Support the AnyConnect Client 545
Groups, Connection Profiles, and Defaults 552
One Item with Three Different Names 553
Split Tunneling 554
Exam Preparation Tasks 556
Review All the Key Topics 556
Complete the Tables and Lists from Memory 556
Define Key Terms 556
Chapter 22 Final Preparation
Tools for Final Preparation 559
Pearson IT Certification Practice Test Engine and Questions on the CD 559
Installing the Software from the CD 560
Activating and Downloading the Practice Exam 560
Activating Other Exams 560
Premium Edition 561
The Cisco Learning Network 561
Memory Tables 561
Chapter-Ending Review Tools 561
Videos 562
Suggested Plan for Final Review/Study 562
Using the Exam Engine 562
Summary 563
Part V Appendixes
Appendix A Answers to the “Do I Know This Already?” Quizzes 567
Appendix B CCNA Security 640-554 (IINSv2) Exam Updates 573
Glossary 577
On the CD
Appendix C Memory Tables
Appendix D Memory Tables Answer Key