معرفی کتاب CCNA Security Official Exam Certification Guide
Foreword xxvi
Introduction xxvii
Part I Network Security Concepts 3
Chapter 1 Understanding Network Security Principles 5
“Do I Know This Already?” Quiz 5
Foundation Topics 9
Exploring Security Fundamentals 9
Why Network Security Is a Necessity 9
Types of Threats 9
Scope of the Challenge 10
Nonsecured Custom Applications 11
The Three Primary Goals of Network Security 12
Confidentiality 12
Integrity 12
Availability 13
Categorizing Data 13
Classification Models 13
Classification Roles 15
Controls in a Security Solution 16
Responding to a Security Incident 17
Legal and Ethical Ramifications 18
Legal Issues to Consider 19
Understanding the Methods of Network Attacks 20
Vulnerabilities 20
Potential Attackers 21
The Mind-set of a Hacker 23
Defense in Depth 24
Understanding IP Spoofing 27
Launching a Remote IP Spoofing Attack with IP Source Routing 28
Launching a Local IP Spoofing Attack Using a Man-in-the-Middle Attack 29
Protecting Against an IP Spoofing Attack 30
Understanding Confidentiality Attacks 31
Understanding Integrity Attacks 33
Understanding Availability Attacks 36
Best-Practice Recommendations 40
Exam Preparation Tasks 41
Review All the Key Topics 41
Complete the Tables and Lists from Memory 42
Definition of Key Terms 42
Chapter 2 Developing a Secure Network 45
“Do I Know This Already?” Quiz 45
Foundation Topics 49
Increasing Operations Security 49
System Development Life Cycle 49
Initiation 49
Acquisition and Development 49
Implementation 50
Operations and Maintenance 50
Disposition 51
Operations Security Overview 51
Evaluating Network Security 52
Nmap 54
Disaster Recovery Considerations 55
Types of Disruptions 56
Types of Backup Sites 56
Constructing a Comprehensive Network Security Policy 57
Security Policy Fundamentals 57
Security Policy Components 58
Governing Policy 58
Technical Policies 58
End-User Policies 59
More-Detailed Documents 59
Security Policy Responsibilities 59
Risk Analysis, Management, and Avoidance 60
Quantitative Analysis 60
Qualitative Analysis 61
Risk Analysis Benefits 61
Risk Analysis Example: Threat Identification 61
Managing and Avoiding Risk 62
Factors Contributing to a Secure Network Design 62
Design Assumptions 63
Minimizing Privileges 63
Simplicity Versus Complexity 64
User Awareness and Training 64
Creating a Cisco Self-Defending Network 66
Evolving Security Threats 66
Constructing a Cisco Self-Defending Network 67
Cisco Security Management Suite 69
Cisco Integrated Security Products 70
Exam Preparation Tasks 74
Review All the Key Topics 74
Complete the Tables and Lists from Memory 75
Definition of Key Terms 75
Chapter 3 Defending the Perimeter 77
“Do I Know This Already?” Quiz 77
Foundation Topics 81
ISR Overview and Providing Secure Administrative Access 81
IOS Security Features 81
Cisco Integrated Services Routers 81
Cisco 800 Series 82
Cisco 1800 Series 83
Cisco 2800 Series 84
Cisco 3800 Series 84
ISR Enhanced Features 85
Password-Protecting a Router 86
Limiting the Number of Failed Login Attempts 92
Setting a Login Inactivity Timer 92
Configuring Privilege Levels 93
Creating Command-Line Interface Views 93
Protecting Router Files 95
Enabling Cisco IOS Login Enhancements for Virtual Connections 96
Creating a Banner Message 98
Cisco Security Device Manager Overview 99
Introducing SDM 99
Preparing to Launch Cisco SDM 101
Exploring the Cisco SDM Interface 102
Exam Preparation Tasks 106
Review All the Key Topics 106
Complete the Tables and Lists from Memory 106
Definition of Key Terms 106
Command Reference to Check Your Memory 107
Chapter 4 Configuring AAA 111
“Do I Know This Already?” Quiz 111
Foundation Topics 115
Configuring AAA Using the Local User Database 115
Authentication, Authorization, and Accounting 115
AAA for Cisco Routers 115
Router Access Authentication 116
Using AAA to Configure Local User Database Authentication 117
Implementing the aaa authorization Command 122
Working with the aaa accounting Command 124
Using the CLI to Troubleshoot AAA for Cisco Routers 126
Using Cisco SDM to Configure AAA 127
Configuring AAA Using Cisco Secure ACS 128
Overview of Cisco Secure ACS for Windows 129
Additional Features of Cisco Secure ACS 4.0 for Windows 130
Cisco Secure ACS 4.0 for Windows Installation 132
Overview of TACACS+ and RADIUS 137
TACACS+ Authentication 138
Command Authorization with TACACS+ 140
TACACS+ Attributes 140
Authentication and Authorization with RADIUS 141
RADIUS Message Types 142
RADIUS Attributes 142
Features of RADIUS 143
Configuring TACACS+ 144
Using the CLI to Configure AAA Login Authentication on Cisco Routers 144
Configuring Cisco Routers to Use TACACS+ Using the Cisco SDM 146
Defining the AAA Servers 147
Exam Preparation Tasks 149
Review All the Key Topics 149
Complete the Tables and Lists from Memory 150
Definition of Key Terms 150
Command Reference to Check Your Memory 150
Chapter 5 Securing the Router 155
“Do I Know This Already?” Quiz 155
Foundation Topics 158
Locking Down the Router 158
Identifying Potentially Vulnerable Router Interfaces and Services 158
Locking Down a Cisco IOS Router 160
AutoSecure 161
Cisco SDM One-Step Lockdown 166
Using Secure Management and Reporting 171
Planning for Secure Management and Reporting 172
Secure Management and Reporting Architecture 172
Configuring Syslog Support 175
Securing Management Traffic with SNMPv3 179
Enabling Secure Shell on a Router 183
Using Cisco SDM to Configure Management Features 185
Configuring Syslog Logging with Cisco SDM 186
Configuring SNMP with Cisco SDM 190
Configuring NTP with Cisco SDM 194
Configuring SSH with Cisco SDM 196
Exam Preparation Tasks 201
Review All the Key Topics 201
Complete the Tables and Lists from Memory 201
Definition of Key Terms 202
Command Reference to Check Your Memory 202
Part II Constructing a Secure Infrastructure 205
Chapter 6 Securing Layer 2 Devices 207
“Do I Know This Already?” Quiz 207
Foundation Topics 211
Defending Against Layer 2 Attacks 211
Review of Layer 2 Switch Operation 211
Basic Approaches to Protecting Layer 2 Switches 212
Preventing VLAN Hopping 213
Switch Spoofing 213
Double Tagging 214
Protecting Against an STP Attack 215
Combating DHCP Server Spoofing 218
Using Dynamic ARP Inspection 220
Mitigating CAM Table Overflow Attacks 222
Spoofing MAC Addresses 223
Additional Cisco Catalyst Switch Security Features 225
Using the SPAN Feature with IDS 226
Enforcing Security Policies with VACLs 226
Isolating Traffic Within a VLAN Using Private VLANs 227
Traffic Policing 228
Notifying Network Managers of CAM Table Updates 228
Port Security Configuration 228
Configuration Recommendations 231
Cisco Identity-Based Networking Services 232
Introduction to Cisco IBNS 232
Overview of IEEE 802.1x 234
Extensible Authentication Protocols 236
EAP-MD5 236
EAP-TLS 236
PEAP (MS-CHAPv2) 238
EAP-FAST 239
Combining IEEE 802.1x with Port Security Features 239
Chapter 7 Implementing Endpoint Security 251
“Do I Know This Already?” Quiz 251
Foundation Topics 254
Examining Endpoint Security 254
Defining Endpoint Security 254
Examining Operating System Vulnerabilities 255
Examining Application Vulnerabilities 257
Understanding the Threat of Buffer Overflows 258
Buffer Overflow Defined 259
The Anatomy of a Buffer Overflow Exploit 259
Understanding the Types of Buffer Overflows 260
Additional Forms of Attack 261
Securing Endpoints with Cisco Technologies 265
Understanding IronPort 265
The Architecture Behind IronPort 266
Examining the Cisco NAC Appliance 266
Working with the Cisco Security Agent 268
Understanding Cisco Security Agent Interceptors 269
Examining Attack Response with the Cisco Security Agent 272
Best Practices for Securing Endpoints 273
Application Guidelines 274
Apply Application Protection Methods 274
Exam Preparation Tasks 276
Review All the Key Topics 276
Complete the Tables and Lists from Memory 277
Definition of Key Terms 277
Chapter 8 Providing SAN Security 279
“Do I Know This Already?” Quiz 279
Foundation Topics 282
Overview of SAN Operations 282
Fundamentals of SANs 282
Organizational Benefits of SAN Usage 283
Understanding SAN Basics 284
Fundamentals of SAN Security 285
Classes of SAN Attacks 286
Implementing SAN Security Techniques 287
Using LUN Masking to Defend Against Attacks 287
Examining SAN Zoning Strategies 288
Examining Soft and Hard Zoning 288
Understanding World Wide Names 289
Defining Virtual SANs 290
Combining VSANs and Zones 291
Identifying Port Authentication Protocols 292
Understanding DHCHAP 292
CHAP in Securing SAN Devices 292
Working with Fibre Channel Authentication Protocol 292
Understanding Fibre Channel Password Authentication Protocol 293
Assuring Data Confidentiality in SANs 293
Incorporating Encapsulating Security Payload (ESP) 294
Providing Security with Fibre Channel Security Protocol 294
Exam Preparation Tasks 295
Review All the Key Topics 295
Complete the Tables and Lists from Memory 295
Definition of Key Terms 295
Chapter 9 Exploring Secure Voice Solutions 297
“Do I Know This Already?” Quiz 297
Foundation Topics 301
Defining Voice Fundamentals 301
Defining VoIP 301
The Need for VoIP 302
VoIP Network Components 303
VoIP Protocols 305
Identifying Common Voice Vulnerabilities 307
Attacks Targeting Endpoints 307
VoIP Spam 308
Vishing and Toll Fraud 308
SIP Attack Targets 309
Securing a VoIP Network 310
Protecting a VoIP Network with Auxiliary VLANs 310
Protecting a VoIP Network with Security Appliances 311
Hardening Voice Endpoints and Application Servers 313
Summary of Voice Attack Mitigation Techniques 316
Exam Preparation Tasks 317
Review All the Key Topics 317
Complete the Tables and Lists from Memory 317
Definition of Key Terms 317
Chapter 10 Using Cisco IOS Firewalls to Defend the Network 319
“Do I Know This Already?” Quiz 319
Foundation Topics 323
Exploring Firewall Technology 323
The Role of Firewalls in Defending Networks 323
The Advance of Firewall Technology 325
Transparent Firewalls 326
Application Layer Firewalls 327
Benefits of Using Application Layer Firewalls 329
Working with Application Layer Firewalls 330
Application Firewall Limitations 332
Static Packet-Filtering Firewalls 333
Stateful Packet-Filtering Firewalls 335
Stateful Packet Filtering and the State Table 335
Disadvantages of Stateful Filtering 336
Uses of Stateful Packet-Filtering Firewalls 337
Application Inspection Firewalls 338
Application Inspection Firewall Operation 340
Effective Use of an Application Inspection Firewall 341
Overview of the Cisco ASA Adaptive Security Appliance 342
The Role of Firewalls in a Layered Defense Strategy 343
Creating an Effective Firewall Policy 345
Using ACLs to Construct Static Packet Filters 347
The Basics of ACLs 348
Cisco ACL Configuration 349
Working with Turbo ACLs 350
Developing ACLs 351
Using the CLI to Apply ACLs to the Router Interface 352
Considerations When Creating ACLs 353
Filtering Traffic with ACLs 354
Preventing IP Spoofing with ACLs 357
Restricting ICMP Traffic with ACLs 358
Configuring ACLs to Filter Router Service Traffic 360 vty Filtering 360
SNMP Service Filtering 361
RIPv2 Route Filtering 361
Grouping ACL Functions 362
Implementing a Cisco IOS Zone-Based Firewall 364
Understanding Cisco IOS Firewalls 364
Traffic Filtering 365
Traffic Inspection 366
The Role of Alerts and Audit Trails 366
Classic Firewall Process 367
SPI and CBAC 368
Examining the Principles Behind Zone-Based Firewalls 369
Changes to Firewall Configuration 370
Zone Membership Rules 371
Understanding Security Zones 373
Zones and Inspection 373
Security Zone Restrictions 373
Working with Zone Pairs 375
Security Zone Firewall Policies 376
Class Maps 378
Verifying Zone-Based Firewall Configuration 379
Exam Preparation Tasks 380
Review All the Key Topics 380
Complete the Tables and Lists from Memory 381
Definition of Key Terms 381
Command Reference to Check Your Memory 382
Chapter 11 Using Cisco IOS IPS to Secure the Network 385
“Do I Know This Already?” Quiz 385
Foundation Topics 388
Examining IPS Technologies 388
IDS Versus IPS 388
IDS and IPS Device Categories 389
Detection Methods 389
Network-Based Versus Host-Based IPS 391
Deploying Network-Based and Host-Based Solutions 394
IDS and IPS Appliances 395
Cisco IDS 4215 Sensor 396
Cisco IPS 4240 Sensor 397
Cisco IPS 4255 Sensor 397
Cisco IPS 4260 Sensor 397
Signatures 398
Exploit Signatures 398
Connection Signatures 399
String Signatures 399
Denial-of-Service Signatures 399
Signature Definition Files 399
Alarms 400
Using SDM to Configure Cisco IOS IPS 401
Launching the Intrusion Prevention Wizard 401
IPS Policies Wizard 404
Creating IPS Rules 410
Manipulating Global IPS Settings 417
Signature Configuration 419
Exam Preparation Tasks 425
Review All the Key Topics 425
Complete the Tables and Lists from Memory 425
Definition of Key Terms 425
Part III Extending Security and Availability with Cryptography and VPNs 427
Chapter 12 Designing a Cryptographic Solution 429
“Do I Know This Already?” Quiz 429
Foundation Topics 433
Introducing Cryptographic Services 433
Understanding Cryptology 433
Cryptography Through the Ages 434
The Substitution Cipher 434
The Vigenère Cipher 435
Transposition Ciphers 436
Working with the One-Time Pad 436
The Encryption Process 437
Cryptanalysis 438
Understanding the Features of Encryption Algorithms 440
Symmetric and Asymmetric Encryption Algorithms 441
Encryption Algorithms and Keys 441
Symmetric Encryption Algorithms 441
Asymmetric Encryption Algorithms 443
The Difference Between Block and Stream Ciphers 444
Block Ciphers 444
Stream Ciphers 445
Exploring Symmetric Encryption 445
Functionality of Symmetric Encryption Algorithms 446
Key Lengths 446
Features and Functions of DES 447
Working with the DES Key 447
Modes of Operation for DES 447
Working with DES Stream Cipher Modes 449
Usage Guidelines for Working with DES 449
Understanding How 3DES Works 450
Encrypting with 3DES 450
AES 451
The Rijndael Cipher 451
Comparing AES and 3DES 451
Availability of AES in the Cisco Product Line 452
SEAL 452
SEAL Restrictions 452
The Rivest Ciphers 452
Understanding Security Algorithms 453
Selecting an Encryption Algorithm 453
Understanding Cryptographic Hashes 455
Working with Hashing 455
Designing Key Management 456
Components of Key Management 456
Understanding Keyspaces 456
Issues Related to Key Length 457
SSL VPNs 458
Establishing an SSL Tunnel 459
Exam Preparation Tasks 460
Review All the Key Topics 460
Complete the Tables and Lists from Memory 461
Definition of Key Terms 461
Chapter 13 Implementing Digital Signatures 463
“Do I Know This Already?” Quiz 463
Foundation Topics 466
Examining Hash Algorithms 466
Exploring Hash Algorithms and HMACs 466
Anatomy of a Hash Function 467
Application of Hash Functions 467
Cryptographic Hash Functions 468
Application of Cryptographic Hashes 469
HMAC Explained 470
MD5 Features and Functionality 471
Origins of MD5 472
Vulnerabilities of MD5 473
Usage of MD5 475
SHA-1 Features and Functionality 475
Overview of SHA-1 476
Vulnerabilities of SHA-1 477
Usage of SHA-1 478
Using Digital Signatures 478
Understanding Digital Signatures 480
Digital Signature Scheme 483
Authentication and Integrity 483
Examining RSA Signatures 483
Exploring the History of RSA 484
Understanding How RSA Works 484
Encrypting and Decrypting Messages with RSA 485
Signing Messages with RSA 485
Vulnerabilities of RSA 486
Exploring the Digital Signature Standard 487
Using the DSA Algorithm 487
Exam Preparation Tasks 488
Review All the Key Topics 488
Complete the Tables and Lists from Memory 489
Definition of Key Terms 489
Chapter 14 Exploring PKI and Asymmetric Encryption 491
“Do I Know This Already?” Quiz 491
Foundation Topics 494
Understanding Asymmetric Algorithms 494
Exploring Asymmetric Encryption Algorithms 494
Using Public-Key Encryption to Achieve Confidentiality 495
Providing Authentication with a Public Key 496
Understanding the Features of the RSA Algorithm 497
Working with RSA Digital Signatures 498
Guidelines for Working with RSA 499
Examining the Features of the Diffie-Hellman Key Exchange Algorithm 499
Steps of the Diffie-Hellman Key Exchange Algorithm 500
Working with a PKI 500
Examining the Principles Behind a PKI 501
Understanding PKI Terminology 501
Components of a PKI 501
Classes of Certificates 502
Examining the PKI Topology of a Single Root CA 502
Examining the PKI Topology of Hierarchical CAs 503
Examining the PKI Topology of Cross-Certified CAs 505
Understanding PKI Usage and Keys 506
Working with PKI Server Offload 506
Understanding PKI Standards 507
Understanding X.509v3 507
Understanding Public Key Cryptography Standards (PKCS) 508
Understanding Simple Certificate Enrollment Protocol (SCEP) 510
Exploring the Role of Certificate Authorities and Registration Authorities in a PKI 511
Examining Identity Management 512
Retrieving the CA Certificate 513
Understanding the Certificate Enrollment Process 513
Examining Authentication Using Certificates 514
Examining Features of Digital Certificates and CAs 515
Understanding the Caveats of Using a PKI 516
Understanding How Certificates Are Employed 517
Exam Preparation Tasks 519
Review All the Key Topics 519
Complete the Tables and Lists from Memory 519
Definition of Key Terms 520
Chapter 15 Building a Site-to-Site IPsec VPN Solution 523
“Do I Know This Already?” Quiz 523
Foundation Topics 527
Exploring the Basics of IPsec 527
Introducing Site-to-Site VPNs 527
Overview of IPsec 529
IKE Modes and Phases 529
Authentication Header and Encapsulating Security Payload 531
Cisco VPN Product Offerings 533
Cisco VPN-Enabled Routers and Switches 533
Cisco VPN 3000 Series Concentrators 535
Cisco ASA 5500 Series Appliances 536
Cisco 500 Series PIX Security Appliances 538
Hardware Acceleration Modules 538
VPN Design Considerations and Recommendations 539
Best-Practice Recommendations for Identity and IPsec Access Control 540
Best-Practice Recommendations for IPsec 540
Best-Practice Recommendations for Network Address Translation 541
Best-Practice Recommendations for Selecting a Single-Purpose Versus
Multipurpose Device 541
Constructing an IPsec Site-to-Site VPN 542
The Five Steps in the Life of an IPsec Site-to-Site VPN 542
The Five Steps of Configuring an IPsec Site-to-Site VPN 543
Configuring an IKE Phase 1 Tunnel 543
Configuring an IKE Phase 2 Tunnel 545
Applying Crypto Maps 546
Using Cisco SDM to Configure IPsec on a Site-to-Site VPN 548
Introduction to the Cisco SDM VPN Wizard 548
Quick Setup 549
Step-by-Step Setup 559
Configuring Connection Settings 559
Selecting an IKE Proposal 561
Selecting a Transform Set 562
Selecting Traffic to Protect in the IPsec Tunnel 563
Part IV Final Preparation 589
Chapter 16 Final Preparation 577
Exam Engine and Questions on the CD 577
Install the Software from the CD 578
Activate and Download the Practice Exam 578
Activating Other Exams 579
Study Plan 579
Recall the Facts 580
Use the Exam Engine 580
Choosing Study or Simulation Mode 580
Passing Scores for the IINS Exam 581
Part V Appendixes 583
Appendix A Answers to “Do I Know This Already?” Questions 585
Appendix B Glossary 595
Appendix C CCNA Security Exam Updates: Version 1.0 617
Appendix D Memory Tables (CD only)
Appendix E Memory Tables Answer Key (CD only) Index 620
حجم: 13.8 مگابایت
زبان : انگلیسی
تعداد صفحات: 776
