
Introduction

This book helps you prepare for the Cisco SECURE certification exam. The SECURE exam is one in a series of exams required for the Cisco Certified Network Professional - Security (CCNP - Security) certification. This exam focuses on the application of security principles with regard to Cisco IOS routers, switches, and Virtual Private Network (VPN) devices.

How to Use This Book

This book consists of 22 chapters. Each chapter tends to build upon the chapter that precedes it. The chapters that cover specific commands and configurations include case studies or practice configurations. The chapters cover the following topics:

Chapter 1, “Network Security Fundamentals”: This chapter reviews the basic network security concepts and elements along with a review of the Cisco SAFE approach. It is this core of understanding that provides a good base for the other chapters.

Chapter 2, “Network Security Threats”: This chapter reviews the different methods used to exploit a network and the elements on it. With a better understanding of the methods used, network security personnel are better equipped to face these security challenges as they are found.

Chapter 3, “Network Foundation Protection (NFP) Overview”: NFP details a layered approach to protecting Cisco IOS Software–based devices. Attacks against the control, data, and management planes and the appropriate mitigation techniques are covered.

Chapter 4, “Configuring and Implementing Switched Data Plane Security Solutions”: This chapter reviews the different types of attacks that are focused at the data plane of the switches in the network. It then goes on to review the technologies that can be used to mitigate them and shows how to configure them to best protect the switched data plane.

Chapter 5, “802.1X and Cisco Identity-Based Networking Services (IBNS)”: This chapter reviews IEEE 802.1X and the Cisco IBNS framework that are both used to protect the network from unauthorized users. It goes into the basics of 802.1X, including the various Extensible Authentication Protocol (EAP) methods that can be used as well as the different IBNS features that can be used to secure the network.

Chapter 6, “Implementing and Configuring Basic 802.1X”: This chapter describes how to configure basic 802.1X authentication on a Cisco IOS Software–based device to prevent unauthorized clients (supplicants) from gaining access to the network.

Chapter 7, “Implementing and Configuring Advanced 802.1X”: This chapter describes how to configure advanced 802.1X authentication features on a Cisco IOS Software–based device to prevent unauthorized clients (supplicants) from gaining access to the network.

Chapter 8, “Implementing and Configuring Cisco IOS Routed Data Plane Security”: This chapter reviews the different types of attack that are focused at the data plane of the routers (or Layer 3 switches) in the network. It then reviews the different features that can be used to mitigate these threats and how to configure them.

Chapter 9, “Implementing and Configuring Cisco IOS Control Plane Security”: This chapter reviews the different types of attack that are focused at the control plane of the devices in the network. It then reviews the different features that can be used to mitigate these threats and how to configure them.

Chapter 10, “Implementing and Configuring Cisco IOS Management Plane Security”: This chapter reviews the different types of attack that are focused at the management plane of the devices in the network. It then reviews the different features that can be used to mitigate these threats and how to configure them.

Chapter 11, “Implementing and Configuring Network Address Translation (NAT)”: This chapter reviews the Network Address Translation (NAT) feature and how it can be used in various ways on the network. NAT is an important feature that is used by almost everyone on a daily basis; a thorough understanding of it is vital now that the majority of the IPv4 address space has been depleted.

Chapter 12, “Implementing and Configuring Zone-Based Policy Firewalls”: This chapter reviews the Zone-Based Policy Firewall (ZBPFW) feature and how it can be used to secure the different parts of the network. In the modern network environment, there are a number of threats that exist that are focused on the network and the devices on it. The ZBPFW feature has a number of different capabilities that can be used to mitigate these threats and keep the network and the devices on it secure.

Chapter 13, “Implementing and Configuring IOS Intrusion Prevention System (IPS)”: The Cisco IOS Intrusion Prevention System (IPS) feature set is the evolution of the Cisco IOS Intrusion Detection System (IDS). Cisco IPS products go beyond the IDS signature matching by incorporating features such as stateful pattern recognition, protocol analysis, traffic anomaly detection, and protocol anomaly detection. This chapter discusses the security features of the Cisco IOS IPS.

Chapter 14, “Introduction to Cisco IOS Site-to-Site Security Solutions”: This chapter introduces site-to-site VPN technologies and an overview of the many topologies and technologies that are possible with IPsec VPNs.

Chapter 15, “Deploying VTI-Based Site-to-Site IPsec VPNs”: This chapter covers deployment of static and dynamic point-to-point VTI tunnels using Cisco IOS Software. IP Security (IPsec) Virtual Tunnel Interfaces (VTI) greatly simplify the configuration process that is required to create site-to-site VPN tunnels.

Chapter 16, “Deploying Scalable Authentication in Site-to-Site IPsec VPNs”: Cisco IOS devices are designed with a feature called CA interoperability support, which allows them to interact with a certificate authority (CA) when deploying IPsec. This functionality allows a scalable and manageable enterprise VPN solution.

Chapter 17, “Deploying DMVPNs”: Dynamic Multipoint Virtual Private Networks (DMVPN) are a feature of Cisco IOS Software that makes the deployment of large hub-and-spoke, partial mesh, and full mesh VPN topologies much easier. This chapter covers implementing DMVPN on Cisco IOS Software–based devices.

Chapter 18, “Deploying High Availability in Tunnel-Based IPsec VPNs”: This chapter describes the mechanisms that can be put in place to provide a high-availability solution that will protect an organization from outages.

Chapter 19, “Deploying GET VPNs”: This chapter covers the deployment of the Cisco Group Encrypted Transport Virtual Private Network (GET VPN) technology. It provides a solution that allows easy deployment of a complex, redundant, fully meshed VPN network.

Chapter 20, “Deploying Remote Access Solutions Using SSL VPNs”: Remote access VPN technologies allow mobile workers to access internal resources over untrusted networks. This chapter will discuss a comparison of remote access VPN technologies and then cover configuring, verifying, and troubleshooting a basic client-based and clientless SSL VPN solution on a Cisco ISR.

Chapter 21, “Deploying Remote Access Solutions Using EZVPNs”: Cisco Easy VPN is a client/server application that allows VPN security parameters to be “pushed out” to the remote locations that connect using a growing array of Cisco products.

Chapter 22, “Final Preparation”: This short chapter lists the exam preparation tools useful at this point in the study process and provides a suggested study plan now that you have completed all the earlier chapters in this book.

642-637 SECURE v1.0 Exam Topics (Blueprint)

Exam Description

The 642-637 SECURE v1.0 Securing Networks with Cisco Routers and Switches exam is associated with the CCSP and CCNP Security certifications. This exam tests a candidate's knowledge and the skills needed to secure Cisco IOS Software router- and switch-based networks and to provide security services based on Cisco IOS Software. Candidates can prepare for this exam by taking the Securing Networks with Cisco Routers and Switches course.

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam, and for clarity purposes, the guidelines below may change at any time without notice.

Pre-Production Design

  • Choose Cisco IOS technologies to implement HLD
  • Choose Cisco products to implement HLD
  • Choose Cisco IOS features to implement HLD
  • Integrate Cisco network security solutions with other security technologies
  • Create and test initial Cisco IOS configurations for new devices/services
  • Configure and verify ASA VPN feature configurations

Complex Operations Support

  • Optimize Cisco IOS security infrastructure device performance
  • Create complex network security rules to meet the security policy requirements
  • Optimize security functions, rules, and configuration
  • Configure & verify Classic IOS Firewall and NAT to dynamically mitigate identified threats to the network
  • Configure & verify IOS Zone Based Firewalls including advanced application inspections and URL filtering
  • Configure & verify the IPS features to identify threats and dynamically block them from entering the network
  • Maintain, update and tune IPS signatures
  • Configure & verify IOS VPN features
  • Configure & verify Layer 2 and Layer 3 security features

Advanced Troubleshooting

  • Advanced Cisco IOS security software configuration fault finding and repairing
  • Advanced Cisco routers and switches hardware fault finding and repairing
