xxxiOverview of the Cisco Certification Process The network security market is currently in a position where the demand for qualified engineers vastly surpasses the supply.. Although a p
Trang 1xxxi
Overview of the Cisco Certification Process
The network security market is currently in a position where the demand for qualified engineers vastly surpasses the supply For this reason, many engineers consider migrating from routing/ networking over to network security Remember that “network security” is just “security” applied
to “networks.” This sounds like an obvious concept, but it is actually a very important one if you are pursuing your security certification You must be very familiar with networking before you can begin to apply the security concepts Although a previous Cisco certification is not required to begin the Cisco security certification process, it is a good idea to at least complete the CCNA certification The skills required to complete the CCNA will give you a solid foundation that you can expand into the network security field
The security certification is called Cisco Certified Security Professional (CCSP) and consists of the following exams:
■ CSVPN—Cisco Secure Virtual Private Networks (642-511)
■ CSPFA—Cisco Secure PIX Firewall Advanced (642-521)
■ SECUR—Securing Cisco IOS Networks (642-501)
14 Configure a Cisco Router for
IPSec Using Preshared Keys
VPNs using IPSec and Cisco IOS firewalls are discussed in Chapter 17.
15 Verify the IKE and IPSec
Configuration
The steps required to verify the configuration of IKE and IPSec are referenced in Chapter 17.
16 Explain the issues Regarding
Configuring IPSec Manually and Using RSA-Encrypted Nonces
The implementation of IPSec using RSA-encrypted nonces is discussed in Chapter 17.
17 Advanced IPSec VPNs Using
Cisco Routers and CAs
Configuring VPNs using a certificate authority for peer authentication is a very scalable method for building multiple VPNs This type of configuration is discussed in Chapter 18.
18 Describe the Easy VPN Server The Easy VPN Server is defined in Chapter 19 The
configuration steps for building VPNs using Easy VPN Server are also covered in this chapter.
19 Managing Enterprise VPN
Routers
The products used to centrally manage an enterprise-level VPN using Cisco VPN routers are discussed in Chapter 20.
Table I-1 SECUR Foundation Topics and Descriptions (Continued)
Reference
Trang 2The requirements for and explanation of the CCSP certification are outlined at the Cisco Systems
website Go to Cisco.com, click Learning & Events>Career Certifications and Paths.
Taking the SECUR Certification Exam
As with any Cisco certification exam, it is best to be thoroughly prepared before taking the exam There is no way to determine exactly what questions are on the exam, so the best way to prepare is
to have a good working knowledge of all subjects covered on the exam Schedule yourself for the exam and be sure to be rested and ready to focus when taking the exam
The best place to find out the latest available Cisco training and certifications is http://
www.cisco.com/en/US/learning/index.html
Tracking CCSP Status
You can track your certification progress by checking https://www.certmanager.net/~cisco_s/ login.html You will need to create an account the first time you log on to the site
How to Prepare for an Exam
The best way to prepare for any certification exam is to use a combination of the preparation re-sources, labs, and practice tests This guide has integrated some practice questions and labs to help you better prepare If possible, you want to get some hands-on time with the Cisco IOS routers There is no substitute for experience, and it is much easier to understand the commands and con-cepts when you can actually work with the Cisco IOS router If you do not have access to a Cisco IOS router, you can choose from among a variety of simulation packages available for a reasonable price Last, but certainly not least, Cisco.com provides a wealth of information about the Cisco IOS Software, and all the products that operate using Cisco IOS Software and the products that interact with Cisco routers No single source can adequately prepare you for the SECUR exam unless you already have extensive experience with Cisco products and a background in networking or network security At a minimum you will want to use this book combined with the Technical Assistance Center (http://www.cisco.com/public/support/tac/home.shtml) to prepare for this exam
Assessing Exam Readiness
After completing a number of certification exams, I have found that you don’t really know if you’re adequately prepared for the exam until you have completed about 30 percent of the questions At this point, if you aren’t prepared it’s too late The best way to determine your readiness is to work through the “Do I Know This Already?” portions of the book, the review questions in the “Q&A”
Trang 3xxxiii
sections at the end of each chapter, and the case studies/scenarios It is best to work your way through the entire book unless you can complete each subject without having to do any research or look up any answers
Cisco Security Specialist in the Real World
Cisco has one of the most recognized names on the Internet You cannot go into a data center or server room without seeing some Cisco equipment Cisco-certified security specialists are able
to bring quite a bit of knowledge to the table due to their deep understanding of the relationship between networking and network security This is why the Cisco certification carries such clout Cisco certifications demonstrate to potential employers and contract holders a certain professional-ism and the dedication required to complete a goal Face it, if these certifications were easy to acquire, everyone would have them
Cisco IOS Software Commands
A firewall or router is not normally something to play with That is to say that once you have it properly configured, you will tend to leave it alone until there is a problem or you need to make some
other configuration change This is the reason that the question mark (?) is probably the most widely
used Cisco IOS Software command Unless you have constant exposure to this equipment it can be difficult to remember the numerous commands required to configure devices and troubleshoot
problems Most engineers remember enough to go in the right direction but will use the ? to help
them use the correct syntax This is life in the real world Unfortunately, the question mark is not
always available in the testing environment Many questions on this exam require you to select the best command to perform a certain function It is extremely important that you familiarize yourself with the different commands and their respective functions
This book follows the Cisco Systems, Inc., conventions for citing command syntax:
■ Boldface indicates the command or keyword that is entered by the user literally as shown
■ Italics indicate arguments for the command or option for which the user supplies a value.
■ Vertical bars/pipe symbol ( | ) separate alternative, mutually exclusive, command options That
is, the user can enter one and only one of the options divided by the pipe symbol
■ Square brackets ([ ]) indicate optional elements for the command
■ Braces ( { } ) indicate a required option for the command The user must enter this option
■ Braces within brackets ( [{ }] ) indicate a required choice if the user implements the optional element for the command
Trang 4when assigning network segments in this book Note that the address space we have selected is all reserved space per RFC 1918 We understand that these addresses are not routable across the Internet and are not normally used on outside interfaces Even with the millions of IP addresses available on the Internet, there is a slight chance that we could have chosen to use an address that the owner did not want published in this book
Figure I-2 Addressing for Examples
It is our hope that this will assist you in understanding the examples and the syntax of the many commands required to configure and administer Cisco IOS routers
Exam Registration
The SECUR exam is a computer-based exam, with multiple-choice, fill-in-the-blank, list-in-order, and simulation-based questions.You can take the exam at any Pearson VUE (http://www.pearsonvue.com)
or Prometric (http://www.2test.com) testing center Your testing center can tell you the exact length
of the exam Be aware that when you register for the exam, you might be told to allow a certain amount of time to take the exam that is longer than the testing time indicated by the testing software when you begin This is because VUE and Prometric want you to allow for some time to get settled and take the tutorial about the testing engine
Book Content Updates
Because Cisco Systems will occasionally update exam objectives without notice, Cisco Press may post additional preparatory content on the web page associated with this book at
http://www.ciscopress.com/1587200899 It’s a good idea to check the website a couple of weeks before taking your exam, to review any updated content that may be posted online We also recommend that you periodically check back to this page on the Cisco Press website to view any errata or supporting book files that may be available
DMZ 172.16.1.0/24
Inside 10.10.10.0/24
Outside 192.168.0.0/15
(or any public space)
Internet
Trang 6PART I: An Overview of Network Security
Chapter 1 Network Security Essentials
Chapter 2 Attack Threats Defined and Detailed
Chapter 3 Defense in Depth
Trang 7Although Cisco has not defined specific exam objectives that apply to this part of the book, it
is imperative that you have an in-depth understanding of network security principles This part
is designed to give you the foundation you need to fully grasp the topics covered remaining parts
of the book
Trang 8This chapter covers the following subjects:
■ Definition of Network Security
■ Balancing Business Need with Security Requirement
■ Security Policies
■ Network Security as a Process
■ Network Security as a Legal Issue
Trang 9C H A P T E R 1
Network Security Essentials
The term network security defines a broad range of complex subjects To understand the
individual subjects and how they relate to each other, it is important for you to first look at the big picture and get an understanding of the importance of the entire concept Ask yourself why you lock the door to your home The answer is likely that you do not want someone to walk in and steal your stuff You can think of network security in much the same fashion Security is applied to your network to prevent unauthorized intrusions and theft or damage of property In this case the “property” is “data.” In this information age, data has become a very valuable commodity with both public and private organizations making the security of their assets a very high priority
“Do I Know This Already?” Quiz
The purpose of the “Do I Know This Already?” quiz is to help you decide whether you really need to read the entire chapter If you already intend to read the entire chapter, you do not necessarily need to answer these questions now
The 11-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time
Table 1-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics
Table 1-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section Questions Covered in This Section
Definition of Network Security 11 Balancing the Business Need with the Security Requirement
9
Security Policies 1, 2, 3, 5, 6, 7, 10 Network Security as a Process 4
Network Security as a Legal Issue 8
Trang 101. Which of the following should be included in the security policy?
a. Capabilities of the firewall
b. Manufacturer of the firewall
c. User responsibilities
d. Sanctions for violating the policy
e. A network diagram
f. Routing protocols used
2. Which of the following employees should have access to a copy of the security policy?
a. Managers
b. Network engineers
c. Human resources
d. Temporary employees
e. All employees
3. Which of the following is true about a security policy?
a. The policy should require testing
b. The policy should not be revealed to the general public
c. Cisco equipment should be specified
d. The policy is a business document, not a technical document
e. The policy should be changed every six months
4. Which of the following are acts directed by “the security wheel”?
a. Configuring
b. Securing
c. Implementation
d. Testing
e. Monitoring and responding
you should mark this question wrong for purposes of the self-assessment Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security
Trang 11“Do I Know This Already?” Quiz 7
5. Which of the following are benefits of a security policy?
a. Leads to stability of the network
b. Allows management to bypass security efforts
c. Allows the technical team to have an unlimited budget
d. Enables users to know the consequences of their actions
e. Informs the user of how to break into systems
6. What are reasons for implementing a security policy?
f. Enables management to judge the effectiveness of security efforts
g. Enables the technical team to understand their goals
h. Enables users to browse the web without fear of getting a virus
i. Enables management to justify a larger technical team
j. Lessens costs due to network downtime
7. True or False: The security policy is a document that is designed to allow the business to participate in certain electronic communications?
a. True
b. False
8. Choose the six main goals of security policy:
a. Guides the technical team in purchasing equipment
b. Guides the technical team in choosing their equipment
c. Guides the technical team in configuring the equipment
d. Gains management approval for new personnel
e. Defines the use of the best-available technology
f. Defines the responsibilities for users and administrators
g. Defines sanctions for violating the policies
h. Provides a Cisco-centered approach to security
i. Defines responses and escalations to recognized threats
Trang 12b. The business need overrides security.
c. You have to factor security with the Bell-LaPadula Security Model
d. Security isn’t important unless your business is big enough to sue
e. None of the above
10. What IETF RFC governs the Site Security Handbook?
a. RFC 1918
b. RFC 2196
c. RFC 1700
d. RFC 1500
11. True or False: Network security can be achieved by having consultants install firewalls at your network perimeter
a. True
b. False
The answers to the “Do I Know This Already?” quiz are found in the appendix The suggested choices for your next step are as follows:
■ 8 or less overall score—Read the entire chapter This includes the “Foundation Topics” and
“Foundation Summary” sections and the “Q&A” section
■ 9 or 10 overall score—If you want more review on these topics, skip to the “Foundation
Summary” section and then go to the “Q&A” section Otherwise, move on to the next chapter