CCSP SNRS Exam Certification Guide
Cisco Press
978-1-58720-153-0 (ISBN)
- Titel ist leider vergriffen;
keine Neuauflage - Artikel merken
Official self-study test preparation guide for the Cisco SNRS exam 642-502
Attack threats
Router management and administration
Authentication, Authorization, and Accounting (AAA) and Cisco Secure Access Control Server
RADIUS and TACACS+
Cisco IOS® Firewall feature set
Securing networks with Cisco routers
Mitigating Layer 2 attacks
IPsec and Easy Virtual Private Network (VPN)
Security Device Manager (SDM)
CCSP SNRS Exam Certification Guide is a best-of-breed Cisco® exam study guide that focuses specifically on the objectives for the SNRS exam. Network security engineers Greg Bastien, Sara Nasseh, and Christian Degu share preparation hints and test-taking tips, helping you identify areas of weakness and improve your knowledge of router and switch security. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
CCSP SNRS Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Foundation summary information gives you a quick refresher whenever you need it. Challenging chapter-ending review questions help you assess your knowledge and reinforce key concepts.
The companion CD-ROM contains a powerful test engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback module-by-module basis, presenting question-by-question remediation to the text.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this book helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
CCSP SNRS Exam Certification Guide is part of a recommended learning path from Cisco Systems® that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press®. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
Companion CD-ROM
The CD-ROM contains an electronic copy of the book and over 200 practice questions for the SNRS exam, all available in study mode, test mode, and flash card format.
Includes a FREE 45-Day Online Edition
This volume is part of the Exam Certification Guide Series from Cisco Press. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.
Greg Bastien, CCNP®, CCSP™, CISSP, is the chief technical officer of Virtue Technologies, Inc., and directs the actions of the engineering staff that supports several federal agencies. Sara Nasseh, CCIE® No. 5824, CISSP, is a senior consultant for Intercom Consulting and Federal Systems, working as the network architect and consultant for various federal agencies. Christian Abera Degu, CCSP, CCNP, CCDP®, is a network architect with General Dynamics Network Systems supporting civilian federal agencies.
Contents
Part I Overview of Network Security
Chapter 1 Network Security Essentials
“Do I Know This Already?” Quiz
Foundation Topics
Defining Network Security
Balancing Business Needs with Network Security Requirements
Network Security Policies
Security Policy Goals
Security Guidelines
Network Security as a Process
Network Security as a Legal Issue
Foundation Summary
Network Security Policies
Security Policy Goals
Security Guidelines
Network Security as a Process
Q&A
Chapter 2 Defining and Detailing Attack Threats
“Do I Know This Already?” Quiz
Foundation Topics
Vulnerabilities
Self-Imposed Network Vulnerabilities
Technology Weakness
Threats
Intruder Motivations
Lack of Understanding of Computers or Networks
Intruding for Curiosity
Intruding for Fun and Pride
Intruding for Revenge
Intruding for Profit
Intruding for Political Purposes
Types of Network Attacks
Reconnaissance Attacks
Access Attacks
DoS Attacks
Foundation Summary
Vulnerabilities
Self-Imposed Network Vulnerabilities
Threats
Intruder Motivations
Types of Network Attacks
Q&A
Chapter 3 Defense in Depth
“Do I Know This Already?” Quiz
Foundation Topics
Overview of Defense in Depth
Foundation Summary
Q&A
Part II Managing Cisco Routers
Chapter 4 Basic Router Management
“Do I Know This Already?” Quiz
Foundation Topics
Router Configuration Modes
Accessing the Cisco Router CLI
Cisco IOS Firewall Features
Foundation Summary
Router Configuration Modes
Accessing the Cisco Router CLI
Cisco IOS Firewall Features
Q&A
Chapter 5 Secure Router Administration
“Do I Know This Already?” Quiz
Foundation Topics
Privilege Levels
Securing Console Access
Configuring the enable Password
enable secret Command
service password-encryption Command
Configuring Multiple Privilege Levels
Warning Banners
Interactive Access
Securing vty Access
SSH Protocol
Setting Up SSH on a Cisco IOS Router or Switch
Secure Copy
Port Security for Ethernet Switches
Configuring Port Security
AutoSecure
Foundation Summary
Q&A
Part III AAA
Chapter 6 Authentication
“Do I Know This Already?” Quiz
Foundation Topics
Authentication
Configuring Line Password Authentication
Configuring Username Authentication
Remote Security Servers
PAP, CHAP, and EAP Authentication
PAP
CHAP
EAP
Foundation Summary
Q&A
Chapter 7 Authentication, Authorization, and Accounting
“Do I Know This Already?” Quiz
Foundation Topics
AAA Overview
Authentication
Authorization
Accounting
Configuring AAA Services
Configuring AAA Authentication
Configuring AAA Authorization
Configuring AAA Accounting
Troubleshooting AAA
Foundation Summary
Q&A
Chapter 8 Configuring RADIUS and TACACS+ on Cisco IOS Software
“Do I Know This Already?” Quiz
Foundation Topics
Configuring TACACS+ on Cisco IOS Software
TACACS+ Authentication Example
TACACS+ Authorization Example
TACACS+ Accounting Example
AAA TACACS+ Testing and Troubleshooting
Configuring RADIUS on Cisco IOS Software
RADIUS Authentication Example
RADIUS Authorization Example
RADIUS Accounting Example
RADIUS Configuration Testing and Troubleshooting
Foundation Summary
Q&A
Chapter 9 Cisco Secure Access Control Server
“Do I Know This Already?” Quiz
Foundation Topics
Cisco Secure ACS for Windows
Authentication
Authorization
Accounting
Administration
Replicating, Synchronizing, and Backing Up Databases
Database Replication
RDBMS Synchronization
Database Backup
Cisco Secure ACS for Windows Architecture
CSAdmin
CSAuth
CSDBSync
CSLog
CSMon
CSTacacs and CSRadius
Authenticating Users
Local Database
Windows NT/2000 AD
Generic LDAP User Database
Token Server
Enabling User Changeable Passwords
Foundation Summary
Q&A
Chapter 10 Administration of Cisco Secure Access Control Server for Windows
“Do I Know This Already?” Quiz
Foundation Topics
Basic Deployment Factors for Cisco Secure ACS
Hardware Requirements
Operating System Requirements
Browser Compatibility
Performance Considerations
AAA Clients
Installing Cisco Secure ACS for Microsoft Windows
Cisco Secure ACS Deployment Sequence
Troubleshooting Cisco Secure ACS for Microsoft Windows
Authentication Problems
Troubleshooting Authorization Problems
Administration Issues
Foundation Summary
Q&A
Part IV IOS Firewall Feature Set
Chapter 11 Securing Networks with Cisco Routers
“Do I Know This Already?” Quiz
Foundation Topics
Defining ACLs
Determining When to Configure Access Lists
Types of IP ACLs
Configuring ACLs on a Router
Simple Network Management Protocol
Controlling Interactive Access Through a Browser
Disabling Directed Broadcasts
Routing Protocol Authentication
Defining Small Server Services
Disabling Finger Services
Disabling Network Time Protocol
Disabling Cisco Discovery Protocol
Foundation Summary
Q&A
Chapter 12 The Cisco IOS Firewall and Advanced Security Feature Set
“Do I Know This Already?” Quiz
Foundation Topics
Cisco IOS Firewall and Advanced Security Feature Set
Authentication Proxy
DoS Protection
Logging and Audit Trail
Port-to-Application Mapping
URL Filtering
Foundation Summary
Q&A
Chapter 13 Cisco IOS Intrusion Prevention System
“Do I Know This Already?” Quiz
Foundation Topics
Cisco IOS IPS
Cisco IOS IPS Features
Cisco IOS IPS Functions
Cisco IOS IPS Restrictions
Cisco IOS IPS Application
Cisco IOS IPS Configuration Tasks
Initializing the Cisco IOS IPS
Configuring the Notification Type
Configuring the Router Maximum Queue for Alarms
Defining the Protected Network
Working with Cisco IOS IPS Signatures and Rules
Loading IPS-Based Signatures
Creating and Applying IPS Rules
Verifying the Cisco IOS IPS Configuration
Cisco IOS IPS Deployment Strategies
Foundation Summary
Q&A
Chapter 14 Mitigating Layer 2 Attacks
“Do I Know This Already?” Quiz
Foundation Topics
Types of Attacks
CAM Table Overflow Attacks
VLAN Hopping Attacks
STP Manipulation Attacks
MAC Address Spoofing–Man-in-the-Middle Attacks
Private VLAN Vulnerabilities
DHCP Starvation Attacks
IEEE 802.1x EAP Attacks
Factors Affecting Layer 2 Mitigation Techniques
Foundation Summary
Q&A
Chapter 15 Context-Based Access Control
“Do I Know This Already?” Quiz
Foundation Topics
Context-Based Access Control Features
Detecting and Protecting Against DoS Attacks
Generating Alerts and Audit Trails
How CBAC Works
CBAC Restrictions
Supported Protocols
CPU and Performance Impact
Configuring CBAC
Selecting an Interface
Configuring IP ACLs at the Interface
Configuring Global Timeouts and Thresholds
Port to Application Mapping
Defining an Inspection Rule
Applying the Inspection Rule to an Interface
Verifying and Debugging CBAC
Debugging CBAC
Configuring CBAC Example
Foundation Summary
Q&A
Chapter 16 Authentication Proxy and the Cisco IOS Firewall
“Do I Know This Already?” Quiz
Foundation Topics
Understanding Authentication Proxy
How Authentication Proxy Works
What Authentication Proxy Looks Like
Authentication Proxy and the Cisco IOS Firewall
Configuring Authentication Proxy on the Cisco IOS Firewall
Authentication Proxy Configuration Steps
Authentication Proxy Configuration Examples
Using Authentication Proxy with TACACS+
Step 1: Complete the Network Configuration
Step 2: Complete the Interface Configuration
Step 3: Complete the Group Setup
Using Authentication Proxy with RADIUS
Limitations of Authentication Proxy
Foundation Summary
Q&A
Chapter 17 Identity-Based Networking Services
“Do I Know This Already?” Quiz
Foundation Topics
IBNS Overview
IEEE 802.1x
802.1x Components
How 802.1x Works
Port State
Selecting EAP
EAP-MD5
Cisco Lightweight EAP
EAP Transport Layer Security
Protected EAP
EAP Flexible Authentication via Secure Tunneling
EAP Methods Comparison
Cisco Secure ACS
Foundation Summary
Q&A
Chapter 18 Configuring 802.1x Port-Based Authentication
“Do I Know This Already?” Quiz
Foundation Topics
802.1x Port-Based Authentication Configuration Tasks
802.1x Mandatory Configuration
Enabling 802.1x Authentication
Configuring the Switch-to-RADIUS Server Communication
802.1x Optional Configurations
Enabling Periodic Re-Authentication
Manually Re-Authenticating a Client Connected to a Port
Changing the Quiet Period
Changing the Switch-to-Client Retransmission Time
Setting the Switch-to-Client Frame-Retransmission Number
Enabling Multiple Hosts
Configuring a Guest VLAN
Resetting the 802.1X Configuration to the Default Values
Displaying 802.1x Statistics and Status
Foundation Summary
Q&A
Part V VPN
Chapter 19 Building a VPN Using IPsec
“Do I Know This Already?” Quiz
Foundation Topics
Configuring a Cisco Router for IPsec Using Preshared Keys
How IPsec Works
Step 1: Select the IKE and IPsec Parameters
Step 2: Configure IKE
Step 3: Configure IPsec
Step 4: Test and Verify the IPsec Configuration
Configuring Manual IPsec
Configuring IPsec Using RSA-Encrypted Nonces
Configure the RSA Keys
Foundation Summary
Configure a Cisco Router for IPsec Using Preshared Keys
Verifying the IKE and IPsec Configuration
Explain the Issues Regarding Configuring IPsec Manually and Using RSA-Encrypted Nonces
Q&A
Chapter 20 Scaling a VPN Using IPsec with a Certificate Authority
“Do I Know This Already?” Quiz
Foundation Topics
Advanced IPsec VPNs Using Cisco Routers and CAs
Digital Signatures, Certificates, and Certificate Authorities
Overview of Cisco Router CA Support
SCEP
Configuring the Cisco Router for IPsec VPNs Using CA Support
Foundation Summary
Advanced IPsec VPNs Using Cisco Routers and CAs
Q&A
Chapter 21 Troubleshooting the VPN Configuration on a Cisco Router
“Do I Know This Already?” Quiz
Foundation Topics
show Commands
show crypto ca certificates Command
show crypto isakmp policy Command
show crypto ipsec sa Command
show crypto ipsec security-association lifetime Command
show crypto ipsec transform-set Command
show crypto isakmp key Command
show crypto map Command (IPsec)
show crypto key pubkey-chain rsa Command
show crypto key mypubkey rsa Command
debug Commands
debug crypto isakmp Command
debug crypto key-exchange Command
debug crypto engine Command
debug crypto ipsec Command
debug crypto pki messages Command
debug crypto pki transactions Command
clear Commands
clear crypto sa Command
clear crypto isakmp Command
clear crypto sa counters Command
Foundation Summary
Q&A
Chapter 22 Configuring Remote Access Using Easy VPN
“Do I Know This Already?” Quiz
Foundation Topics
Describe the Easy VPN Server
Describe the Easy VPN Remote
Easy VPN Server Functionality
How Cisco Easy VPN Works?
Configuring the Easy VPN Server
Easy VPN Modes of Operation
Foundation Summary
Describe the Easy VPN Server
Easy VPN Server Functionality
Configuring the Easy VPN Server
Easy VPN Modes of Operation
Q&A
Part VI Enterprise Network Management
Chapter 23 Security Device Manager
“Do I Know This Already?” Quiz
Foundation Topics
Security Device Manager Overview
Hardware Requirements
Operating System Requirements
Browser Compatibility
Installing SDM Software
SDM User Interface
SDM Wizards
SDM LAN Wizard
Using SDM to Configure a Firewall
Using SDM to Configure a VPN
Using SDM to Perform Security Audits
Using the Factory Reset Wizard
Using SDM Advanced Options
Using SDM Monitor Mode
Foundation Summary
Q&A
Part VII Scenarios
Chapter 24 Final Scenarios
Task 1–Configure Cisco Secure ACS for AAA on Miami Network Devices
Task 2–Configure and Secure Miami Router
Task 3–Configure 802.1x on Miami User Switches
Task 4–Configure Miami User Switches and Router to Mitigate Layer 2 Attacks
Task 5–Configure PEAP with Cisco Secure ACS
Task 6–Prepare the Network for IPsec Using Preshared Keys
Establish a Common Convention for Connectivity Between Locations
Configure Initial Setup of the Router and Verify Connectivity
Prepare for IKE and IPsec
Define the Preshared Key
Task 7–Configure IKE Using Preshared Keys
Enable IKE
Create the IKE Policy
Configure the Preshared Key
Verify the IKE Configuration
Task 8–Configure IPsec Using Preshared Keys
Configure Transform Sets and SA Parameters
Configure IPsec SA Lifetimes
Configure Crypto ACLs
Configure Crypto Maps
Apply the Crypto Map to the Interface
Task 9–Configure IKE and IPsec on a Cisco Router
Enable IKE
Create an IKE Policy Using RSA Signatures
Configure Transform Sets and SA Parameters
Configure IPsec SA Lifetimes
Configure Crypto ACLs
Configure Crypto Maps
Apply the Crypto Map to the Interface
Task 10–Prepare the Network for IPsec Using Digital Certificates
Configure Initial Setup of the Router and Verify Connectivity
Prepare for IKE and IPsec
Configure CA Support
Task 11–Test and Verify IPsec CA Configuration
Display IKE Policies
Display Transform Sets
Display Configured crypto maps
Display the Current State of IPsec SAs
Clear Any Existing SAs
Enable Debug Output for IPsec Events
Enable Debug Output for ISAKMP Events
Observe the IKE and IPsec Debug Outputs
Verify IKE and IPsec SAs
Task 12–Configure Authentication Proxy on the Miami Router
Configure AAA
Configure the HTTP Server
Configure Authentication Proxy
Test and Verify the Authentication Proxy Configuration
Task 13–Configure CBAC on the Miami Router
Task 14–Configure Miami Router with IPS Using SDM
Task 15–Verify and Monitor Miami Router with
IPS Using SDM
Task 16–Configure Easy VPN Server Using SDM
Task 17–Configure Easy VPN Remote Using SDM
Part VIII Appendix
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections
1587201534TOC121905
Erscheint lt. Verlag | 5.1.2006 |
---|---|
Reihe/Serie | CCSP Self-Study |
Verlagsort | Indianapolis |
Sprache | englisch |
Maße | 194 x 235 mm |
Gewicht | 1296 g |
Themenwelt | Mathematik / Informatik ► Informatik ► Netzwerke |
Informatik ► Theorie / Studium ► Kryptologie | |
ISBN-10 | 1-58720-153-4 / 1587201534 |
ISBN-13 | 978-1-58720-153-0 / 9781587201530 |
Zustand | Neuware |
Haben Sie eine Frage zum Produkt? |