CCNA Security 210-260 Certification Guide
Glen D. Singh, Michael Vinod, Vijay Anandh
Updated: 2021-06-25 21:11:39
Latest chapter: Leave a review - let other readers know what you think
Cover
Copyright information
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions
Get in touch
Reviews
Exploring Security Threats
Important terms in network security
Threats
Vulnerability
Analyzing vulnerability
Introduction to an attack
Passive attacks
Active attacks
Spoofing attacks
Internet protocol – the heart of internet communication
How is an IP datagram spoofed?
IP spoofing
Scanning
Hijacking an online session
Flooding
ARP spoofing attacks
Mitigating ARP spoofing attacks
The DHCP process
Why DHCP snooping?
Trusted and untrusted sources
Ping of Death
TCP SYN flood attacks
Password attacks
Buffer overflow attacks
Malware
Network security tools
Wireshark
Metasploit
Kali Linux
Summary
Delving into Security Toolkits
Firewall functions
Rules of a firewall
Types of firewall
Packet-filtering firewall/stateless firewall
Circuit-level gateway firewall/stateful firewall
Application-layer firewall
Zone-based firewall
Intrusion prevention system
Intrusion detection system
Virtual Private Network
Benefits of VPN
Site-to-site VPNs
Remote-access VPN
Content security
Content Security Policy
Cisco Email Security Appliance
Cisco IronPort Web Security Appliance
Endpoint security
Summary
Understanding Security Policies
Need for a security policy
Five steps for a security policy
Security policy components
Best example for a security policy – a password policy
How to develop a policy
Risk
Risk analysis
Benefits of risk analysis
Quantitative risk
Qualitative risk
Vulnerability
Weakness in technology
Weakness in configuration
Weakness in a security policy
Threat
Threat consequence
Disclosure
Threat action – exposure
Threat action – interception
Threat action – inference
Threat action – intrusion
Deception
Threat action – masquerade
Threat action – falsification
Threat action – repudiation
Disruption
Threat action – incapacitation
Types of threat
Asset
Why classifying of assets is required
Identifying the asset
Asset accountability
Creating a plan for asset classification
Implementing the plan
Countermeasures
Zones
Planes
Data plane
Control plane
Management plane
Regulatory compliance
Payment Card Industry Data Security Standard (PCI DSS)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act (FISMA)
GLBA
PIPED Act
Data Protection Directive
Digital Millennium Copyright Act (DMCA)
Safe Harbor Act
Summary
Deep Diving into Cryptography
What is cryptography?
Objectives of cryptography
Confidentiality
Data integrity
Authentication
Non-repudiation
Terminologies
Types of encryption
Symmetric encryption
Asymmetric encryption
Types of cipher
Substitution cipher
Transposition cipher
Block ciphers
Stream ciphers
Key
Encryption algorithms
Data Encryption Standard
Triple Data Encryption Standard (3DES)
Advanced Encryption Standard (AES)
Rivest Cipher 4
RSA (Rivest Shamir Adleman)
Hashing algorithms
Message Digest 5 (MD5)
Secure Hashing Algorithm (SHA)
Hashed Message Authentication Code (HMAC)
Cryptographic systems
Digital signature
Secure Sockets Layer (SSL)
Transport Layer Security
Pretty Good Privacy
Public Key Infrastructure
Public Key Infrastructure components
Certificate Authority
Certificate management system
Digital certificate
X.509
Registration Authority (RA)
Putting the components of PKI together
Summary
Implementing the AAA Framework
Components of AAA
Implementing Cisco AAA - authentication
Implementing authentication using local services
Implementing authentication using external services
TACACS+
Configuring TACACS+
Using AAA with TACACS+
RADIUS
Configuring RADIUS
Using AAA with RADIUS
Example of AAA using local authentication
Choosing a protocol between the ACS server and the router
Example of AAA authentication using the TACACS+ server
Command list
Issues with authentication
Encryption
Symmetric encryption
Asymmetric encryption
Implementing Cisco AAA - authorization
Prerequisites for authorization
Configuring method lists for authorization
Different methods of authorization
Configuring the privilege level for AAA authorization
Example of AAA authorization with privilege levels
Implementing Cisco AAA - accounting
Configuring AAA - authorization and accounting
Step 1
Step 2
Step 3
Step 4
Summary
Securing the Control and Management Planes
Introducing the security policy
Phases of secure network life cycle
Initiation phase
Security categorization
Initial risk assessment
Acquisition and development phase
Risk assessment
Requirements analysis of security functions
Cost considerations and reporting
Security control development
Developmental security test and evaluation
Implementation phase
Operations and maintenance phase
Configuration management and control
Continuous monitoring
Disposal phase
Technologies to implement secure management network
Syslog protocol
Facility
Severity
Hostname
Timestamp
Message
Configuring Cisco router for syslog server
Network Time Protocol
Secure Shell (SSH)
Simple Network Management Protocol version 3
SNMP basic terminologies
SNMP view
SNMP group
SNMP user
SNMPv3 lab execution
Planning considerations for secure management
Guidelines for secure management and reporting
Log messaging implementation for security
Control Plane Policing
Implementing class-map
Summary
Protecting Layer 2 Protocols
Layer 2 attack mitigation
Features of the Virtual Local Area Network
VLAN tagging
Features of trunking
Trunking modes
VLAN Trunking Protocol
Spanning Tree Protocol fundamentals
Port states
Steps in implementing STP
Root bridge election
Root port election
Designated port election
Alternative port election
Cisco Discovery Protocol
Layer 2 protection toolkit
Protecting with a BPDU guard
Protecting with root guard
Combating DHCP server spoofing
Mitigating CAM-table overflow attacks
MAC spoofing attack
Port security configuration
Protect
Restrict
Shutdown
LAB: securing Layer 2 switches
Lab-port security
Summary
Protecting the Switch Infrastructure
Private VLANs, VACL, trunking vulnerabilities, port security
What is a private VLAN?
Private VLAN lab
Access Control List
VLAN ACLs (VACLs)
Steps for configuring VACL:
Trunking-related attacks
VLAN hopping
Double-tagging
Summary
Exploring Firewall Technologies
Services offered by the firewall
Static-packet filtering
Circuit-level firewalls
Proxy server
Application server
Network Address Translation
Stateful inspection
Firewalls in a layered defense strategy
Transparent firewall
Application-layer firewalls
Authenticates individuals and not devices
It's more difficult to spoof and implement DoS attacks
Can monitor and filter application data
Logging information in more detail
Working with the application-layer firewall
Application-level proxy server
Typical proxy server deployment
Areas of opportunity
Packet filtering and the OSI model
Summary
Cisco ASA
Cisco ASA portfolio
ASA features
Stateful filtering
Packet filtering
Network Address Translation
Routing
Dynamic Host Configuration Protocol
Virtual Private Network
Botnet filtering
Advanced Malware Protection
Authentication, authorization, and accounting
Class map and policy map
Basic ASA configuration
Viewing the filesystem
Setting a hostname
Setting the clock
Assigning a domain name to the ASA
Securing access to the privilege exec mode
Saving the configurations
Setting a banner
Assigning IP addresses on the interfaces
Setting a default static route
Creating a local user account
Remote access
Setting up SSH
Setting up Telnet
Configuring Port Address Translation
Setting up the Adaptive Security Device Manager
Getting familiar with the ASDM
Summary
Advanced ASA Configuration
Routing on the ASA
Static routing
Configuring static routing using the CLI
Adding a default route using the ASDM
Adding a default route using the CLI
Open Shortest Path First
Configuring OSPF using the CLI
Routing Information Protocol
Configuring RIP using the CLI
Enhanced Interior Gateway Routing Protocol
Configuring EIGRP using the CLI
Device name, passwords, and domain name
Setting banners using the ASDM
Configuring interfaces
System time and Network Time Protocol
Configuring NTP using the CLI
Dynamic Host Configuration Protocol
Configuring DHCP using the CLI
Access control list on the ASA
Types of ACLs
Standard ACL
Applying an ACL on an interface
Extended ACL
Using the ASDM to create ACLs
Global ACL
Object groups
Configuring Object groups using the ASDM
Configuring object groups using the CLI
Service Groups
Creating policies on the ASA
Modular Policy Framework
Creating a policy
Example 1 – Inspecting FTP traffic from Outside to DMZ (using the CLI)
Example 2 – Inspecting FTP traffic from Outside to DMZ (using the ASDM)
Example 3 – Preventing a SYN Flood attack
Advanced NAT configurations
Static NAT
Dynamic NAT
Summary
Configuring Zone-Based Firewalls
Zone-Based Firewall terminologies
Overview of Cisco Common Classification Policy Language
Class maps
Policy maps
Service policy
Configuring a Zone-Based Firewall
Configuring a Cisco IOS router to use Cisco Configuration Professional (CCP)
Using Cisco Configuration Professional (CCP) to configure the Zone-Based Firewall
Verification commands
Using the command-line interface to configure the Zone-Based Firewall
Step 1 – Creating the zones
Step 2 – Identifying traffic by using Class Maps
Step 3 – Defining an action using policy maps
Step 4 – Identifying a zone-pair and creating match to a policy
Step 5 – Assigning the zones to the interfaces
Step 6 – Creating an ACL for access into the DMZ from any source
Summary
IPSec – The Protocol that Drives VPN
Terminologies
Virtual Private Network
Why would you need a VPN?
Confidentiality
What is encryption?
Types of encryption algorithms
Encryption Algorithms
Integrity
How does a device verify the integrity of a message?
Anti-replay
Authentication
Diffie-Hellman (DH)
Tunnel
What is IPSec?
Authentication Header
Encapsulation Security Payload
Modes of IPSec
Authentication header – Transport and tunnel modes
Encapsulating Security Payloads (ESP) – Transport mode and tunnel mode
ISAKMP
Internet Key Exchange
IKE phase 1
IKE phase 2
Summary
Configuring a Site-to-Site VPN
General uses of a site-to-site VPN
Configuring a site-to-site VPN using a Cisco IOS router
Verifying a site-to-site VPN on a Cisco IOS router
Configuring a site-to-site VPN using a Cisco ASA
Verifying a site-to-site VPN on a Cisco ASA
Summary
Configuring a Remote-Access VPN
Using a remote-access VPN
Clientless SSL VPN
AnyConnect SSL VPN
Configuring a clientless remote-access VPN
Verifying the clientless SSL VPN
Configuring a client-based remote-access VPN
Verifying the client-based VPN
Summary
Working with IPS
Terminologies
IDS and IPS
Intrusion Detection Systems
Intrusion Prevention Systems
Types of IDS and IPS
Detecting malicious traffic
Configuring an IPS on a Cisco IOS router
Configuring a Target Value Rating
Configuring an Event Action Override
Configuring an Event Action Filter
Configuring the IPS signatures
Summary
Application and Endpoint Security
Cisco Email Security Appliance (ESA) overview
Incoming mail processing
Outgoing mail processing
Cisco ESA deployment models
Cisco ESA configuration steps
Cisco Web Security Appliance overview
Cisco WSA deployment model
Cisco Cloud Web Security overview
Cisco Cloud Web Security deployment model
BYOD concepts
Mobile Device Management
Introduction to Cisco TrustSec
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think