CCNA Security Exam Cram (Exam IINS 640-553)

by: Eric Stewart

On-line Price: $31.95 (includes GST)
Retail Price: $39.95
You save: $8.00 (20% off retail price)

Paperback, 552 pages

Usually ships within 4 - 5 business days.
N.Sydney: On Order

Publisher: QUE, 24.11.08
Category: CCNA
ISBN: 0789738007
ISBN13: 9780789738004
Features and Benefits

Get certified on the all-new CCNA Security certification from Cisco with the most popular late-stage study product from Exam Cram.

Master all the objectives in the CCNA Security IINS exam 640-553.
Use the popular collection of exam strategies, practice exams and lab exercises, including the Cram Sheet, that have made Exam Cram the most popular late-stage study tool for IT certifications.
Written by expert trainers with years of experience in preparing students for Cisco exams.


Table of Contents

Introduction
  Organization and Elements of This Book
  Contacting the Author

Self Assessment
  Who Is a CCNA Security?
  The Ideal CCNA Security Candidate
  Put Yourself to the Test
  Exam Topics for 640-553 IINS (Implementing Cisco IOS Network Security)
  Strategy for Using This Exam Cram

Part I: Network Security Architecture

Chapter 1: Network Insecurity
  Exploring Network Security Basics and the Need for Network Security
    The Threats
    Other Reasons for Network Insecurity
    The CIA Triad
    Data Classification
    Security Controls
    Incident Response
    Laws and Ethics
  Exploring the Taxonomy of Network Attacks
    Adversaries
    How Do Hackers Think?
    Concepts of Defense in Depth
    IP Spoofing Attacks
    Attacks Against Confidentiality
    Attacks Against Integrity
    Attacks Against Availability
  Best Practices to Thwart Network Attacks
    Administrative Controls
    Technical Controls
    Physical Controls
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 2: Building a Secure Network Using Security Controls
  Defining Operations Security Needs
    Cisco System Development Life Cycle for Secure Networks
    Operations Security Principles
    Network Security Testing
    Disaster Recovery and Business Continuity Planning
  Establishing a Comprehensive Network Security Policy
    Defining Assets
    The Need for a Security Policy
    Policies
    Standards, Guidelines, and Procedures
    Who Is Responsible for the Security Policy?
    Risk Management
      Principles of Secure Network Design
  Examining Cisco's Model of the Self-Defending Network
    Where Is the Network Perimeter?
    Building a Cisco Self-Defending Network
    Components of the Cisco Self-Defending Network
    Cisco Integrated Security Portfolio
  Exam Prep Questions
  Answers to Exam Prep Questions

Part II: Perimeter Security

Chapter 3: Security at the Network Perimeter
  Cisco IOS Security Features
    Where Do You Deploy an IOS Router?
    Cisco ISR Family and Features
  Securing Administrative Access to Cisco Routers
    Review Line Interfaces
    Password Best Practices
    Configuring Passwords
    Setting Multiple Privilege Levels
    Configuring Role-Based Access to the CLI
    Configuring the Cisco IOS Resilient Configuration Feature
    Protecting Virtual Logins from Attack
    Configuring Banner Messages
  Introducing Cisco SDM
    Files Required to Run Cisco SDM from the Router
    Using Cisco SDM Express
    Launching Cisco SDM
    Cisco SDM Smart Wizards
    Advanced Configuration with SDM
    Cisco SDM Monitor Mode
  Configuring Local Database AAA on a Cisco Router
    Authentication, Authorization, and Accounting (AAA)
    Two Reasons for Implementing AAA on Cisco Routers
    Cisco's Implementation of AAA for Cisco Routers
    Tasks to Configure Local Database AAA on a Cisco Router
    Additional Local Database AAA CLI Commands
  Configuring External AAA on a Cisco Router Using Cisco Secure ACS
    Why Use Cisco Secure ACS?
    Cisco Secure ACS Features
    Cisco Secure ACS for Windows Installation Requirements
    Cisco Secure ACS Solution Engine and Cisco Secure ACS Express 5.0 Comparison
    TACACS+ or RADIUS?
    Prerequisites for Cisco Secure ACS
    Three Main Tasks for Setting Up External AAA
    Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+
    AAA Configuration Snapshot
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 4: Implementing Secure Management and Hardening the Router
  Planning for Secure Management and Reporting
    What to Log
    How to Log
    Reference Architecture for Secure Management and Reporting
    Secure Management and Reporting Guidelines
    Logging with Syslog
    Cisco Security MARS
    Where to Send Log Messages
    Log Message Levels
    Log Message Format
    Enabling Syslog Logging in SDM
    Using SNMP
    Configuring the SSH Daemon
    Configuring Time Features
  Using Cisco SDM and CLI Tools to Lock Down the Router
    Router Services and Interface Vulnerabilities
    Performing a Security Audit
  Exam Prep Questions
  Answers to Exam Prep Questions

Part III: Augmenting Depth of Defense

Chapter 5: Using Cisco IOS Firewalls to Implement a Network Security Policy
  Examining and Defining Firewall Technologies
    What Is a Firewall?
    Characteristics of a Firewall
    Firewall Advantages
    Firewall Disadvantages
    Role of Firewalls in a Layered Defense Strategy
    Types of Firewalls
    Cisco Family of Firewalls
    Firewall Implementation Best Practices
  Creating Static Packet Filters with ACLs
    Threat Mitigation with ACLs
    Inbound Versus Outbound
    Identifying ACLs
    ACL Examples Using the CLI
    ACL Guidelines
    Using the Cisco SDM to Configure ACLs
    Using ACLs to Filter Network Services
    Using ACLs to Mitigate IP Address Spoofing Attacks
    Using ACLs to Filter Other Common Services
  Cisco Zone-Based Policy Firewall Fundamentals
    Advantages of ZPF
    Features of ZPF
    ZPF Actions
    Zone Behavior
    Using the Cisco SDM Basic Firewall Wizard to Configure ZPF
    Manually Configuring ZPF with the Cisco SDM
    Monitoring ZPF
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 6: Introducing Cryptographic Services
  Cryptology Overview
    Cryptanalysis
    Encryption Algorithm (Cipher) Desirable Features
    Symmetric Key Versus Asymmetric Key Encryption Algorithms
    Block Versus Stream Ciphers
    Which Encryption Algorithm Do I Choose?
    Cryptographic Hashing Algorithms
    Principles of Key Management
    Other Key Considerations
    SSL VPNs
  Exploring Symmetric Key Encryption
    DES
    3DES
    AES
    SEAL
    Rivest Ciphers (RC)
  Exploring Cryptographic Hashing Algorithms and Digital Signatures
    HMACs
    Message Digest 5 (MD5)
    Secure Hashing Algorithm 1 (SHA-1)
    Digital Signatures
  Exploring Asymmetric Key Encryption and Public Key Infrastructure
    Encryption with Asymmetric Keys
    Authentication with Asymmetric Keys
    Public Key Infrastructure Overview
    PKI Topologies
    PKI and Usage Keys
    PKI Server Offload and Registration Authorities (RAs)
    PKI Standards
    Certificate Enrollment Process
    Certificate-Based Authentication
    Certificate Applications
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 7: Virtual Private Networks with IPsec
  Overview of VPN Technology
    Cisco VPN Products
    VPN Benefits
    Site-to-Site VPNs
    Remote-Access VPNs
    Cisco IOS SSL VPN
    Cisco VPN Product Positioning
    VPN Clients
    Hardware-Accelerated Encryption
    IPsec Compared to SSL
  Conceptualizing a Site-to-Site IPsec VPN
    IPsec Components
    IPsec Strengths
    Constructing a VPN: Putting It Together
  Implementing IPsec on a Site-to-Site VPN Using the CLI
    Step 1: Ensure That Existing ACLs Are Compatible with the IPsec VPN
    Step 2: Create ISAKMP (IKE Phase I) Policy Set(s)
    Step 3: Configure IPsec Transform Set(s)
    Step 4: Create Crypto ACL Defining Traffic in the IPsec VPN
    Step 5: Create and Apply the Crypto Map (IPsec Tunnel Interface)
    Verifying and Troubleshooting the IPsec VPN Using the CLI
  Implementing IPsec on a Site-to-Site VPN Using Cisco SDM
    Site-to-Site VPN Wizard Using Quick Setup
    Site-to-Site VPN Wizard Using Step-by-Step Setup
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 8: Network Security Using Cisco IOS IPS
  Exploring IPS Technologies
    IDS Versus IPS
    IDS and IPS Categories
    IPS Attack Responses
    Event Management and Monitoring
    Host IPS
    Network IPS
    HIPS and Network IPS Comparison
    Cisco IPS Appliances
    IDS and IPS Signatures
    Signature Alarms
    Best Practices for IPS Configuration
  Implementing Cisco IOS IPS
    Cisco IOS IPS Feature Blend
    Cisco IOS IPS Primary Benefits
    Cisco IOS IPS Signature Integration
    Configuring Cisco IOS IPS with the Cisco SDM
    Cisco IOS IPS CLI Configuration
    Configuring IPS Signatures
    SDEE and Syslog Logging Protocol Support
    Verifying IOS IPS Operation
  Exam Prep Questions
  Answers to Exam Prep Questions

Part IV: Security Inside the Perimeter

Chapter 9: Introduction to Endpoint, SAN, and Voice Security
  Introducing Endpoint Security
    Cisco's Host Security Strategy
    Securing Software
    Endpoint Attacks
    Cisco Solutions to Secure Systems and Thwart Endpoint Attacks
    Endpoint Best Practices
  Exploring SAN Security
    SAN Advantages
    SAN Technologies
    SAN Address Vulnerabilities
    Virtual SANs (VSANs)
    SAN Security Strategies
  Exploring Voice Security
    VoIP Components
    Threats to VoIP Endpoints
    Fraud
    SIP Vulnerabilities
    Mitigating VoIP Hacking
  Exam Prep Questions
  Answers to Exam Prep Questions

Chapter 10: Protecting Switch Infrastructure
  VLAN Hopping Attacks
    VLAN Hopping by Rogue Trunk
    VLAN Hopping by Double-Tagging
  STP Manipulation Attack
    STP Manipulation Attack Mitigation: Portfast
    STP Manipulation Attack Mitigation: BPDU Guard
    STP Manipulation Attack Mitigation: Root Guard
  CAM Table Overflow Attack
    CAM Table Overflow Attack Mitigation: Port Security
  MAC Address Spoofing Attack
    MAC Address Spoofing Attack Mitigation: Port Security
  Configuring Port Security
    Port Security Basic Settings
    Port Security Optional Settings
    Port Security Verification
  Miscellaneous Switch Security Features
    Intrusion Notification
    Switched Port Analyzer (SPAN)
    Storm Control
  Switch Security Best Practices
  Exam Prep Questions
  Answers to Exam Prep Questions

Part V: Practice Exams and Answers
  Practice Exam 1
  Answers to Practice Exam 1
  Practice Exam 2
  Answers to Practice Exam 2

Part VI: Appendixes
  Appendix A: What's on the CD-ROM
  Appendix B: Need to Know More?

TOC, 0789738007, 10/3/08


Preface

Introduction
Welcome to CCNA Security Exam Cram! The fact that you are reading this means that you are interested in the CCNA Security certification that Cisco announced in July of 2008. Cisco has done a thorough job of revamping the certification path for the Cisco Certified Security Professional (CCSP), with the CCNA Security certification being the cornerstone upon which the CCSP certification depends. Implementing Cisco IOS Network Security (IINS) is the recommended training course for CCNA Security certification. If you already hold the prerequisite valid CCNA certification, passing the 640-553 IINS exam enables you to obtain the CCNA Security certification, likely to become one of the hottest certifications in IT. This book helps prepare you for that exam. The book assumes that you already have your CCNA certification or an equivalent level of knowledge. If you do not have a CCNA level of knowledge, you should consider putting down this book and first pursuing more robust fundamental training, such as a full CCNA course book or a recommended CCNA course. And remember that CCNA is a prerequisite to CCNA Security certification.

This book is a synthesized, distilled, and pared-down effort, with only enough information as is necessary to provide context for the information you need to pass the exam. This is not to say that this book is not a good read, but it is a fair reflection of the type of material that you will need to master in order to be successful with the exam. Read this book, understand the material, and drill yourself with the practice exams, and you stand a very good chance of passing the exam. That said, it's possible that in the course of working through this book, depending on your prior CCNA Security training or on-the-job experience, you might identify topics you are struggling with that require you to look up more fundamental resources. This book discusses all the topics on the exam and tests you on all of them, but it does not always provide detailed coverage of all those topics.

Organization and Elements of This Book
When designing a secure network infrastructure, the workflow moves from the perimeter of the network to the inside of the network. After the perimeter is properly secured, the security architect can turn his or her attention to securing devices on the inside of the network perimeter where the endpoints reside. This structured approach is mimicked in the basic organization of this book.

The chapters of this book are organized into four major parts, with each part encapsulating a major idea in the field of network security:

Part I: Network Security Architecture

Part II: Perimeter Security

Part III: Augmenting Depth of Defense

Part IV: Security Inside the Perimeter

You can use this book's organization to your advantage while studying for the CCNA Security 640-553 IINS exam because each part of the book is self-contained. Although it is recommended that you follow the parts sequentially, there are frequent cross-references to content contained in other chapters if you choose to follow your own path through this book.

Each chapter follows a uniform structure, with graphical cues about especially important or useful material. The structure of a typical chapter is as follows:

Terms You'll Need to Understand: Each chapter begins with a list of the terms you'll need to understand, which define the concepts that you'll need to master before you can be fully conversant with the chapter's subject matter.

Exam Topics Covered in This Chapter: Cisco publishes a list of exam topics for the 640-553 IINS exam. Each chapter of this book begins by listing the exam topics covered in that chapter. See the following 'Self Assessment' element for a complete list of the topics and the chapters where they are covered.

Exam Alerts: Throughout the topical coverage, Exam Alerts highlight material most likely to appear on the exam by using a special layout that looks like this:

--------------------------------------------------------------------------------

Warning - This is what an Exam Alert looks like. An Exam Alert stresses concepts, terms, or activities that will most likely appear in one or more certification exam questions. For that reason, any information found offset in Exam Alert format is worthy of unusual attentiveness on your part.

--------------------------------------------------------------------------------

Even if material isn't flagged as an Exam Alert, all content in this book is associated in some way with test-related material. What appears in the chapter content is critical knowledge.

Notes: This book is an overall examination of basic Cisco network security concepts and practice. As such, there are a number of side excursions into other aspects of network security and prerequisite networking knowledge. So that these do not distract from the topic at hand, this material is placed in notes.

--------------------------------------------------------------------------------

Note - Cramming for an exam will get you through a test, but it won't make you a competent network security practitioner. Although you can memorize just the facts you need to become certified, your daily work in the field will rapidly put you in water over your head if you don't know the underlying principles behind a Cisco Self-Defending Network.

--------------------------------------------------------------------------------

Practice Questions: This section presents a short list of test questions (most chapters have 10 of these) related to the specific chapter topics. Each question has a follow-on explanation of both correct and incorrect answers. This is very important, because it is more important to know why you were wrong. Computers are binary and will accept right or wrong as answers, but we aren't, so we don't!

In addition to the topical chapters, this book also provides the following:

Practice Exams: Part V contains the sample tests that are a very close approximation of the types of questions you are likely to see on the current CCNA Security exam.

Answer Keys for Practice Exams: Part V also contains detailed answers to the practice exam questions. Like the questions at the end of the chapters, these explain both the correct answers and the incorrect answers and are therefore very helpful to go through thoroughly as you grade your practice exam. Knowing the topics you struggle with and why you got a question wrong is crucial.

Cram Sheet: This appears as a tear-away sheet inside the front cover of the book. It is a valuable tool that represents a collection of the most difficult-to-remember facts and numbers that the author thinks you should memorize before taking the test.

CD: The CD that accompanies this book features an innovative practice test engine powered by MeasureUp, including 100 practice questions. The practice exam contains question types covering all the topics on the CCNA Security exam, providing you with a challenging and realistic exam simulation environment.

Contacting the Author
I've tried to create a real-world tool and clearly written book that you can use to prepare for and pass the CCNA Security certification exam. That said, I am interested in any feedback that you have that might help make this Exam Cram better for future test-takers. Constructive and reasonable criticism is always welcome and will most certainly be responded to. You can contact the publisher, or you can reach me by email at eric@breezy.ca.

Please also share your exam experience. Did this book help you pass this exam? Did you feel better prepared after you read the book? Was it a confidence booster? Would you recommend this book to your colleagues?

Thanks for choosing me as your personal trainer, and enjoy the book!

-Eric Stewart

Copyright Pearson Education. All rights reserved.


About the Author

Eric Stewart is a self-employed network security contractor who finds his home in Ottawa, Canada. Trained as a computer engineer at the Royal Military College, and later in computer science and economics at Carleton University, Eric has over 20 years of experience in the information technology field, the last 12 years focusing primarily on Cisco Systems routers, switches, VPN concentrators, and security appliances. He likes to divide his time evenly between his two great loves in the field: teaching and doing! The majority of Eric's consulting work has been in the implementation of major security infrastructure initiatives and architectural reviews with the Canadian Federal Government, working at such departments as Foreign Affairs and International Trade (DFAIT) and the Canadian Air Transport Security Authority (CATSA). A Cisco Certified Systems Instructor (CCSI), he especially enjoys imparting the joy that he takes in his work to his students, as he will often be found enthusiastically teaching Cisco CCNA, CCNP, and CCSP curriculum to students throughout North America and the world.

His previous work with Cisco Press has been as the development editor for two titles, Authorized CCDA Self-Study Guide: Designing for Cisco Internetwork Solutions (DESGN) (Exam 640-863) and Router Security Strategies: Securing IP Network Traffic Planes.

Eric has a lovely wife, Carol Ann, who is an accomplished music teacher, as well as two teenage children, Scott and Meaghan.