Cisco has announced big changes to its certification program. As of February 24, 2020, all current certifications will be retired, and Cisco will begin offering new certification programs. The good news is if you're working toward any current CCNA certification, keep going. You have until February 24, 2020 to complete your current CCNA. If you already have CCENT/ICND1 certification and would like to earn CCNA, you have until February 23, 2020 to complete your CCNA certification in the current program. Likewise, if you're thinking of completing the current CCENT/ICND1, ICND2, or CCNA Routing and Switching certification, you can still complete them between now and February 23, 2020. Lay the foundation for a successful career in network security CCNA Security Study Guide offers comprehensive review for Exam 210-260. Packed with concise explanations of core security concepts, this book is designed to help you successfully prepare for the exam. Expert instruction guides you through critical concepts relating to secure network infrastructure, access management, VPN encryption, Firewalls, intrusion prevention and more, with complete coverage of the CCNA exam objectives. Practical examples allow you to apply your skills in real-world scenarios, helping you transition effectively from "learning" to "doing". You also get access to the Sybex online learning environment, featuring the tools you need to maximize your study time: key terminology and flash cards allow you to study anytime, anywhere, while chapter tests and practice exams help you track your progress and gauge your readiness along the way. The CCNA Security certification tests your knowledge of secure network installation, monitoring, and troubleshooting using Cisco security hardware and software solutions. When you're ready to get serious about preparing for the exam, this book gives you the advantage of complete coverage, real-world application, and extensive learning aids to help you pass with confidence. 
* Master Cisco security essentials, standards, and core technologies
* Work through practical examples drawn from real-world examples
* Track your progress with online study aids and self-tests
* Develop critical competencies in maintaining data integrity, confidentiality, and availability
Earning your CCNA Security certification validates your abilities in areas that define careers including network security, administrator, and network security support engineer. With data threats continuing to mount, the demand for this skill set will only continue to grow--and in an employer's eyes, a CCNA certification makes you a true professional. CCNA Security Study Guide is the ideal preparation resource for candidates looking to not only pass the exam, but also succeed in the field.
Page count: 457
Publication year: 2018
Troy McMillan
Senior Acquisitions Editor: Kenyon Brown
Development Editor: David Clark
Technical Editors: Jon Buhagiar and Mark Dittmer
Production Manager: Kathleen Wisor
Copy Editor: Kim Wimpsett
Editorial Manager: Mary Beth Wakefield
Executive Editor: Jim Minatel
Book Designer: Judy Fung and Bill Gibson
Proofreader: Amy Schneider
Indexer: Johnna VanHoose Dinse
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Jeremy Woodhouse/Getty Images, Inc.
Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-40993-9
ISBN: 978-1-119-40991-5 (ebk.)
ISBN: 978-1-119-40988-5 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2017962360
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CCNA is a registered trademark of Cisco Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
For my best friend, Wade Long, for just being a good friend.
Special thanks go to David Clark for keeping me on schedule and ensuring all the details are correct. Also, I’d like to thank Jon Buhagiar for the excellent technical edit that saved me from myself at times. Finally, as always, I’d like to acknowledge Kenyon Brown for his continued support of all my writing efforts.
Troy McMillan writes practice tests, study guides, and online course materials for Kaplan IT Training, while also running his own consulting and training business. He holds more than 30 industry certifications and also appears in training videos for OnCourse Learning and Pearson Press. Troy can be reached at [email protected].
Acknowledgments
About the Author
Introduction
What Does This Book Cover?
Interactive Online Learning Environment and Test Bank
Who Should Read This Book
How to Use This Book
How Do You Go About Taking the Exam?
Certification Exam Policies
Assessment Test
Answers to Assessment Test
Chapter 1 Understanding Security Fundamentals
Goals of Security
Network Topologies
Common Network Security Zones
Summary
Exam Essentials
Review Questions
Chapter 2 Understanding Security Threats
Common Network Attacks
Social Engineering
Malware
Data Loss and Exfiltration
Summary
Exam Essentials
Review Questions
Chapter 3 Understanding Cryptography
Symmetric and Asymmetric Encryption
Hashing Algorithms
Key Exchange
Public Key Infrastructure
Summary
Exam Essentials
Review Questions
Chapter 4 Securing the Routing Process
Securing Router Access
Implementing OSPF Routing Update Authentication
Securing the Control Plane
Summary
Exam Essentials
Review Questions
Chapter 5 Understanding Layer 2 Attacks
Understanding STP Attacks
Understanding ARP Attacks
Understanding MAC Attacks
Understanding CAM Overflows
Understanding CDP/LLDP Reconnaissance
Understanding VLAN Hopping
Understanding DHCP Spoofing
Summary
Exam Essentials
Review Questions
Chapter 6 Preventing Layer 2 Attacks
Configuring DHCP Snooping
Configuring Dynamic ARP Inspection
Configuring Port Security
Configuring STP Security Features
Disabling DTP
Verifying Mitigations
Summary
Exam Essentials
Review Questions
Chapter 7 VLAN Security
Native VLANs
PVLANs
ACLs on Switches
Summary
Exam Essentials
Review Questions
Chapter 8 Securing Management Traffic
In-Band and Out-of-Band Management
Securing Network Management
Securing Access through SNMP v3
Securing NTP
Using SCP for File Transfer
Summary
Exam Essentials
Review Questions
Chapter 9 Understanding 802.1x and AAA
802.1x Components
RADIUS and TACACS+ Technologies
Configuring Administrative Access with TACACS+
Understanding Authentication and Authorization Using ACS and ISE
Understanding the Integration of Active Directory with AAA
Summary
Exam Essentials
Review Questions
Chapter 10 Securing a BYOD Initiative
The BYOD Architecture Framework
The Function of Mobile Device Management
Summary
Exam Essentials
Review Questions
Chapter 11 Understanding VPNs
Understanding IPsec
Understanding Advanced VPN Concepts
Summary
Exam Essentials
Review Questions
Chapter 12 Configuring VPNs
Configuring Remote Access VPNs
Configuring Site-to-Site VPNs
Summary
Exam Essentials
Review Questions
Chapter 13 Understanding Firewalls
Understanding Firewall Technologies
Stateful vs. Stateless Firewalls
Summary
Exam Essentials
Review Questions
Chapter 14 Configuring NAT and Zone-Based Firewalls
Implementing NAT on ASA 9.x
Configuring Zone-Based Firewalls
Summary
Exam Essentials
Review Questions
Chapter 15 Configuring the Firewall on an ASA
Understanding Firewall Services
Understanding Modes of Deployment
Understanding Methods of Implementing High Availability
Understanding Security Contexts
Configuring ASA Management Access
Configuring Cisco ASA Interface Security Levels
Configuring Security Access Policies
Configuring Default Cisco Modular Policy Framework (MPF)
Summary
Exam Essentials
Review Questions
Chapter 16 Intrusion Prevention
IPS Terminology
Evasion Techniques
Introducing Cisco FireSIGHT
Understanding Modes of Deployment
Positioning of the IPS within the Network
Understanding False Positives, False Negatives, True Positives, and True Negatives
Summary
Exam Essentials
Review Questions
Chapter 17 Content and Endpoint Security
Mitigating Email Threats
Mitigating Web-Based Threats
Mitigating Endpoint Threats
Summary
Exam Essentials
Review Questions
Appendix Answers to Review Questions
Chapter 1: Understanding Security Fundamentals
Chapter 2: Understanding Security Threats
Chapter 3: Understanding Cryptography
Chapter 4: Securing the Routing Process
Chapter 5: Understanding Layer 2 Attacks
Chapter 6: Preventing Layer 2 Attacks
Chapter 7: VLAN Security
Chapter 8: Securing Management Traffic
Chapter 9: Understanding 802.1x and AAA
Chapter 10: Securing a BYOD Initiative
Chapter 11: Understanding VPNs
Chapter 12: Configuring VPNs
Chapter 13: Understanding Firewalls
Chapter 14: Configuring NAT and Zone-Based Firewalls
Chapter 15: Configuring the Firewall on an ASA
Chapter 16: Intrusion Prevention
Chapter 17: Content and Endpoint Security
Advert
EULA
Chapter 1
TABLE 1.1
Chapter 3
TABLE 3.1
TABLE 3.2
Chapter 9
TABLE 9.1
Chapter 16
TABLE 16.1
Chapter 1
FIGURE 1.1 Defense in depth
FIGURE 1.2 Security cycle
FIGURE 1.3 Campus area network
Chapter 2
FIGURE 2.1 Ping scan with nmap
FIGURE 2.2 TCP header
FIGURE 2.3 NULL scan
FIGURE 2.4 XMAS scan
FIGURE 2.5 TCP handshake
FIGURE 2.6 SYN flood
FIGURE 2.7 Ping-of-death packet
FIGURE 2.8 Direct DDoS
FIGURE 2.9 Smurf attack
Chapter 3
FIGURE 3.1 ROT 13 Caesar cipher
FIGURE 3.2 Vigenère cipher
FIGURE 3.3 ECB process
FIGURE 3.4 CBC process
FIGURE 3.5 Hash process
FIGURE 3.6 HMAC process
FIGURE 3.7 Digital signature process
FIGURE 3.8 PKI encryption
FIGURE 3.9 PKI digital signature
FIGURE 3.10 SSL process
FIGURE 3.11 PKI hierarchy
FIGURE 3.12 Cross certification
FIGURE 3.13 Viewing certificates
Chapter 4
FIGURE 4.1 CoPP
FIGURE 4.2 Modular policy framework
Chapter 5
FIGURE 5.1 STP attack
FIGURE 5.2 ARP process
FIGURE 5.3 ARP cache poisoning
FIGURE 5.4 MAC spoofing
FIGURE 5.5 CAM overflow
FIGURE 5.6 Switch spoofing
FIGURE 5.7 Double tagging
FIGURE 5.8 DHCP spoofing
Chapter 6
FIGURE 6.1 DHCP snooping
FIGURE 6.2 DAI in action
FIGURE 6.3 BPDU Guard in action
Chapter 7
FIGURE 7.1 PVLANs
FIGURE 7.2 PVLAN proxy attack
Chapter 8
FIGURE 8.1 Partial MIB
FIGURE 8.2 NTP authentication process
Chapter 9
FIGURE 9.1 802.1x
Chapter 10
FIGURE 10.1 ISE context-based access
FIGURE 10.2 CMD
FIGURE 10.3 SXP and SGT
FIGURE 10.4 Permission matrix
FIGURE 10.5 MDM with IDE
FIGURE 10.6 ISE authorization policy integration
Chapter 11
FIGURE 11.1 Diffie-Hellman
FIGURE 11.2 IKE phase 1
FIGURE 11.3 Matching ISAKMP parameters
FIGURE 11.4 AH process
FIGURE 11.5 AH in tunnel mode
FIGURE 11.6 ESP in tunnel mode
FIGURE 11.7 AH in transport mode
FIGURE 11.8 ESP in transport mode
FIGURE 11.9 IPv6 header with extensions
FIGURE 11.10 The need for hairpinning
FIGURE 11.11 Hairpin configuration
FIGURE 11.12 Split tunneling
FIGURE 11.13 Preferences (Part 2) window
FIGURE 11.14 NAT traversal
Chapter 12
FIGURE 12.1 Supported SSL/TLS algorithms
Chapter 13
FIGURE 13.1 TCP three-way handshake
FIGURE 13.2 Stateful firewall operation
Chapter 14
FIGURE 14.1 Multiple class maps
FIGURE 14.2 Reuse of class maps
FIGURE 14.3 Default policies
FIGURE 14.4 Default policies (self-zone)
Chapter 15
FIGURE 15.1 Active/Standby failover
FIGURE 15.2 Active/Active failover
FIGURE 15.3 Clustering
FIGURE 15.4 Security contexts
FIGURE 15.5 Security levels in action
Chapter 16
FIGURE 16.1 IP header fragmentation flags
FIGURE 16.2 Fragmentation process
FIGURE 16.3 Fragmentation attack
FIGURE 16.4 Injection attack
FIGURE 16.5 SPAN
FIGURE 16.6 Tap
FIGURE 16.7 Inline mode
FIGURE 16.8 Outside deployment
FIGURE 16.9 DMZ deployment
FIGURE 16.10 Inside deployment
Chapter 17
FIGURE 17.1 File retrospection
FIGURE 17.2 ESA inbound
FIGURE 17.3 ESA outbound
FIGURE 17.4 Incoming mail processing
FIGURE 17.5 Outgoing mail processing
The CCNA Security certification program is one of the elective paths you can take when achieving the CCNA. It requires passing the CCENT exam (100-105) and then passing the CCNA Security exam (210-260).
The Cisco Security exam objectives are periodically updated to keep the certification applicable to the most recent hardware and software. This is necessary because a technician must be able to work on the latest equipment. The most recent revisions to the objectives—and to the whole program—were introduced in 2016 and are reflected in this book.
This book and the Sybex CCNA Security+ Complete Study Guide (both the Standard and Deluxe editions) are tools to help you prepare for this certification—and for the new areas of focus of a modern server technician’s job.
Cisco Certified Network Associate Security (CCNA Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies; the installation, troubleshooting, and monitoring of network devices to maintain integrity, confidentiality, and availability of data and devices; and competency in the technologies that Cisco uses in its security structure.
The CCNA Security certification isn’t awarded until you’ve passed the two tests. For the latest pricing on the exams and updates to the registration procedures, call Pearson VUE at (877) 551-7587. You can also go to Pearson VUE’s website at www.vue.com for additional information or to register online. If you have further questions about the scope of the exams, see https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security.html.
Here is a glance at what’s in each chapter.
Chapter 1: Understanding Security Fundamentals
covers common security principles such as the CIA triad; common security terms such as risk, vulnerability, and threat; the proper application of common security zones, such as intranet, DMZ, and extranets; a discussion of network topologies as seen from the perspective of the Cisco Campus Area network; and methods of network segmentation such as VLANs.
Chapter 2: Understanding Security Threats
covers common network attacks and their motivations; attack vectors such as malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel; various methods used to perform network reconnaissance such as ping scans and port scans; types of malware; and the exfiltration of sensitive data such as IP, PII, and credit card data.
Chapter 3: Understanding Cryptography
covers symmetric and asymmetric key cryptography, the hashing process, major hashing algorithms, PKI and the components that make it function, and common attacks on cryptography.
Chapter 4: Securing the Routing Process
covers methods of securing administrative access to the router, IOS privilege levels, IOS role-based CLI access, Cisco IOS resilient configuration, authentication for router updates for both OSPF and EIGRP, and control plane policing.
Chapter 5: Understanding Layer 2 Attacks
covers STP attacks such as rogue switches, ARP spoofing, MAC spoofing, and CAM overflow. It also discusses both the value and the danger in using CDP and LLDP. Finally, you will learn how VLAN hopping attacks are performed.
Chapter 6: Preventing Layer 2 Attacks
covers DHCP snooping; DAI and how it prevents ARP poisoning attacks; using port security to prevent MAC overflow attacks and the introduction of unauthorized devices on switch ports; and BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent unauthorized changes to the STP topology.
Chapter 7: VLAN Security
covers preventing VLAN hopping attacks that take advantage of the native VLAN; private VLANs; setting ports as promiscuous, community, and isolated; the PVLAN Edge feature; and using ACLs to prevent a PVLAN proxy attack.
Chapter 8: Securing Management Traffic
covers managing devices in-band and out-of-band; methods of securing management interfaces, including enabling the HTTPS server, securing SNMP v3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management; types of banner messages; and securing the NTP protocol.
Chapter 9: Understanding 802.1x and AAA
covers the AAA services that can be provided by TACACS+ and RADIUS servers; configuring administrative access to a router using TACACS+; how AAA can be integrated with Active Directory; the Cisco implementations of a RADIUS server, including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE); and the functions of the various 802.1X components.
Chapter 10: Securing a BYOD Initiative
covers the challenges involved in supporting a BYOD initiative and the components Cisco provides for this, including the Cisco Identity Services Engine (ISE) and the Cisco TrustSec provisioning and management platform. It also covers advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGA), change of authorization (CoA), and posture assessment. Further, we discuss the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, we end the chapter by covering the three main functions of TrustSec.
Chapter 11: Understanding VPNs
covers IPsec and the security services it provides; the components of IPsec such as ISAKMP, IKE, AH, and ESP; how to use hairpinning to allow traffic between two hosts to connect to the same VPN interface; and split tunneling and its benefits.
Chapter 12: Configuring VPNs
covers the value of the Cisco clientless SSL VPN and the steps required to configure it, the Cisco AnyConnect SSL VPN, modules in the Cisco AnyConnect client that can provide endpoint posture assessment, and how to implement an IPsec site-to-site VPN with preshared key authentication.
Chapter 13: Understanding Firewalls
covers various firewall technologies such as proxy, application, personal, and stateful firewalls, with stateful firewalls covered in greater detail and described in relation to the TCP three-way handshake. Finally, you learn what is contained in the state table of a stateful firewall.
Chapter 14: Configuring NAT and Zone-Based Firewalls
covers three forms of NAT: static NAT, dynamic NAT, and PAT; the NAT options available in the ASA; the benefits of NAT; and how to configure it and verify its operation. You will learn about class maps, policy maps, and service policies and their respective functions in a zone-based firewall. Finally, the steps to configure and verify a zone-based firewall end the chapter.
Chapter 15: Configuring the Firewall on an ASA
covers how to set up the ASA so you can remotely administer it using the ASDM; the default security policies that are in place; how the default global policy interacts with configured policies; how interface security levels affect traffic flows; how the Cisco Modular Policy Framework is used to create policies; the difference between a transparent and a routed firewall; and high availability solutions, including active/active, active/standby, and clustering approaches.
Chapter 16: Intrusion Prevention
covers general IPS concepts such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; the positioning options available; false positives and false negatives; how rules and signatures are used in the process of identifying potential attacks; and trigger actions of which an IPS might be capable, such as dropping, resetting, and alerting.
Chapter 17: Content and Endpoint Security
covers mitigation techniques available when using the Cisco Email Security Appliance, including reputation and context-based filtering, and the Cisco Web Security Appliance, which uses blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discusses endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.
We’ve put together some really great online tools to help you pass the CCNA Security exam. The interactive online learning environment that accompanies the CCNA Security exam certification guide provides a test bank and study tools to help you prepare for the exam. By using these tools you can dramatically increase your chances of passing the exam on your first try.
The online test bank includes the following:
Sample Tests Many sample tests are provided throughout this book and online, including the Assessment Test, which you’ll find at the end of this introduction, and the Chapter Tests that include the review questions at the end of each chapter. In addition, there are two bonus practice exams. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.
Flashcards The online test bank includes 100 flashcards specifically written to hit you hard, so don’t get discouraged if you don’t ace your way through them at first! They’re there to ensure that you’re really ready for the exam. And no worries: armed with the review questions, practice exams, and flashcards, you’ll be more than prepared when exam day comes! Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.
Resources A glossary of key terms from this book and their definitions is available as a fully searchable PDF.
Go to http://www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
If you want to acquire a solid foundation in managing security on Cisco devices or your goal is to prepare for the exams by filling in any gaps in your knowledge, this book is for you. You’ll find clear explanations of the concepts you need to grasp and plenty of help to achieve the high level of professional competency you need in order to succeed in your chosen field.
If you want to become certified as a CCNA Security professional, this book is definitely what you need. However, if you just want to attempt to pass the exam without really understanding the basics of personal computers, this guide isn’t for you. It’s written for people who want to acquire skills and knowledge of servers and storage systems.
If you want a solid foundation for the serious effort of preparing for the Cisco CCNA Security exam, then look no further. We’ve spent hundreds of hours putting together this book with the sole intention of helping you to pass the exam as well as really learn about the exciting field of network security!
This book is loaded with valuable information, and you will get the most out of your study time if you understand why the book is organized the way it is.
So, to maximize your benefit from this book, I recommend the following study method:
Take the assessment test that’s provided at the end of this introduction. (The answers are at the end of the test.) It’s okay if you don’t know any of the answers; that’s why you bought this book! Carefully read over the explanations for any questions you get wrong and note the chapters in which the material relevant to them is covered. This information should help you plan your study strategy.
Study each chapter carefully, making sure you fully understand the information and the test objectives listed at the beginning of each one. Pay extra-close attention to any chapter that includes material covered in questions you missed.
Complete all hands-on labs in each chapter, referring to the text of the chapter so that you understand the reason for each step you take.
Answer all of the review questions related to each chapter. (The answers appear in Appendix.) Note the questions that confuse you, and study the topics they cover again until the concepts are crystal clear. And again—do not just skim these questions! Make sure you fully comprehend the reason for each correct answer. Remember that these will not be the exact questions you will find on the exam, but they’re written to help you understand the chapter material and ultimately pass the exam!
Try your hand at the practice questions that are exclusive to this book. The questions can be found at http://www.sybex.com/go/ccnasecuritystudyguide.
Test yourself using all the flashcards, which are also found at the download link. These are brand-new and updated flashcards to help you prepare for the CCNA Security exam and a wonderful study tool!
To learn every bit of the material covered in this book, you’ll have to apply yourself regularly, and with discipline. Try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. I’m confident that if you work hard, you’ll be surprised at how quickly you learn this material!
If you follow these steps and really study in addition to using the review questions, the practice exams, and the electronic flashcards, it would actually be hard to fail the CCNA Security exam. But understand that studying for the Cisco exams is a lot like getting in shape—if you do not go to the gym every day, it’s not going to happen!
According to the Cisco website the Cisco CCNA Security exam details are as follows:
Exam code: 210-260
Exam description: This exam tests the candidate’s knowledge of secure network infrastructure, understanding core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security using Cisco routers and the ASA 9x.
Number of questions: 60–70
Type of questions: multiple choice, drag and drop, testlet, simulation
Length of test: 90 minutes
Passing score: 860 (on a scale of 100–900)
Language: English
When the time comes to schedule your exam, you will need to create an account at http://www.pearsonvue.com/cisco/ and register for your exam. Cisco testing is provided by its global testing partner, Pearson VUE. You can locate your closest testing center at https://home.pearsonvue.com/ and schedule at any of the listed testing centers.
To purchase the exam, you will need to buy an exam voucher from Cisco. The voucher is a code they provide you to use to schedule the exam. Information on purchasing a voucher can be found at: http://www.pearsonvue.com/vouchers/pricelist/cisco.asp.
When you have a voucher and have selected a testing center, you can schedule the Cisco 210-260 exam by following this link: http://www.pearsonvue.com/cisco/. This will take you to the Pearson VUE website and from here you can also locate a testing center or purchase vouchers if you have not already done so.
When you have registered for the CCNA Security certification exam, you will receive a confirmation e-mail that supplies you with all of the information you will need to take the exam. Remember to take a printout of this e-mail with you to the testing center.
For the most current information regarding Cisco exam policies, it is recommended that you follow the https://www.cisco.com/c/en/us/training-events/training-certifications/exams/policies.html link to become familiar with Cisco policies. It contains a large amount of useful information regarding:
Exam policy requirements
Age requirements and policies concerning minors
Certification and confidentiality agreement
Candidate identification and authentication
Candidate rights and responsibilities
Confidentiality and agreements
Embargoed country policy
Privacy
Exam and testing policies
Conduct
Confidentiality and agreements
Exam discounts, vouchers, and promotional codes
Exam violations
Preliminary score report
Retaking exams
Post exam policies
Certification tracking system
Correspondence
Exam recertification
Exam retirement
Exam scoring
Logo guidelines
The Cisco CCNA Security exam contains 60–90 multiple choice, drag and drop, testlet, and simulation item questions, and must be completed in 90 minutes or less. This information may change over time and it is advised to check www.cisco.com for the latest updates.
Many questions on the exam offer answer choices that at first glance look identical—especially the syntax questions! So remember to read through the choices carefully because close just doesn’t cut it. If you get information in the wrong order or forget one measly character, you may get the question wrong. So, to practice, do the practice exams and hands-on exercises in this book’s chapters over and over again until they feel natural to you; also, and this is very important, do the online sample test until you can consistently answer all the questions correctly. Relax, read the question over and over until you are 100% clear on what it is asking, and then you can usually eliminate a few of the obviously wrong answers.
Here are some general tips for exam success:
Arrive early at the exam center so you can relax and review your study materials.
Read the questions carefully. Don’t jump to conclusions. Make sure you’re clear about exactly what each question asks. “Read twice, answer once!”
Ask for a piece of paper and pencil if it is offered to take down quick notes and make sketches during the exam.
When answering multiple-choice questions that you’re not sure about, use the process of elimination to get rid of the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.
After you complete an exam, you’ll get immediate notification of your pass or fail status, a printed examination score report that indicates your pass or fail status, and your exam results by section. (The test administrator will give you the printed score report.) Test scores are automatically forwarded to Cisco after you take the test, so you don’t need to send your score to them. If you pass the exam, you’ll receive confirmation from Cisco and a package in the post with a nice document suitable for framing showing that you are now a Cisco certified engineer.
Cisco goes to great lengths to ensure that its certification programs accurately reflect the IT industry’s best practices. The company does this by establishing Cornerstone Committees for each of its exam programs. Each committee comprises a small group of IT professionals, training providers, and publishers who are responsible for establishing the exam’s baseline competency level and who determine the appropriate target audience level.
Once these factors are determined, Cisco shares this information with a group of hand-selected subject-matter experts (SMEs). These folks are the true brainpower behind the certification program. They review the committee’s findings, refine them, and shape them into the objectives you see before you. Cisco calls this process a job task analysis (JTA).
Finally, Cisco conducts a survey to ensure that the objectives and weightings truly reflect the job requirements. Only then can the SMEs go to work writing the hundreds of questions needed for the exam. And, in many cases, they have to go back to the drawing board for further refinements before the exam is ready to go live in its final state. So, rest assured, the content you’re about to learn will serve you long after you take the exam.
Cisco also publishes relative weightings for each of the exam’s objectives. The following table lists the objective domains and the extent to which they’re represented on each exam.
210-260 Exam Domains                 % of Exam
1.0 Security Concepts                12%
2.0 Secure Access                    14%
3.0 VPN                              17%
4.0 Secure Routing and Switching     18%
5.0 Cisco Firewall Technologies      18%
6.0 IPS                              9%
7.0 Content and Endpoint Security    12%
Total                                100%
210-260 Sub Domains                                                                          Chapters
1.2 Common security threats                                                                  2
1.3 Cryptography concepts                                                                    2
1.4 Describe network topologies                                                              3
2.1 Secure management                                                                        8
2.2 AAA concepts                                                                             9
2.3 802.1x authentication                                                                    9
2.4 BYOD                                                                                     10
3.1 VPN concepts                                                                             11
3.2 Remote access VPN                                                                        12
3.3 Site-to-site VPN                                                                         12
4.1 Security on Cisco routers                                                                4
4.2 Securing routing protocols                                                               4
4.3 Securing the control plane                                                               4
4.4 Common Layer 2 attacks                                                                   5
4.5 Mitigation procedures                                                                    6
4.6 VLAN security                                                                            7
5.1 Describe operational strengths and weaknesses of the different firewall technologies     13
5.2 Compare stateful vs. stateless firewalls                                                 13
5.3 Implement NAT on Cisco ASA 9.x                                                           14
5.4 Implement zone-based firewall                                                            14
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x                     15
6.1 Describe IPS deployment considerations                                                   16
6.2 Describe IPS technologies                                                                16
7.1 Describe mitigation technology for email-based threats                                   17
7.2 Describe mitigation technology for web-based threats                                     17
7.3 Describe mitigation technology for endpoint threats                                      17
1. When you are concerned with preventing data from unauthorized edits you are concerned with which of the following?
A. integrity
B. confidentiality
C. availability
D. authorization

2. When a systems administrator is issued both an administrative-level account and a normal user account and uses the administrative account only when performing an administrative task, it is an example of which concept?
A. least privilege
B. split knowledge
C. dual control
D. separation of duties

3. What is the purpose of mandatory vacations?
A. cross training
B. fraud prevention
C. improves morale
D. employee retention

4. Which of the following occurs when an organizational asset is exposed to losses?
A. risk
B. threat
C. exposure
D. vulnerability

5. Which of the following is a standard used by the security automation community to enumerate software flaws and configuration issues?
A. CSE
B. SCAP
C. CVE
D. CWE

6. Which hacker type hacks for a political cause?
A. black hats
B. white hats
C. script kiddies
D. hacktivists

7. Which of the following is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator?
A. PGP
B. S/MIME
C. SMTP
D. SPF

8. What does the following command do?
nmap -sP 192.168.0.0-100
A. port scan
B. ping scan
C. vulnerability scan
D. penetration test

9. You just executed a half open scan and got no response. What does that tell you?
A. the port is open
B. the port is closed
C. the port is blocked
D. it cannot be determined

10. Which of the following is a mitigation for a buffer overflow?
A. antivirus software
B. IOS updates
C. input validation
D. encryption

11. Which of the following is a Layer 2 attack?
A. buffer overflow
B. DoS
C. ARP poisoning
D. IP spoofing

12. Which of the following is not intellectual property?
A. designs
B. advertisements
C. recipes
D. contact lists

13. What is the best countermeasure to social engineering?
A. training
B. access lists
C. HIDS
D. encryption

14. Which of the following is a mitigation for ARP poisoning?
A. VLANs
B. DAI
C. DNSSec
D. STP

15. In which cryptographic attack does the attacker use recurring patterns to reverse engineer the message?
A. side channel
B. frequency
C. plaintext only
D. ciphertext only

16. You have five users in your department. These five users only need to encrypt information with one another. If you implement a symmetric encryption algorithm, how many keys will be needed to support the department?
A. 5
B. 8
C. 10
D. 12

17. Which statement is true with regard to asymmetric encryption?
A. less expensive than symmetric
B. slower than symmetric
C. harder to crack than symmetric
D. key compromise can occur more easily than with symmetric

18. Which of the following is a stream-based cipher?
A. RC4
B. DES
C. 3DES
D. AES

19. What is the purpose of an IV?
A. doubles the encryption
B. adds randomness
C. performs 16 rounds of transposition
D. hashes the message

20. Which step is not required to configure SSH on a router?
A. Set the router name
B. Set the router ID
C. Set the router domain name
D. Generate the RSA key

21. Which of the following allows you to assign a technician sets of activities that coincide with the level they have been assigned?
A. access levels
B. job parameters
C. privilege levels
D. rules

22. Which of the following is a way to prevent unwanted changes to the configuration?
A. router lockdown
B. resilient configuration
C. secure IOS
D. config-sec

23. Which of the following is used to hold multiple keys used in OSPF Routing Update Authentication?
A. key store
B. keychain
C. keydb
D. keyauth

24. Which of the following characteristics of a rogue switch could cause it to become the root bridge?
A. higher MAC address
B. higher IP address
C. a superior BPDU
D. lower router ID

25. Which of the following is used by a malicious individual to pollute the ARP cache of other machines?
A. ping of death
B. buffer overflow
C. bound violation
D. gratuitous ARP

26. What happens when the CAM table of a switch is full of fake MAC addresses and can hold no other MAC addresses?
A. it gets dumped
B. the switch shuts down
C. the switch starts forwarding all traffic out of all ports
D. all ports are shut down

27. Which switch feature uses the concept of trusted and untrusted ports?
A. DAI
B. DHCP snooping
C. STP
D. Root Guard

28. Which command enables port security on the switch?
A. SW70(config-if)#switchport mode access
B. SW70(config-if)#switchport port-security maximum 2
C. SW70(config-if)#switchport port-security
D. SW70(config-if)#switchport port-security violation shutdown

29. Which switch feature prevents the introduction of a rogue switch to the topology?
A. Root Guard
B. BPDU Guard
C. Loop Guard
D. DTP

30. What prevents switching loops?
A. DAI
B. DHCP snooping
C. STP
D. Root Guard

1. A. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.
2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task.
3. B. With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their position while gone. This detective administrative control enhances the opportunity to discover unusual activity.
4. C. An exposure occurs when an organizational asset is exposed to losses.
5. B. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used.
6. D. Hacktivists are those who hack not for personal gain, but to further a cause. For example, the Anonymous group hacks from time to time for various political reasons.
7. D. Sender Policy Framework (SPF) is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s box.
8. B. 0–100 is the range of IP addresses to be scanned in the 192.168.0.0 network.
9. C. If you receive no response, the port is blocked on the firewall.
10. C. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten.
11. C. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this poisoning by answering ARP requests for another computer’s IP address with his own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker’s MAC address listed as the MAC address that maps to the other computer’s IP address. As a result, both are sending to the attacker, placing him “in the middle.”
12. B. An advertisement would be publicly available.
13. A. The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.
14. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table.
15. B. One of the issues with substitution ciphers is that if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message.
16. C. To calculate the number of keys that would be needed in this example, you would use the following formula:
# of users × (# of users – 1) / 2
Using our example, you would calculate 5 × (4) / 2 or 10 needed keys.
17. B. Asymmetric encryption is more expensive than symmetric, it is slower than symmetric, it is easier to crack than symmetric, and key compromise can occur less easily than with symmetric.
18. A. Only RC4 is a stream cipher.
19. B. Some modes of symmetric key algorithms use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms.
20. B. A router ID is not a part of the configuration.
21. C. Privilege levels allow you to assign a technician sets of activities that coincide with the level they have been assigned. There are 16 levels from 0 to 15.
22. B. The IOS Resilient Configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.
23. B. A keychain can be used to hold multiple keys if required.
24. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU to the one held by the current root bridge, the new switch assumes the position of root bridge.
25. D. Gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asks, and it causes the target to change its ARP cache.
26. C. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub and not a switch.
27. B. DHCP snooping is implemented on the switches in the network, so it is a Layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse.
28. C. Without executing this command the other commands will have no effect.
29. B. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on access ports.
30. C. Spanning Tree Protocol (STP) prevents switching loops in redundant switching networks.
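The DAI check described in the answer about ARP poisoning mitigation, modelled as an added example (not code from the book): ARP replies arriving on untrusted ports are compared against a DHCP-snooping binding table and dropped on a mismatch. The binding table, the trusted-port set and the sample replies are all constructed data, and the assumption that only the router uplink is trusted is the example's own.

```python
"""Added example (not from the book): a minimal model of Dynamic ARP
Inspection (DAI). Each ARP reply arriving on an untrusted port is compared
against a DHCP-snooping binding table; a mismatch is dropped. All
bindings, ports and replies below are constructed sample data."""
from dataclasses import dataclass

# Constructed DHCP-snooping binding table: sender IP -> (MAC, VLAN, port).
BINDINGS = {
    "192.168.1.1":  ("00:11:22:33:44:01", 10, "Gi0/24"),  # default gateway
    "192.168.1.10": ("00:11:22:33:44:10", 10, "Gi0/1"),
    "192.168.1.20": ("00:11:22:33:44:20", 10, "Gi0/2"),
}

# Assumption: only the uplink to the router is a trusted port. DAI does not
# inspect ARP traffic arriving on trusted ports.
TRUSTED_PORTS = {"Gi0/24"}


@dataclass(frozen=True)
class ArpReply:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str


def dai_inspect(reply, bindings=BINDINGS, trusted_ports=TRUSTED_PORTS):
    """Return ('forward' | 'drop', reason) for one ARP reply."""
    if reply.ingress_port in trusted_ports:
        return "forward", "trusted port, not inspected"
    binding = bindings.get(reply.sender_ip)
    if binding is None:
        return "drop", f"no binding for sender IP {reply.sender_ip}"
    bound_mac, bound_vlan, _bound_port = binding
    if reply.vlan != bound_vlan:
        return "drop", f"VLAN {reply.vlan} does not match binding VLAN {bound_vlan}"
    if reply.sender_mac.lower() != bound_mac.lower():
        # The poisoning case: a host answers for an IP address it does not own.
        return "drop", (f"sender MAC {reply.sender_mac} does not match "
                        f"{bound_mac} bound to {reply.sender_ip}")
    return "forward", "sender IP/MAC pair matches the binding table"


# Constructed traffic sample: a legitimate reply, a gratuitous ARP claiming
# the gateway's IP from an untrusted port, the real gateway on the trusted
# uplink, and a reply carrying the wrong VLAN.
SAMPLE_REPLIES = [
    ArpReply("Gi0/1", 10, "00:11:22:33:44:10", "192.168.1.10"),
    ArpReply("Gi0/3", 10, "00:de:ad:be:ef:03", "192.168.1.1"),
    ArpReply("Gi0/24", 10, "00:11:22:33:44:01", "192.168.1.1"),
    ArpReply("Gi0/2", 20, "00:11:22:33:44:20", "192.168.1.20"),
]


def inspect_all(replies):
    """Forward/drop decision for each reply, in order."""
    return [dai_inspect(r)[0] for r in replies]


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        decision, reason = dai_inspect(r)
        print(f"{r.ingress_port:6} {r.sender_ip:14} {decision:8} {reason}")
```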
CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:
1.1 Common security principles
Describe confidentiality, integrity, availability (CIA)
Identify common security terms
Identify common network security zones
1.4 Describe network topologies
Campus area network (CAN)
Cloud, wide area network (WAN)
Data center
Small office/home office (SOHO)
Network security for a virtual environment
Securing a network is no easy task. Daily you probably hear about data disclosures and new network attacks. However, you are not defenseless. By properly implementing the security features available in Cisco routers, switches, and firewalls, you can reduce the risk of a security breach to a manageable level. This book is designed to help you understand the issues, identify your security options, and deploy those options in the correct manner. In the process, the book will prepare you for the Cisco CCNA Security certification, which validates the skills and knowledge required to secure a network using Cisco products.
In this chapter, you will learn the following:
Common security principles
Network topologies
When you’re securing a network, several important security principles should guide your efforts. Every security measure you implement should contribute to the achievement of one of three goals. The three fundamentals of security are confidentiality, integrity, and availability (CIA), often referred to as the CIA triad.
Most security issues result in a violation of at least one facet of the CIA triad. Understanding these three security principles will help ensure that the security controls and mechanisms implemented protect at least one of these principles.
Every security control that is put into place by an organization fulfills at least one of the security principles of the CIA triad. Understanding how to circumvent these security principles is just as important as understanding how to provide them.
To ensure confidentiality, you must prevent the disclosure of data or information to unauthorized entities. As part of confidentiality, the sensitivity level of data must be determined before putting any access controls in place. Data with a higher sensitivity level will have more access controls in place than data at a lower sensitivity level. Identification, authentication, and authorization can be used to maintain data confidentiality. Encryption is another popular example of a control that provides confidentiality.
Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.
An access control list (ACL) is an example of a control that helps to provide integrity. Another example is the generation of hash values that can be used to validate data integrity.
Availability means ensuring that data is accessible when and where it is needed. Only individuals who need access to data should be allowed access to that data. The two main areas where availability is affected are
When attacks are carried out that disable or cripple a system.
When service loss occurs during and after disasters. Each system should be assessed on its criticality to organizational operations. Controls are implemented based on each system’s criticality level.
Fault-tolerant technologies, such as RAID or redundant sites, are examples of controls that help to improve availability.
When managing network security and access to resources, there are some proven principles that should guide your efforts. These concepts have stood the test of time because they contribute to supporting the CIA triad.
The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task. Its main purpose is to ensure that users only have access to the resources they need and are authorized to perform only the tasks they need to perform. To properly implement the least privilege principle, organizations must identify all users’ jobs and restrict users only to the identified privileges.
The need-to-know principle is closely associated with the concept of least privilege. Although least privilege seeks to reduce access to a minimum, the need-to-know principle actually defines what the minimums for each job or business function are. Excessive privileges become a problem when a user has more rights, privileges, and permissions than he needs to do his job. Excessive privileges are hard to control in large environments.
A common implementation of the least privilege and need-to-know principles is when a systems administrator is issued both an administrative-level account and a normal user account. In most day-to-day functions, the administrator should use his normal user account. When the systems administrator needs to perform administrative-level tasks, he should use the administrative-level account. If the administrator uses his administrative-level account while performing routine tasks, he risks compromising the security of the system and user accountability.
Organizational rules that support the principle of least privilege include the following:
Keep the number of administrative accounts to a minimum.
Administrators should use normal user accounts when performing routine operations.
Permissions on tools that are likely to be used by attackers should be as restrictive as possible.
To more easily support the least privilege and need-to-know principles, users should be divided into groups to facilitate the confinement of information to a single group or area. This process is referred to as compartmentalization.
During the authorization process, you should configure an organization’s access control mechanisms so that the default is no access. This means that if nothing has been specifically allowed for a user or group, then the user or group will not be able to access the resource. The best security approach is to start with no access and add rights based on a user’s need to know and the least privilege needed to accomplish daily tasks.
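The "start with no access and add rights" default, shown in the form a Cisco engineer meets it most often: the implicit deny at the end of every access list. This is an added example, not the book's code; it evaluates a standard-ACL-style entry list top to bottom, first match wins, and the ACL entries and addresses are constructed.

```python
"""Added example (not from the book): a first-match evaluator for a
Cisco-style standard IP access list, showing the implicit deny that applies
when no entry matches. Entries and addresses are constructed sample data."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _parse_ace(line):
    """Parse one access control entry into (action, network, wildcard).

    Supported forms (standard ACL syntax):
      permit|deny any
      permit|deny host A.B.C.D
      permit|deny A.B.C.D W.W.W.W   (network plus wildcard mask)
    """
    parts = line.split()
    action = parts[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if len(parts) == 2 and parts[1].lower() == "any":
        return action, 0, ALL_ONES
    if len(parts) == 3 and parts[1].lower() == "host":
        return action, int(ipaddress.IPv4Address(parts[2])), 0
    if len(parts) == 3:
        return (action, int(ipaddress.IPv4Address(parts[1])),
                int(ipaddress.IPv4Address(parts[2])))
    raise ValueError(f"unsupported entry: {line!r}")


def _ace_matches(network, wildcard, addr):
    # Cisco wildcard masks: a 1 bit means "don't care", so compare only the
    # bits where the wildcard is 0.
    care = ~wildcard & ALL_ONES
    return (addr & care) == (network & care)


def evaluate_acl(acl, src_ip):
    """Return (action, matched_entry) for src_ip.

    Entries are tested top to bottom and the first match wins; if nothing
    matches, the implicit 'deny any' at the end of every Cisco ACL applies.
    """
    addr = int(ipaddress.IPv4Address(src_ip))
    for line in acl:
        action, network, wildcard = _parse_ace(line)
        if _ace_matches(network, wildcard, addr):
            return action, line
    return "deny", "implicit deny (no entry matched)"


# Constructed ACL: block one workstation, then allow the rest of its subnet.
# Every other source is never mentioned and so falls through to the
# implicit deny, which is the "default is no access" posture described above.
SAMPLE_ACL = [
    "deny host 192.168.10.5",
    "permit 192.168.10.0 0.0.0.255",
]

if __name__ == "__main__":
    for ip in ("192.168.10.5", "192.168.10.77", "10.1.1.1"):
        print(ip, evaluate_acl(SAMPLE_ACL, ip))
    # Order matters: swapping the two entries lets the blocked host through.
    print("swapped:", evaluate_acl(list(reversed(SAMPLE_ACL)), "192.168.10.5"))
```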
A defense-in-depth strategy refers to the practice of using multiple layers of security between data and the resources on which it resides and possible attackers. The first layer of a good defense-in-depth strategy is appropriate access control strategies. Access controls exist in all areas of an information systems (IS) infrastructure (more commonly referred to as an IT infrastructure), but a defense-in-depth strategy goes beyond access control. It also considers software development security, cryptography, and physical security. Figure 1.1 shows an example of the defense-in-depth concept.
FIGURE 1.1 Defense in depth
Separation of duties is a preventive administrative control to keep in mind when designing an organization’s authentication and authorization policies. Separation of duties prevents fraud by distributing tasks and their associated rights and privileges between more than one user. It helps to deter fraud and collusion because when an organization implements adequate separation of duties, collusion between two or more personnel would be required to carry out fraud against the organization. A good example of separation of duties is authorizing one person to manage backup procedures and another to manage restore procedures.
Separation of duties is associated with dual controls and split knowledge. With dual controls, two or more users are authorized and required to perform certain functions. For example, a retail establishment might require two managers to open the safe. Split knowledge ensures that no single user has all the information to perform a particular task. An example of split knowledge is the military requiring two individuals to each enter a unique combination to authorize missile firing.
Separation of duties ensures that one person is not capable of compromising organizational security. Any activities that are identified as high risk should be divided into individual tasks, which can then be allocated to different personnel or departments.
Let’s look at an example of the violation of separation of duties. An organization’s internal audit department investigates a possible breach of security. One of the auditors interviews three employees.