Part I  Introduction to Network Security

Chapter 1  Understanding Network Security Threats
  Identify the Need for Network Security
  Identify the Causes of Network Security Problems
    Technology Weakness
    Policy Weakness
    Configuration Weakness
  The Four Primary Types of Network Threats
    Unstructured Threats
    Structured Threats
    Internal Threats
    External Threats
  The Four Primary Types of Network Attack
    Reconnaissance Attacks
    Access Attacks
    Denial of Service (DoS) Attacks
    Data Manipulation Attacks
  Cisco AVVID and SAFE Strategies
    AVVID
    SAFE
    Cisco Security Wheel
  Network Security Policy
    Why Create a Network Security Policy
    The Balancing Act
    A Security Policy Is to Be Shared
    Who Should Help Create the Security Policy?
    Assets and Threats
    Evaluating a Network Security Policy
    Example of a Network Security Policy
  Securing the Network
    Wireless Communication Policy
  Monitoring Network Security
  Improving Network Security
  Chapter Review
  Questions
  Answers

Chapter 2  Securing the Network
  Secure Network Design Example
    Inside Network
    Outside Network
    Demilitarized Zone (DMZ)
  Securing Network Devices
    Physically Secure the Devices
    Securing Administrative Access
  Using Access Control Lists to Secure the Network
    Standard ACLs
    Extended Access Lists
    Named Access Lists
    Time-Based Access Lists
  Chapter Review
  Questions
  Answers

Part II  Securing the Network Perimeter

Chapter 3  Cisco AAA Security Technology
  The Cisco AAA Model
    NAS Servers
    Why Authenticate?
    AAA Benefits
    TACACS+, RADIUS, and Kerberos Support
  AAA System Components
    AAA as Facilitator
    Authentication
    Authorization
    Accounting
  Testing AAA Configuration
    The show Commands
    The debug Commands
  Chapter Review
  Questions
  Answers

Chapter 4  Cisco Secure ACS and TACACS+/RADIUS Technologies
  Describe Cisco Secure ACS
    CiscoSecure ACS for Windows and UNIX
  Features and Architecture of Cisco Secure ACS for Windows
    Features and Benefits
    Cisco Secure ACS Benefits
    Cisco Secure ACS for Windows Internal Architecture
    System Performance
  Features of CiscoSecure ACS for UNIX
    Features and Benefits
    Preparing to Install UNIX ACS
  Installing Cisco Secure ACS 3.0 for Windows
    Hardware Requirements
    Operating System Requirements
    Third-Party Software Requirements
    NAS Minimum IOS Requirements
    Network Requirements
    Back Up Server Data
    Gathering Information Required During Installation
  Administering and Troubleshooting Cisco Secure ACS for Windows
    Navigation Bar
    Configuration Area
    Display Area
    Accessing the HTML Interface
    Suggested Configuration Sequence
  TACACS+ Overview
  Configuring Cisco Secure ACS and TACACS+
    Configure NAS to TACACS+ Server Communication
    Verifying TACACS+
      The show Commands
      The debug Commands
    Configure NAS to RADIUS Server Communication
  Chapter Review
  Questions
  Answers

Chapter 5  Securing Cisco Perimeter Routers
  Perimeter Router Terms and Concepts
    Simple Secure Network Design
  Eavesdropping
    Router Solutions
    Hub and Switch Issues
  Limit Unneeded TCP/IP and Other Services
    TCP and UDP "Small Services"
    Finger
    NTP
    CDP
  Denial of Service Attacks
    Controlling Directed Broadcasts
    Flood Management
    Antispoofing with RPF Checks
  Unauthorized Access
    Address Filtering
    Dynamic (Lock-and-Key) Access Lists
    Reflexive Access Lists
  Lack of Legal IP Addresses
    NAT Technology and Terminology
    Static NAT
    Dynamic NAT
    Dynamic NAT with Overloading (PAT)
  Rerouting Attacks
  Event Logging on Perimeter Routers
    Access List Violation Logs
  Chapter Review
  Questions
  Answers

Chapter 6  IOS Firewall Feature Set—CBAC
  Introduction to Cisco IOS Firewall
    Router-Based Firewall Functionality
    Integration with Cisco IOS Software
    Feature Summary
  Context-Based Access Control (CBAC)
    Quick Access List Review
    CBAC Advantages
    CBAC Limitations
    CBAC Process
    Configuring CBAC
  IOS Firewall Management
    Command Line Interface
    ConfigMaker
  Chapter Review
  Questions
  Answers

Chapter 7  IOS Firewall--Intrusion Detection System
  Intrusion Detection System (IDS)
  IOS Firewall Intrusion Detection System
    Devices Supporting the IOS Firewall IDS Feature
    Cisco IDS Attack Signatures
    Cisco Secure IDS Director Support
    Performance Implications
    IOS IDS vs. Cisco Secure IDS
  Cisco IOS Firewall IDS Configuration Task List
    Initializing the IOS Firewall IDS
      The ip audit smtp spam Command
      The ip audit po max-events Command
    Initializing the Post Office
      The ip audit notify Command
      The ip audit po local Command
      The ip audit po remote Command
    Creating and Applying Audit Rules
      Creating an Audit Rule
      Apply the Audit Rule to the Interface(s)
    Verifying the IDS Configuration
      The show ip audit statistics Command
      The show ip audit configuration Command
      The show ip audit interface Command
      The show ip audit all Command
  Chapter Review
  Questions
  Answers

Chapter 8  IOS Firewall--Authentication Proxy
  Cisco IOS Firewall Authentication Proxy
    How the Authentication Proxy Works
    Applying the Authentication Proxy
    Comparison with the Lock-and-Key Feature
    Compatibility with Other Features
    Security Vulnerability Issues
  Before Configuring Authentication Proxy
  Authentication Proxy Configuration Task List
    AAA Server Configuration
    AAA Router Configuration
      Enable AAA
      Define the Security Server
      Define Login Authentication Methods List
      Enable Authorization Proxy (auth-proxy) for AAA
      Activate Authentication Proxy Accounting
      ACL Entry for Return Traffic from the AAA Server
    Configuring the HTTP Server
    Authentication Proxy Configuration on the Router
      The ip auth-proxy auth-cache-time Command
      The ip auth-proxy auth-proxy-banner Command
      The ip auth-proxy name Command
      The auth-proxy Interface Configuration
    Verify Authentication Proxy Configuration
      The auth-proxy Cache
      The debug Commands
    CBAC Configuration
  Chapter Review
  Questions
  Answers

Part III  Virtual Private Networks (VPNs)

Chapter 9  Cisco IOS IPSec Introduction
  Virtual Private Networks
    Remote-Access
    Site-to-Site
    Layer 2 VPNs
    Layer 3 VPNs
    Other VPN Implementations
    Why Use VPNs?
    VPN Analogy
  Tunneling Protocols
    Layer Two Forwarding (L2F) Protocol
    Layer 2 Tunneling Protocol (L2TP)
    Generic Routing Encapsulation (GRE)
  How IPSec Works
    Cisco IOS IPSec Technologies
    IPSec Security Overview
    Transport and Tunnel Mode
    IPSec Transforms and Transform Sets
  Cisco IOS Cryptosystem Components
    How Encryption Works
    Cryptography Types
    Encryption Alternatives
    Hashing
    Diffie-Hellman Key Agreement (DH)
  Security Association (SA)
    IKE SAs versus IPSec SAs
  Five Steps of IPSec Revisited
    Step 1--Determine Interesting Traffic
    Step 2--IKE Phase One
    Step 3--IKE Phase Two
    Step 4--IPSec Data Transfer
    Step 5--Session Termination
  IPSec Support in Cisco Systems Products
  Chapter Review
  Questions
  Answers

Chapter 10  Cisco IOS IPSec for Preshared Keys
  Configure IPSec Encryption Tasks
    Task 1  Prepare for IKE and IPSec
    Task 2  Configure IKE
    Task 3  Configure IPSec
    Task 4  Test and Verify IPSec
  Configuring IPSec Manually
    Configuring IPSec Manually Is Not Recommended
  Chapter Review
  Questions
  Answers

Chapter 11  Cisco IOS IPSec Certificate Authority Support
  CA Support Overview
    Digital Certificates
    Certificate Distribution
    IPSec with CAs
    How CA Certs Are Used by IPSec Peers
  Cisco IOS CA Standards
    Simple Certificate Enrollment Protocol (SCEP)
    CA Servers Interoperable with Cisco Routers
    Enroll a Device with a CA
  Configure CA Support Tasks
    Task 1--Prepare for IKE and IPSec
    Task 2--Configure CA Support
    Task 3--Configure IKE
    Task 4--Configure IPSec
    Task 5--Test and Verify IPSec
  RSA Encrypted Nonces Overview
    Task 2--Configure RSA Keys
  Chapter Review
  Questions
  Answers

Chapter 12  Cisco IOS Remote Access Using Cisco Easy VPN
  Introduction to Cisco Easy VPN
    Cisco Easy VPN Server
      Client Connection Process
    Cisco Easy VPN Remote
      Split Tunneling
  Cisco VPN 3.6 Client
    How the VPN Client Works
    Connection Technologies
  Easy VPN Server Configuration Tasks
  Preconfiguring the Cisco VPN 3.6 Client
    Creating a New Connection Entry
    Trying Out the New Connection
    Customizing the Connection
  Management Center for VPN Routers
    Features and Benefits
    Router MC Server Requirements
    Router MC Client Requirements
    Router MC User Permissions
  Easy VPN Remote Phase Two
    Supported VPN Servers
    Phase Two Features
  Cisco VPN Firewall Feature for VPN Client
    Overview of Software Client Firewall Feature
    Defining a Client Firewall Policy
    The Are You There Feature
    The Central Policy Protection Feature
    Client/Server Feature
    Client Firewall Statistics
  Chapter Review
  Questions
  Answers

Chapter 13  Cisco VPN Hardware Overview
  Cisco Products Enable a Secure VPN
    What's New?
  Cisco VPN 3002 Client Devices
    Cisco VPN 3002 Client Models
    Client and Network Extension Modes
    Standards Supported
    Cisco VPN 3002 Hardware Client Features
  Cisco VPN 3000 Concentrator Devices
    Cisco VPN 3000 Concentrator Models
    Standards Supported
    Cisco VPN 3000 Concentrator Features
    VPN 3000 Concentrator Client Support
  Chapter Review
  Questions
  Answers

Chapter 14  Cisco VPN 3000 Remote Access Networks
  VPN Concentrator User Interfaces and Startup
    Quick Configuration
    Command-Line Interface (CLI) Basics
    Concentrator Manager (Web Interface)
  VPN Concentrators in IPSec VPN Implementations
    Remote Access Networks
    LAN-to-LAN Networks
  Remote Access VPNs with Preshared Keys
    Preshared Keys
    Initial Configuration
    Setting the Public Interface
    Defining the Default Gateway
    (Optional) Adding the Static Routes
    General System Information
    Define Inside Address Assignment Method
    Define Inside Address Pool for Remote Users
    Configuring Groups and Users
    Other Configuration Options
  Digital Certificates
    Certificate Types
    VPN Concentrator and Certificates
    Enrolling and Installing Certificates
    Using SCEP to Manage Certificates
    Using the Certificates
  Configure Cisco VPN Client Support
    VPN Client Autoinitiation Feature
    The vpnclient.ini File
    Preparation
    Configuration
    VPN 3000 Configuration
  Administer and Monitor Remote Access Networks
    Administration
    Monitoring
  Chapter Review
  Questions
  Answers

Chapter 15  Configuring Cisco VPN 3002 Remote Clients
  The VPN 3002 in the Network
    VPN Modes
    IPSec VPNs
  Configuring the 3002 Device
    Command-Line Interface (CLI)
    The Hardware Client Manager (Web Interface)
  Common Configuration Tasks
    Upgrading the Software
    Quick Configuration
    System Status
    PPPoE Support
  Basic Configuration for the VPN 3002
    Set the System Time, Date, and Time Zone
    Optional--Upload an Existing Configuration File
    Configure the Private Interface
    Configure the Public Interface
    Configure the IPSec
    Choose Client (PAT) Mode or Network Extension Mode
    Configure DNS
    Configure Static Routes
    Change the Admin Password
    Modifying Options
  Other VPN 3002 Software Features
    Interactive Hardware Client Authentication
    Individual User Authentication
    LEAP Bypass
    IPSec Backup Servers
    IPSec Server Load Balancing
    H.323 Support in PAT Mode
    Simple Certificate Enrollment Protocol (SCEP)
    XML Management
    Reverse Route Injection (RRI)
    AES Support and Diffie-Hellman Group 5
    Push Banner to VPN 3002
    Delete with Reason
  Auto-Update Feature
    VPN 3002 Hardware Clients
    Cisco VPN Software Clients
    Configuring Auto-Update
  Chapter Review
  Questions
  Answers

Chapter 16  Cisco VPN 3000 LAN-to-LAN Networks
  The VPN Concentrators in LAN-to-LAN VPNs
    Chapter Scenario
  LAN-to-LAN Networks with Preshared Keys
    Configure Network Lists
    Define the IKE Proposals (Optional)
    Create the Tunnel
  LAN-to-LAN Networks with Digital Certificates
  NAT Issues
    NAT Transparency
    IPSec over TCP
    IPSec over NAT-T
    IPSec over UDP
    LAN-to-LAN VPN with Overlapping Network Addresses
  LAN-to-LAN Routing
    Default Gateways
    Reverse Route Injection
    Virtual Router Redundancy Protocol
  Chapter Review
  Questions
  Answers

Part IV  PIX Firewalls

Chapter 17  CiscoSecure PIX Firewalls
  Firewall and Firewall Security Systems
    Packet Filter
    Proxy Filter
    Stateful Packet Filter
  CiscoSecure PIX Firewall Technology
    PIX Adaptive Security Algorithm
    The PIX Firewall Family
    Tested and Certified
    VPN Support
    PIX Management Options
    Cisco Mobile Office Support
    Cisco Catalyst 6500 Implementation
  Basic PIX Firewall Configuration
    PIX Command-Line Interface
    The nameif Command
    The interface Command
    The ip address Command
    The nat Command
    The global Command
    The route Command
  Chapter Review
  Questions
  Answers

Chapter 18  Getting Started with the Cisco PIX Firewall
  Basic PIX Firewall Configuration
    Verifying Configuration and Traffic
  ICMP Traffic to the Firewall
    The show icmp Command
    The debug icmp trace Command
  Time Setting and NTP Support
    How NTP Works
    NTP and PIX Firewalls
  Syslog Configuration
    The logging Commands
    FTP and URL Logging
    Verifying and Monitoring Logging
  DHCP Server Configuration
    Configuring the DHCP Server Feature
    DHCP Client
    Using NAT/PAT with DHCP Client
    Firewalls as a DHCP Client and Server
  Chapter Review
  Questions
  Answers

Chapter 19  Access Through the PIX Firewall
  Adaptive Security Algorithm
    Security Levels
    Stateful System
  Translations
    Connections
    Translations and Connections
    Transport Protocols
    Static Translations
    Network Address Translation
    Port Address Translations (PAT)
    Using NAT and PAT Together
    Names and Name Commands
    Configuring DNS Support
  Access Control Lists (ACLs)
    Using Access Lists
    Access-Group Statement
    Basic ACL Statements
    ICMP ACL Statements
    TurboACL
    Downloadable ACLs
  Content Filtering
    ActiveX Blocking
    Java Blocking
    Websense Filtering
  Object Grouping
    Overview of Object Grouping
    Getting Started with Group Objects
    Configuring Object Groups with ACLs
    Nested Object Groups
  Conduit Statements
    Configuring Conduits
  PIX Routing Configuration
    The Route Command
    Routing Options
    Multicast Traffic
  Chapter Review
  Questions
  Answers

Chapter 20  Advanced PIX Firewall Features
  Remote Access
    Telnet Access
    HTTP Access
    Secure Shell (SSH) Access
  AAA Support for Telnet, HTTP, and SSH Sessions
    AAA on the PIX Firewall
    Defining the AAA Server
    Local User Database
    Configuring AAA Features
    Access Lists with AAA
    Command-Level Authorization
    Firewall Privilege Levels
    Configuring Cisco Secure ACS for Windows
  Advanced Protocol Handling
    Application Inspection
    The fixup protocol Command
    Supported Applications and Protocols
    Fixup Protocol Examples
    Other Supported Protocols and Applications
  Attack Guards
    DNS Control
    Flood Defender
    FragGuard and Virtual Reassembly
    TCP Intercept
    Unicast Reverse Path Forwarding
    ActiveX Blocking, Java Filtering, and URL Filtering
  Intrusion Detection
    Define Default Audit Actions
    Disabling Individual Signatures
    Create Named Audit Rules
    Apply the Audit Rule to the Interface(s)
    PIX Firewall IDS Syslog Messages
    Shunning
  Managing SNMP Services
    PIX Firewall SNMP Support
    SNMP Contact and Location
    SNMP Management Station
    SNMP Community Key
    Enabling SNMP Traps
    Verify SNMP Configuration
    Logging to the SNMP Management Station
  Chapter Review
  Questions
  Answers

Chapter 21  Firewalls and VPN Features
  PIX Firewall Enables a Secure VPN
    IPSec VPN Establishment
    Five Steps of IPSec
  IPSec Configuration Tasks
    Task 1: Prepare to Configure VPN Support
    Task 2: Configure IKE Parameters
    Task 3: Configure IPSec Parameters
    Task 4: Test and Verify VPN Configuration
  Cisco VPN Client
    Client Mode
    Network Extension Mode
    Establishing Preliminary Connectivity
    Easy VPN Remote Configuration
  Scale PIX Firewall VPNs
    Network Management Options
  PPPoE and the PIX Firewall
  Chapter Review
    Configuring IPSec
    Configuring IPSec for RSA Encrypted Nonces
    Configuring CA Support Tasks
  Questions
  Answers

Chapter 22  Managing and Maintaining the PIX Firewall
  PDM Overview
    Versions and Device Support
    PDM Operating Requirements
    PIX Firewall Requirements
    Workstation Requirements
    Cisco Secure Policy Manager Considerations
    Web Browser Considerations
  Prepare for PDM
    Installing PDM on a PIX Firewall
    Minimum PIX Configuration
    Starting PDM
    Using the PDM Startup Wizard
  Using PDM to Configure the PIX Firewall
    Using PDM to Create a Site-to-Site VPN
    Using PDM to Create a Remote Access VPN
  CiscoWorks Management Center for PIX Firewalls (PIX MC)
    System Requirements
  PIX Failover Feature
    Understanding Failover
    Failover Configuration with Failover Cable
    LAN-Based Failover Configuration
    Verifying Failover Configuration
  Password Recovery
    Before Getting Started
    PIX Devices with a Floppy Drive
    PIX Devices Without a Floppy Drive
  Upgrading the PIX OS
    Older Upgrade Methods
  Chapter Review
  Questions
  Answers

Part V  Intrusion Detection Systems (IDS)

Chapter 23  Intrusion Detection System Overview
  Security Threats
    Internal Threats
    External Threats
    Unstructured Threats
    Structured Threats
  The Attack Types and Phases
    Attack Types
    Attack Phases
  Intrusion Detection Systems Overview
    Host- and Network-Based IDSs
    IDS Triggers
  Summary
  Questions
  Answers

Chapter 24  Cisco Secure Intrusion Detection System
  CIDS Operations and Functionality
    Monitoring
    Analyzing
    Communications
    Centralized Alarm Display and Management
    Sensor Response
  CIDS Architecture
    CIDS Software Architecture
    CIDS Commands
    CIDS Directory Structure
    CIDS Log Files
  Chapter Review
  Questions
  Answers

Chapter 25  Sensor Installation and Configuration
  Sensor Deployment Considerations
    Network Entry Points
    Network Size and Complexity
    The Amount and Type of Traffic
  Sensor Installation
    Connecting to Your Network
    Sensor Appliance
    Sensor Bootstrap
  IDS Device Manager
    Connecting to the IDS Device Manager
    IDS Device Manager GUI Interface
      Device Area
      Configuration Area
      Monitoring Area
      Administration Area
  Chapter Review
  Questions
  Answers

Chapter 26  Signature and Alarm Management
  CIDS Signatures
    Signature Series
    Signature Implementations
    Signature Structure
    Signature Classes
    Signature Types
    Signature Severity
  Event Viewer
    Managing Alarms
    Event Viewer Customization
    Preference Settings
  Chapter Review
  Questions
  Answers

Part VI  Cisco SAFE Implementation

Chapter 27  Cisco SAFE Implementation
  Preparation Documents
  Exam Topics
    Security Fundamentals
    Architectural Overview
    Cisco Security Portfolio
    SAFE Small Network Design
    SAFE Medium Network Design
    SAFE Remote-User Network Implementation
  Skills Required for the Exam
  Chapter Review
  Questions
  Answers

Appendix A  Access Control Lists
  Access List Basics
    Two-Step Process
    Numbered ACL Common Characteristics
    The Numbers Matter
  Standard Access Lists
    Building a Standard ACL
    Verifying ACLs
      Show Run Command
      Show Access-Lists Command
      Show IP Interfaces Command
  Extended Access Lists
    Creating an Extended Access List
  Named Access Lists

Appendix B  About the CD
  System Requirements
  LearnKey Online Training
  Installing and Running MasterExam
    MasterExam
    Electronic Book
    Lab Exercises
  Help
  Removing Installation(s)
  Technical Support
    LearnKey Technical Support

Index