Course Introduction
Course Introduction
Module 1 - Understanding Network Security Principles
Understanding Network Security Principles
Exploring Security Fundamentals
Why Network Security is a Necessity
Three Primary Goals of Network Security
Confidentiality
Integrity
Availability
Categorizing Data
Data Classification Cont.
Controls in a Security Solution
Responding to a Security Incident
Legal and Ethical Ramifications
Understanding the Methods of Network Attacks
Vulnerability
Potential Attackers
Classifying the Potential Hacker
Categories of Attacks
Mind-Set of the Attacker
Defense in Depth
Understanding IP Spoofing
Session Hijacking
Other IP Spoof Examples
Defending the IP Spoofing Attack
Understanding Confidentiality Attacks
Confidentiality Attack Strategies
Types of Attacks
Best Practices
Demo - MITM Attacks
Module 1 Review
Module 2 - Developing a Secure Network
Developing a Secure Network
Increasing Operations Security
System Development Life Cycle
Operations Security Overview
Evaluating Network Security
Baselining
Finding Weakness in Security
Risk Assessment
Disaster Recovery Plans
Disaster Recovery
Constructing a Comprehensive Security Policy
Security Policy Fundamentals
Security Policy Components
Security Policy Responsibilities
Risk Analysis
Factors Contributing to a Secure Network
Creating a Cisco Self-Defending Network
Evolving Security Threats
Cisco Self-Defending Network
Cisco Self-Defending Hierarchical Structure
Cisco Security Manager
Cisco Security MARS
Cisco Integrated Security Products
Module 2 Review
Module 3 - Defending the Perimeter
Defending the Perimeter
ISR: Integrated Services Router
Supported Routers
ISR Enhanced Features
Password Protecting a Router
Privilege Levels
Login Enhancements
Cisco Security Device Overview
Starting Cisco SDM and Cisco SDM Express
Files Required to Run Cisco SDM from a Router
Launching Cisco SDM Express
Launching Cisco SDM
Navigating the Cisco SDM Interface
Cisco SDM Wizards in Configure Mode
Configure Mode - Advanced Configuration
Monitor Mode
Preview Commands
Enabling HTTP Secure-Server and Default Certificate
URL/Certificate Identity Mismatch
Demo - Password Protecting a Router
Demo - Login Policies
Demo - View
Module 3 Review
Module 4 - Configuring AAA
Configuring AAA
AAA Model-Network Security Architecture
Implementing Cisco AAA
Implementing Authentication Using Local Services
Authenticating Router Access
Router Local Authentication Configuration Steps
Configuring User Accounts Using Cisco SDM
Enabling and Disabling AAA Using Cisco SDM
Enabling AAA
Configuring AAA Authentication Using Cisco SDM
Configuring AAA Authorization Using Cisco SDM
Review of AAA CLI Commands
Why Use Cisco Secure ACS?
Cisco Secure ACS
Cisco Secure ACS Features
Cisco Secure ACS for Windows
Cisco Secure ACS Solution Engine
Cisco Secure ACS Express 5.0
Cisco Secure ACS View 4.0
TACACS+ and RADIUS AAA Protocols
TACACS+ Overview
RADIUS Overview
TACACS+/RADIUS Comparison
Cisco Secure ACS Prerequisites
Cisco Secure ACS 4.1 Homepage
Network Configuration
Interface Configuration
External Databases
Windows Database
Unknown User Policy
Group Setup
User Setup
SDM Configuration
Adding a AAA Server
Creating a AAA Login Authentication Policy
Applying an Authentication Policy
Creating a AAA Exec Authorization Policy
Creating a AAA Network Authorization Policy
AAA Accounting Configuration
AAA Configuration for TACACS+ Example
Demo - AAA Authentication
Demo - Authentication Servers
Demo - ACS Server
Module 4 Review
Module 5 - Securing the Router
Securing the Router
Locking Down the Router
Vulnerable Router Services and Interfaces
Management Service Vulnerabilities
Locking Down a Router Using Cisco AutoSecure
Security Audit Home Page
Performing a Security Audit
Performing a One-Step Lockdown
Using Secure Management and Reporting
Secure Management and Reporting Architecture
Secure Management and Reporting Guidelines
Configuring Syslog Support
Syslog Severity Levels
SNMPv1 and SNMPv2 Architecture
Community Strings
SNMPv3 Architecture
Secure Shell
SSH v1 vs. v2
Enabling Syslog Logging
Using Logs to Monitor Network Security
Enabling SNMP with Cisco SDM
SNMP Trap Receiver
Enabling SSH Using Cisco SDM
VTY Settings
Demo - Router Hardening
Module 5 Review
Module 6 - Securing Layer 2 Devices
Securing Layer 2 Devices
Defending against Layer 2 attacks
Why Worry About Layer 2 Security?
Domino Effect
Basic Approaches to Protecting Layer 2 Switches
Inspection Options
VLAN Hopping
Double Tagging
Mitigating VLAN Hopping Network Attacks
Double Tagging Defense
STP
PortFast
Root Guard
Verifying BPDU Guard
BPDU Guard
CAM Table Overflow
Spoofing MAC Address
Configuring Port Security
Configuring Port Security Aging
Port Security Example
Cisco Identity Based Networking Services
802.1x
Configuring the Authentication Server
Configuring Authentication and the Interface
Demo - Layer 2 Security
Module 6 Review
Module 7 - Implementing Endpoint Security
Implementing Endpoint Security
Examining Endpoint Security
Software Security Concepts
Operating System Vulnerabilities
Application Vulnerabilities
Input Validation
Buffer Overflow
Types of Buffer Overflows
Worms, Viruses, and Trojan Horses
Anatomy of a Worm Attack
Securing Endpoints with Cisco Technologies
IronPort Perimeter Security Appliances
IronPort E-Mail Security Appliance
IronPort Web Security Appliance
Cisco NAC Products
NAC Framework
Cisco NAC Appliance Overview - Components
Cisco NAC Appliance Overview
Cisco Security Agent Architecture
Application, Kernel, and Interceptors
Cisco Security Agent Interceptors
Cisco Security Agent Attack Response
Operating System Guidelines
Application Guidelines
Module 7 Review
Module 8 - Providing SAN Security
Providing SAN Security
Overview of SAN Operations
Benefits of SAN Usage
SAN Basics
Logical Unit Number (LUN) Masking
World Wide Names
Fibre Channel Fabric Zoning
Virtual SANs
SAN Security Scope
SAN Management Threats
Fabric and Target Access Threats
Target Access Security - Zoning
IP Storage and Transmission Security
Module 8 Review
Module 9 - Exploring Secure Voice Solutions
Exploring Secure Voice Solutions
Defining VoIP
The Need for VoIP
VoIP Components
Major VoIP Protocols
Threats to IP Telephony Endpoints
Spam over IP Telephony
SPIT Example
Fraud
SIP Vulnerabilities
Separate Voice VLAN
Protect IP Telephony with Firewalls
Protect IP Telephony with VPNs
Protect IP Telephony Endpoints
Protect IP Telephony Servers
Module 9 Review
Module 10 - Exploring Firewall Technology
Exploring Firewall Technology
Cisco IOS Zone-Based Policy Firewall
Firewall History
Traditional Stateful Inspection
ACLs
Types of IP ACLs
Basics of the ACL
Applying the ACL
ACL Configuration Guidelines
Wildcard Bits - How to Check the Corresponding Address Bits
Numbered Standard IPv4 ACL Configuration
Applying Standard ACLs to Control vty Access
Numbered Extended IPv4 ACL Configuration
Established Command
Displaying ACLs
Zone-Based Policy Firewall
Benefits of Zone-Based Policy Firewall
Zone-Based Policy Firewall Actions
Zone-Based for Application Traffic
Zone-Based Policy Firewall Rules for Router Traffic
Basic Firewall Configuration Wizard
Basic Firewall Interface Configuration
Applying Security Policy
Finishing the Wizard
Manually Configuring a Zone-Based Policy Firewall
Define Zones
Define Class Maps
Define Policy Maps
Assign Policy Maps to Zone Pairs
Reviewing the Cisco IOS Zone-Based Policy Firewall
Cisco IOS Zone-Based Firewall Policy Configuration
Viewing the Firewall Log
Monitoring the Cisco IOS Zone-Based Policy Firewall
Advanced Inspection Options
Demo - ACL
Module 10 Review
Module 11 - Using Cisco IOS IPS to Secure the Network
Using Cisco IOS IPS to Secure the Network
Examining IPS Technologies
Types of IDS and IPS Sensors
Sensors
IPS Attack Responses
Signatures
Using Cisco SDM to Configure IPS
IPS Policies Wizard
IPS Config Location and Category
IPS Policy Summary
Setting Signature Severity
Configuring Signature Actions
Editing Signatures Using Cisco SDM
Viewing SDEE Alarm Messages
Viewing Syslog IPS Alarms
Verifying IPS Policies
Target Value Rating
Event Action Overrides
Event Action Filters
Module 11 Review
Module 12 - Designing a Cryptographic Solution
Designing a Cryptographic Solution
Introducing Cryptographic Services
Cryptography Uses Yesterday and Today
Cryptographic Definitions
A Few More Definitions
Historical Uses of Symmetric Cryptography
Historical Uses of Symmetric Cryptography ?V Hieroglyphics
Historical Uses of Symmetric Cryptography ?V Scytale Cipher
Historical Uses of Symmetric Cryptography ?V Substitution Cipher
Caesar Cipher Example
Historical Uses of Symmetric Cryptography ?V Vigenere Cipher
Polyalphabetic Substitution
Vignere Cipher
Historical Uses of Symmetric Cryptography ?V Enigma Machine
Historical Uses of Symmetric Cryptography ?V Vernam Cipher
Methods of Encryption
Confusing Terms
Comparison
Secret Key Cryptography (Symmetric Key)
Data Encryption Standard (DES)
DES Modes 1/3
DES Modes 2/3
DES Modes 3/3
Triple DES
Advanced Encryption Standard (AES)
Rivest-Shamir-Adleman (RSA)
Diffie-Hellman Key Exchange
SSL Overview
SSL Tunnel Establishment
Cryptographic Attacks
Module 12 Review
Module 13 - Implementing Digital Signatures
Implementing Digital Signatures
Overview of Hash Algorithms and HMACs
What Is a Hash Function?
Hashing in Action
Hashed Message Authentication Code
HMAC in Action
Message Digest 5
Secure Hash Algorithm 1
MD5 and SHA-1 Compared
Hash and HMAC Best Practices
Overview of Digital Signatures
Digital Signatures in Action
Digital Signature Example
Digital Signature Standard
Digital Signature Best Practices
Module 13 Review
Module 14 - Exploring PKI and Asymmetric Encryption
Exploring PKI and Asymmetric Encryption
Asymmetric Encryption Overview
Asymmetric Encryption Algorithms
Public Key Confidentiality Scenario
Asymmetric Confidentiality Process
Public Key Authentication Scenario
Asymmetric Authentication Process
RSA Algorithm
RSA Digital Signatures
RSA Usage Guidelines
The DH Algorithm
The DH Key Exchange Algorithm
Trusted Third-Party Protocols
Trusted Third-Party Example
PKI Terminology and Components
PKI Topologies - Single-Root CA
PKI Topologies - Hierarchical CAs
PKI Topologies - Cross-Certified CAs
PKI and Usage Keys
PKI Server Offload
Overview of Standardization
X.509v3
Public-Key Cryptography Standards
Simple Certificate Enrollment Protocol
Identity Management Using Digital Certificates and CAs
Retrieving CA Certificates
Certificate Enrollment
Authentication Using Certificates
Features of Digital Certificates and CAs
Caveats of Digital Certificates and CAs
Applications of Certificates
Module 14 Review
Module 15 - Building a Site-to-Site IPsec VPN Solution
Building a Site-to-Site IPsec VPN Solution
What is a VPN?
Benefits of VPNs
Site-to-Site VPNs
Remote-Access VPNs
Cisco IOS SSL VPN
Cisco VPN Products
Cisco VPN-Enabled IOS Routers
Cisco ASA Adaptive Security Appliances
VPN Clients
Hardware-Based Encryption
What is IPsec?
IPsec Security Services
Encryption Algorithms
DH Key Exchange
Data Integrity
Authentication
IPsec Advantages
IPsec Versus SSL
IPsec Security Protocols
Authentication Header
AH Authentication and Integrity
Encapsulating Security Payload
ESP Protocol
Modes of Use - Tunnel Versus Transport Mode
Tunnel Mode
IPsec Framework
Internet Key Exchange
IKE Communication Negotiation Phases
IKE Phase 1
First Exchange - IKE Policy Is Negotiated
Second Exchange - DH Key Exchange
Third Exchange - Authenticate Peer Identity
IKE Phase 2
Site-to-Site IPsec VPN
Site-to-Site IPsec Configuration
Step 1: Ensure That ACLs Are Compatible with Ipsec
Step 2: Create ISAKMP (IKE) Policies
IKE Policy Negotiation
Configure PSKs
Site-to-Site IPsec Configuration? Phase 1
Step 3: Configure Transform Sets
Transform Set Negotiation
Purpose of Crypto ACLs
Step 4: Create Crypto ACLs Using Extended ACLs
Configure Symmetric Peer Crypto ACLs
Crypto Map Parameters
Step 5: Configure IPsec Crypto Maps
Example: Crypto Map Commands
Applying Crypto Maps to Interfaces
Test and Verify Ipsec
show crypto isakmp policy Command
show crypto ipsec transform-set Command
show crypto map Command
show crypto ipsec sa
Introducing the Cisco SDM VPN Wizard Interface
Site-to-Site VPN Components
Launching the Site-to-Site VPN Wizard
Quick Setup
Step-by-Step Setup
Connection Settings
IKE Proposals
IPsec Transform Sets
Option 1: Single Source and Destination Subnet
Option 2: Using an ACL
Review the Generated Configuration
Test Tunnel Configuration and Operation
Monitor Tunnel Operation
Advanced Monitoring
Troubleshooting
Demo - IPSec
Module 15 Review
Course Closure