Foundation Summary

The "Foundation Summary" section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CCDA exam, a well-prepared CCDA candidate should at a minimum know all the details in each "Foundation Summary" before taking the exam.

The CCDA exam requires that you be familiar with the following topics covered in this chapter:

■ Critical components of the Self-Defending Network:

— Trust and identity management—Securing critical assets

— Threat defense—Responding to the effects of security outbreaks

— Secure connectivity—Ensuring privacy and confidentiality of data communications

■ Cisco Self-Defending Network phases:

— Integrated security—Security throughout the existing infrastructure in which each network device acts as a point of defense

— Collaborative security—Security components that work with an organization's security policies

— Adaptive threat defense—Tools used to defend against security threats and varying network conditions

■ Trust and identity technologies:

— Access control lists—ACLs are used on routers, switches, and firewalls to control access

— Firewall—A security device designed to permit or deny network traffic based on source address, destination address, protocol, and port

— Network Admission Control (NAC)—Protects the network from threats by enforcing security compliance on all devices attempting to access the network

— 802.1X—An IEEE media-level access control standard that permits and denies access to the network and applies traffic policy based on identity

— Cisco Identity-Based Network Services (IBNS)—Based on several integrated Cisco solutions to enable authentication, access control, and user policies to secure network infrastructure and resources

■ Threat detection and mitigation technologies:

— PIX—Firewall appliances

— FWSM—Catalyst 6500 Firewall Services Module

— ASA—Adaptive Security Appliance (Robust firewall and/or network-based intrusion prevention system [NIPS])

— IOS firewall—Cisco IOS Software feature set

— IPS sensor appliance (NIPS)

— IPS—Intrusion prevention system (IOS feature)

— NetFlow—Stats on packets flowing through router (IOS feature)

— SNMP—Simple Network Management Protocol (IOS feature)

— MARS—Monitoring, Analysis, and Response System

— Cisco Traffic Anomaly Detector Module detects high-speed denial-of-service attacks

■ Security management solutions:

— Cisco Security Manager (CSM) is an integrated solution for configuration management of firewall, VPN, router, switch module, and IPS devices.

— Cisco Secure Access Control Server (ACS) provides centralized control for administrative access to Cisco devices and security applications.

— Cisco Security Monitoring, Analysis, and Response System (MARS) is an appliance-based solution for network security administrators to monitor, identify, isolate, and respond to security threats.

— Management Center for CSA (CSA MC) is an SSL web-based tool for managing Cisco Security Agent configurations.

— Cisco Router and Security Device Manager (SDM) is a web-based tool for routers and supports a wide range of IOS software.

— Cisco Adaptive Security Device Manager (ASDM) is a web-based tool for managing Cisco ASA 5500 series appliances, PIX 500 series appliances (version 7.0 or higher), and Cisco Catalyst 6500 Firewall Services Modules (FWSM version 3.1 or higher).

— Cisco Intrusion Prevention System Device Manager (IDM) is a web-based application that configures and manages IPS sensors.

■ Integrating security:

— Cisco IOS Firewall

— Cisco IOS trust and identity

— Cisco IOS Routers and Switches

— Adaptive Security Appliance (ASA)

— PIX security appliance

— VPN concentrator

— Catalyst 6500 series service modules

— Endpoint Security

■ Securing the enterprise:

— Identity and access control—802.1X, NAC, ACLs, and firewalls

— Threat detection and mitigation—NetFlow, Syslog, SNMP, RMON, CS-MARS, NIPS, and HIPS

— Infrastructure protection—AAA, TACACS, RADIUS, SSH, SNMP v3, IGP/EGP MD5, and Layer 2 security features

— Security management—CSM, CS-MARS, and ACS


As mentioned in the Introduction, you have two choices for review questions: here in the book or the exam questions on the CD-ROM. The answers to these questions appear in Appendix A.

For more practice with exam format questions, use the exam engine on the CD-ROM.

1. What security device combines IOS Firewall with VPN and IPS services?

c. Cisco Catalyst switches

d. IPS

2. What is a standards-based protocol for authenticating network clients?

3. Cisco ________ Framework is an integrated solution led by Cisco that incorporates the network infrastructure and third-party software to impose security policy on attached endpoints.

4. What is an appliance-based solution for network security administrators to monitor, identify, isolate, and respond to security threats? (Select the best answer.)



5. Cisco IOS Trust and Identity has a set of services that include which of the following? (Select all that apply.)


6. True or false: SSH provides unencrypted router access.

7. Cisco IOS ________ offers data encryption at the IP packet level using a set of standards-based protocols.

8. True or false: PKI provides strong authentication for e-commerce applications.

9. What provides hardware VPN encryption for terminating a large number of VPN tunnels for ISRs?


b. IDS Network Module

c. Network Analysis Module

d. High-Performance AIM

10. True or false: Integrated Content Module for 2800/3800 series routers captures traffic flows from hosts and allows detailed network analysis.

11. True or false: Cisco VPN 3000 concentrators provide robust firewall servers for users and application policy enforcement, attack protection, and security VPN connectivity services.

12. Which of the following services modules do Cisco Catalyst 6500 switches support? (Select all that apply.)


b. IDSM2

c. VPN3000

13. What provides attack responses by blocking malicious traffic with Gbps line rates?

a. Network Analysis Module

b. Anomaly Guard Module

c. Content Switch Module

d. Traffic Anomaly Detector Module

14. Which of the following are identity and access control protocols and mechanisms? (Select all that apply.)

d. NetFlow

15. True or false: The Cisco Security Agent protects server and desktop endpoints from the latest threats caused by malicious network attacks.

16. What SSL web-based tool is used to manage Cisco Security Agent configurations?


17. True or false: IDM is a web-based application that configures and manages IPS sensors.

18. True or false: NetFlow is used for threat detection and mitigation.

19. Which of the following is not one of the phases of the Cisco Self-Defending Network?

a. Integrated Security

b. Collaborative Security

c. Network Admission Control

d. Adaptive Threat Defense

20. True or false: Cisco ASAs, PIX security appliances, FWSM, and IOS firewall are part of Infection Containment.

21. What IOS feature offers inline deep-packet inspection to successfully diminish a wide range of network attacks?



22. The 4200 ________ sensor appliances can identify, analyze, and block unwanted traffic from flowing on the network.

23. What provides centralized control for administrative access to Cisco devices and security applications?


24. True or false: ASDM provides management of Cisco ASAs, PIX, and FWSMs.

25. True or false: IPS 4255 delivers 10000 Mbps of performance and can be used to protect partially utilized Gigabit connected subnets.

26. True or false: FWSM is a high-speed firewall module for use in the Cisco Catalyst 6500 and 7600 series routers.

27. Match each protocol, mechanism, or feature with its security grouping:


iii. NetFlow

iv. NAC

a. Identity and access control

b. Threat detection and mitigation

c. Infrastructure protection

d. Security management
