Contents

Foreword xviii
Introduction xx

Chapter 1 General Networking Topics 3
  "Do I Know This Already?" Quiz 4
  Foundation Topics 14
  Networking Basics—The OSI Reference Model 14
  Layer 1: The Physical Layer 14
  Layer 2: The Data Link Layer 15
  Layer 3: The Network Layer 16
  Layer 4: The Transport Layer 17
  Layer 5: The Session Layer 17
  Layer 6: The Presentation Layer 17
  Layer 7: The Application Layer 18
  TCP/IP and OSI Model Comparison 18
  Example of Peer-to-Peer Communication 19
  Ethernet Overview 20
  Switching and Bridging 22
  Bridge Port States 24
  Fast EtherChannel 25
  Internet Protocol 27
  Variable-Length Subnet Masks 31
  Classless Interdomain Routing 32
  Transmission Control Protocol 34
  TCP Mechanisms 34
  TCP/IP Services 38
  Address Resolution Protocol 38
  Reverse ARP 39
  Dynamic Host Configuration Protocol 40
  Hot Standby Router Protocol 41
  Internet Control Message Protocol 46
  Telnet 47
  File Transfer Protocol and Trivial File Transfer Protocol 47
  Routing Protocols 48
  Routing Information Protocol 52
  Enhanced Interior Gateway Routing Protocol 57
  EIGRP Terminology 57
  EIGRP Configuration Example 59
  Open Shortest Path First 61
  OSPF in a Single Area 62
  Multiple OSPF Areas 64
  Virtual Links 66
  OSPF Configuration Example 66
  Border Gateway Protocol 71
  BGP Attributes 72
  Configuring BGP 74
  Integrated Services Digital Network 75
  Basic Rate and Primary Rate Interfaces 75
  ISDN Framing and Frame Format 76
  ISDN Layer 2 Protocols 76
  High-Level Data Link Control 76
  Point-to-Point Protocol 77
  Cisco IOS ISDN Commands 78
  IP Multicast 79
  Asynchronous Communications and Access Devices 80
  Telephony Best Practices 82
  Wireless Best Practices 84
  Foundation Summary 89
  Wireless Best Practices 95
  Scenario: Routing IP on Cisco Routers 98
  Scenario Answers 100

Chapter 2 Application Protocols 103
  "Do I Know This Already?" Quiz 103
  Foundation Topics 110
  Domain Name System 110
  Trivial File Transfer Protocol 114
  File Transfer Protocol 116
  Active FTP 117
  Passive FTP 118
  Hypertext Transfer Protocol 119
  Secure Sockets Layer 121
  Simple Network Management Protocol 122
  SNMP Notifications 123
  SNMP Examples 128
  Simple Mail Transfer Protocol 128
  Network Time Protocol 130
  Secure Shell and Cisco IOS SSH 133
  Cisco IOS SSH 135
  Remote Data Exchange Protocol 138
  Foundation Summary 140
  Q & A 143
  Scenario: Configuring DNS, TFTP, NTP, and SNMP 145
  Scenario Answers 147

Chapter 3 Cisco IOS Specifics and Security 149
  "Do I Know This Already?" Quiz 149
  Foundation Topics 156
  Cisco Hardware 156
  Random-Access Memory 157
  Nonvolatile RAM 157
  System Flash 157
  Central Processing Unit 158
  Read-Only Memory 159
  Configuration Registers 160
  Cisco Interfaces 163
  Saving and Loading Files 165
  show and debug Commands 166
  Router CLI 166
  show Commands 166
  Debugging Cisco Routers 175
  Password Recovery 182
  Basic Security on Cisco Routers 187
  IP Access Lists 190
  Access Lists on Cisco Routers 190
  Extended Access Lists 196
  Layer 2 Switching Security 199
  CAM Table Overflow 199
  VLAN Hopping 202
  Spanning Tree Protocol Manipulation 204
  MAC Spoofing Attack 205
  DHCP Starvation Attacks 207
  Security Policy Best Practices—A Cisco View 208
  Foundation Summary 210
  Scenario: Configuring Cisco Routers for Passwords and Access Lists 215
  Scenario Answers 217

Chapter 4 Security Protocols 221
  "Do I Know This Already?" Quiz 221
  Foundation Topics 228
  Authentication, Authorization, and Accounting 228
  Authentication 230
  Authorization 230
  Accounting 231
  Remote Authentication Dial-In User Service 232
  RADIUS Configuration Task List 236
  Terminal Access Controller Access Control System Plus 238
  TACACS+ Configuration Task List 241
  TACACS+ Versus RADIUS 245
  Encryption Technology Overview 246
  DES and 3DES 248
  Advanced Encryption Standard 250
  Message Digest 5 and Secure Hash Algorithm 251
  Diffie-Hellman 252
  IP Security 254
  Encapsulating Security Payload 255
  Authentication Header 257
  Internet Key Exchange 258
  Cisco IOS IPSec Configuration 264
  Certificate Enrollment Protocol 272
  Extensible Authentication Protocol, Protected EAP, and Temporal Key Integrity Protocol 272
  Virtual Private Dial-Up Networks (VPDN) 276
  VPDN Configuration Task List 279
  Foundation Summary 282
  Q & A 286
  Scenario: Configuring Cisco Routers for IPSec 288
  Scenario Answers 292

Chapter 5 Cisco Security Applications 297
  "Do I Know This Already?" Quiz 298
  Foundation Topics 301
  Cisco Secure for Windows (NT) and Cisco Secure ACS 301
  Cisco Secure ACS 303
  IDS Fundamentals 303
  Notification Alarms 303
  Signature-Based IDS 304
  Anomaly-Based IDS 305
  Network-Based IDS Versus Host-Based IDS 305
  IDS Placement 305
  IDS Tuning 307
  Cisco Secure Intrusion Detection System and Catalyst Services Modules 309
  Cisco Secure IDS 309
  Cisco Inline IDS (Intrusion Prevention System) 311
  Catalyst Services Module 312
  CiscoWorks VMS 313
  Cisco VPN 3000 Concentrator 314
  Cisco Secure VPN Client 326
  Cisco Router and Security Device Manager 328
  Security Information Monitoring System 331
  Foundation Summary 332
  Q & A 334
  Scenario: Cisco Secure IDS Database Event 335
  Scenario Answers 337

Chapter 6 Security Technologies 341
  "Do I Know This Already?" Quiz 342
  Foundation Topics 351
  Advanced Security Concepts 351
  Network Address Translation and Port Address Translation 355
  NAT Operation on Cisco Routers 358
  Dynamic NAT Configuration Task List 359
  Monitoring NAT Operations with show Commands 360
  Cisco PIX Firewall 361
  Configuring a PIX Firewall 364
  PIX Firewall Configuration Task List 364
  Miscellaneous PIX Firewall Commands 370
  Advanced Cisco PIX Commands 373
  Troubleshooting PIX Firewall Log Files 374
  Cisco PIX Firewall Software Features 376
  Cisco IOS Firewall Feature Set 377
  CBAC Configuration Task List 380
  Public Key Infrastructure 382
  Virtual Private Networks 383
  Network-Based Intrusion Detection Systems 386
  Cisco Security Agent and Host-Based IDS 387
  Cisco Threat Response 391
  Cisco Threat Response IDS Requirements 392
  Authorization Technologies (IOS Authentication 802.1X) 392
  Foundation Summary 395
  Q & A 399
  Scenario: Configuring a Cisco PIX Firewall for NAT 401
  Scenario Answer 402

Chapter 7 Network Security Policies, Vulnerabilities, and Protection 405
  "Do I Know This Already?" Quiz 405
  Foundation Topics 412
  Network Security Policies 412
  Standards Bodies and Incident Response Teams 413
  Incident Response Teams 415
  Internet Newsgroups 416
  Vulnerabilities, Attacks, and Common Exploits 417
  Intrusion Detection System 422
  Protecting Cisco IOS from Intrusion 425
  Foundation Summary 432
  Q & A 435
  Scenario: Defining Cisco IOS Commands to View DoS Attacks in Real Time 436
  Scenario Answers 437

Chapter 8 CCIE Security Self-Study Lab 441
  How to Use This Chapter 442
  Preparing for this Lab 442
  Goal of This Lab 443
  CCIE Security Self-Study Lab Part I Goals 444
  CCIE Security Self-Study Lab Part II Goals 445
  General Lab Guidelines and Setup 445
  Communications Server (0 Points) 448
  Communications Server Solution 448
  CCIE Security Self-Study Lab Part I: Basic Network Connectivity (4 Hours) 450
  Basic Frame Relay Setup (5 Points) 450
  Basic Frame Relay Setup Solution 451
  Physical Connectivity (0 Points) 456
  Catalyst Ethernet Switch Setup I (5 Points) 457
  Catalyst Ethernet Switch Setup I Solution 457
  Catalyst Ethernet Switch Setup II (6 Points) 463
  Catalyst Ethernet Switch Setup II Solution 463
  IP Host Lookup and Disable DNS (1 Point) 464
  IP Host Lookup and Disable DNS Solution 464
  PIX Configuration (6 Points) 465
  PIX Configuration Solution 466
  IGP Routing (18 Points) 470
  Basic RIP Configuration (6 of 18 Points) 470
  EIGRP Configuration (5 of 18 Points) 471
  OSPF Configuration (7 of 18 Points) 475
  Basic ISDN Configuration (6 Points) 484
  Basic ISDN Configuration Solution 485
  DHCP Configuration (3 Points) 490
  DHCP Configuration Solution 491
  BGP Routing Configuration (6 Points) 491
  Basic IBGP Configuration 492
  CCIE Security Self-Study Lab Part II: Advanced Security Design (4 Hours) 495
  IP Access List (4 Points) 495
  IP Access List Solution 496
  Prevent Denial-of-Service Attacks (4 Points) 497
  Prevent Denial-of-Service Attacks Solution 497
  Time-Based Access List (4 Points) 499
  Time-Based Access List Solution 499
  Dynamic Access List/Lock and Key Feature (5 Points) 501
  Dynamic Access List/Lock and Key Feature Solution 501
  Cisco IOS Firewall Configuration on R5 (6 Points) 503
  Cisco IOS Firewall Configuration on R5 Solution 503
  IPSec Configuration (6 Points) 505
  IPSec Configuration Solution 506
  Advanced PIX Configuration (5 Points) 511
  Configuring SSH on the PIX 512
  Configuring the PIX for Intrusion Detection 512
  ACS Configuration (5 Points) 514
  Non-AAA Authentication Methods 514
  Login Authentication Methods 516
  Login Authentication Using TACACS+ 518
  ACS Configuration: Login Authentication Using RADIUS 521
  Cisco Intrusion Detection System (5 Points) 525
  Cisco Intrusion Detection System Solution 527
  Final Configurations 538
  Additional Advanced Lab Topics (No Solutions Provided) 557
  Advanced Security Lab Topics (4 Points) 558
  Content Filtering (2 Points) 558
  FTP Issues (3 Points) 558
  Routing Table Authenticity (4 Points) 558
  Access Control on R2 Ethernet Interface (4 Points) 558
  Conclusion 559

Appendix A Answers to Quiz Questions 561
Appendix B Study Tips for CCIE Security Examinations 625
Appendix C Sample CCIE Routing and Switching Lab I 639
Appendix D Sample CCIE Routing and Switching Lab II 657
Index 671
