CCIE Security v4.0 Quick Reference

Lancy Lobo, CCIE No. 4690 (Routing and Switching, Service Provider, Security), is a senior systems engineer in the Cisco Systems Sales organization that supports a large service provider. Previously, he was a network consulting engineer in the Cisco Systems Advanced Services organization, which supports Cisco strategic service provider and enterprise customers. He has more than 14 years of experience with data-communication technologies and protocols. He has supported several Cisco strategic service provider customers to design and implement large-scale routed networks. Lancy holds a Bachelor's degree in electronics and telecommunication engineering from Bombay University and a dual management degree from Jones International University. Umesh Lakshman is a systems engineer within the public sector organization and is currently supporting the higher education accounts in the Bay Area. Prior to taking on this role, he was the technical lead at the Customer Proof of Concept Labs (CPOC) team at Cisco, where he supported Cisco sales teams by demonstrating advanced technologies, such as Multiprotocol Label Switching (MPLS) and high-end routing with the Cisco CRS-1 and ASR 9000, to customers in a presales environment. Umesh has conducted several customer-training sessions for MPLS and service-provider architectural designs. He holds a Bachelor's degree in electrical and electronics engineering from Madras University and a Master's degree in electrical and computer engineering from Wichita State University.

Introduction xiii

Chapter 1 Infrastructure, Connectivity, Communications, and Network Security 1

Networking Basics 1

Ethernet in a Nutshell 3

Bridging and Switching 3

Bridge Port States 3

EtherChannel and Trunking 4

IP Overview 4

Subnetting, Variable-Length Subnet Masking, and Classless Interdomain Routing 6

IPv6 6

Transmission Control Protocol 7

Hot Standby Routing Protocol 9

Virtual Router Redundancy Protocol 10

Generic Routing Encapsulation 10

Next Hop Resolution Protocol 11

Routing Protocols 12

Configuring RIP 12

Interior Gateway Routing Protocol 13

Configuring IGRP 13

Open Shortest Path First Protocol 14

Enhanced Interior Gateway Routing Protocol 16

Configuring EIGRP 16

Border Gateway Protocol 17

Configuring BGP (Basics Only) 17

IP Multicast Overview 18

Wireless 18

Service Set Identifier 18

Authentication and Authorization 19

Client Authentication and Association Process 19

Rogue Access Points 22

Authentication and Authorization Technologies 23

Single Sign-On 26

One-Time Password 27

Lightweight Directory Access Protocol and Active Directory 27

Role-Based Access Control 28

Mobile IP Networks 28

Questions and Answers 30

Chapter 2 Security Protocols 33

RADIUS 33

Configuring RADIUS 34

TACACS+ 35

Configuring TACACS 35

Hash Algorithms 36

Need for Hashing Algorithms 36

Hash-Based Message Authentication Codes 37

Symmetric and Asymmetric Encryption 38

Symmetric Key Algorithms 39

Asymmetric Encryption Protocols 40

Diffie-Hellman Algorithm 41

IP Security 41

Data Integrity 42

Origin Authentication 42

Anti-Replay Protection 42

Confidentiality 42

ISAKMP (RFC 2408) 43

Authentication Header and Encapsulating Security Payload Protocols 44

Tunnel and Transport Modes 44

Secure Shell 45

Configuring SSH 45

Secure Sockets Layer 46

Group Domain of Interpretation 46

Lightweight Directory Access Protocol 47

Public Key Infrastructure 47

802.1x Authentication 48

IEEE 802.1x Extensible Authentication Protocol Security 50

WEP, WPA, and WPA2 50

WPA and WPA2 51

WPA-PSK 51

WPA-Enterprise 51

Web Cache Communication Protocol 51

Security Group Tag eXchange Protocol 52

MACsec 52

DNSSEC 53

Questions and Answers 54

Chapter 3 Application and Infrastructure Security 57

HTTP 57

Configuring HTTP 57

HTTPS 58

Configuring HTTPS 58

Simple Mail Transfer Protocol 58

File Transfer Protocol 59

Domain Name System 60

Trivial File Transfer Protocol 61

Network Time Protocol 62

Syslog 62

Dynamic Host Configuration Protocol 63

Simple Network Management Protocol 64

Remote Desktop Protocol 65

PC over IP 66

Virtual Network Computing 66

Questions and Answers 67

Chapter 4 Threats, Vulnerability Analysis, and Mitigation 69

Recognize and Mitigate Common Attacks 69

ICMP Attacks and PING Floods 69

Man-in-the-Middle Attacks 69

Replay Attacks 70

Spoofing Attacks 71

Back-Door Attacks 71

Bots and Botnets 72

Wireless Attacks 72

Denial-of-Service Attacks 73

Snooping Attacks 73

Decryption Attacks 73

DoS and DDoS Attacks 73

Distributed Denial of Service (DDoS) 74

Identification of Attack Traffic 74

Solutions for Attack Traffic 74

Header Attacks 75

Tunneling Attacks 75

Software and OS Exploits 76

Security and Attack Tools 76

Packet Sniffer and Capture Tools 77

Network Service Mapping Tools 77

Vulnerability Assessment Tools 77

Packet Filtering 77

Content Filtering 77

ActiveX Filtering 78

Java Filtering 78

URL Filtering 78

Endpoint and Posture Assessment 79

QoS Marking Attacks 80

Questions and Answers 80

Chapter 5 Cisco Security Products, Features, and Management 83

Cisco Adaptive Security Appliance 83

Firewall Functionality 83

Firewall Modes (Routing and Multicast Capabilities) 84

Network Address Translation 86

Access Control Lists/Entries and Identity-Based Services 88

Modular Policy Framework 89

ASA Failover and Redundancy 90

Identity Services Engine 92

Virtual Security Gateway 93

Cisco Cloud Web Security (Formerly ScanSafe) 94

Cisco Catalyst 6500 ASA-Service Module 96

Cisco Prime Security Manager 97

Questions and Answers 98

Chapter 6 Cisco Security Technologies and Solutions 99

Cisco Hardware Overview 99

Cisco Router Operating Modes and Management 101

Basic Cisco Router Security 101

IP Access Lists 103

Network-Based Application Recognition 104

Control Plane Policing 104

Control Plane Protection 105

Control Plane Host Subinterface 105

Control Plane Transit Subinterface 105

Control Plane CEF-Exception Subinterface 106

Management Plane Protection 106

Modular QoS CLI 107

Unicast Reverse Path Forwarding 107

Cisco NetFlow 107

CAM Table Overflow and MAC Address Spoofing 108

VLAN Hopping 109

Spanning Tree Protocol Security 109

DHCP Starvation Attack 109

DNS Spoofing 109

Cisco Discovery Protocol 110

VLAN Trunking Protocol Security 110

Network Segregation 110

VLAN Extensible LAN 110

VPN Solutions 111

FlexVPN 111

Dynamic Multipoint VPN 112

Group Encrypted Transport VPN 114

Time-Based Anti-Replay 116

Cisco Easy VPN 116

Load Balancing and Failover 116

Load Balancing 117

Failover 117

Questions and Answers 118

Chapter 7 Security Policies and Procedures, Best Practices and Standards 119

The Need for Network Security Policy 119

Standards Bodies 119

Newsgroups 120

Information Security Standards 121

ISO 17799/BS7799/ISO 27002 121

Attacks, Vulnerabilities, and Common Exploits 121

Ping of Death 122

TCP SYN Flood Attack and Land.C Attack 122

Email Attack 122

CPU-Intensive Attack 122

Teardrop Attack, DNS Poisoning, and UDP Bomb 122

Distributed DoS Attack 123

Chargen Attack 123

Spoof Attack 123

Smurf Attack 123

Man-in-the-Middle Attack 123

Birthday Attack 123

BCP 38 123

Intrusion Detection Systems and Configuring Cisco IOS Software for Security Against Intrusion 124

Security Audit and Validation 125

Risk Assessment/Analysis 125

Change Management Process 126

Incident Response Teams and Framework 126

Computer Security Forensics 127

Common RFCs 127

Questions and Answers 127

Answers Appendix 129





9780133855081 TOC 8/5/2014