Introduction - Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition (2013)

Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition (2013)

Introduction

Network security is a complex and growing area of IT. As the premier provider of network security devices, Cisco Systems is committed to supporting this growing segment of the industry.

This book teaches you how to design, configure, maintain, and audit network security. It focuses on using Cisco IOS routers for protecting the network by capitalizing on their advanced features as a perimeter router, as a firewall, as an intrusion prevention system, and as a site-to-site VPN device. The book also covers the use of Cisco Catalyst switches for basic network security. While covering the topic of authentication, authorization, and accounting (AAA), this book also introduces Cisco Secure Access Control System (ACS). The final chapter also introduces how to use a Cisco Adaptive Security Appliance (ASA) for both clientless and full client remote-access VPNs. At the end of this book, you will be able to select and implement the appropriate Cisco appliances and services required to build flexible and secure networks.

This book provides you with the knowledge necessary to pass your CCNA Security certification (IINS v2.0) because it provides in-depth information to help you prepare for the IINS exam, which grants the CCNA Security certification. It also starts you on the path toward attaining your Cisco Certified Network Professional (CCNP) Security certification.

The commands and configuration examples presented in this book are based on Cisco IOS Releases 15, Cisco ASA 8.4, and Cisco ACS 5.2.

Goals and Methods

The most important and somewhat obvious goal of this book is to help you pass the IINS v2.0 exam (640-554). In fact, if the primary objective of this book were different, the book’s title would be misleading; however, the methods used in this book to help you achieve the CCNA Security are designed to also make you much more knowledgeable about how to do your job.

Although this book has more than enough questions to help you prepare for the actual exam, the method in which they are used is not to simply make you memorize as many questions and answers as you possibly can. One key methodology used in this book is to help you discover the exam topics that you need to review in more depth, to help you fully understand and remember those details, and to help you prove to yourself that you have retained your knowledge of those topics. So, this book does not try to help you pass by memorization, but helps you truly learn and understand the topics. The IINS v2.0 exam, which grants the CCNA Security certification, is just one of the foundation topics in the CCNP Security certification, and mastering the knowledge covered by the exam is vitally important to consider yourself a truly skilled security specialist. This book would do you a disservice if it didn’t attempt to help you learn the material. To that end, the book will help you pass the CCNA Security exam by using the following methods:

• Helping you discover which test topics you have not mastered

• Providing explanations and information to fill in your knowledge gaps

• Providing practice questions on the topics

Who Should Read This Book?

This book is not designed to be a general security topics book, although it can be used for that purpose. This book is intended to tremendously increase your chances of passing the CCNA Security exam. Although other objectives can be achieved from using this book, the book is written with three goals in mind: to improve your knowledge of Cisco IOS security, to introduce you to Cisco ASA, and to help you pass the CCNA Security exam.

So why should you want to pass the CCNA Security exam? Because it is one of the milestones toward getting the CCNP Security certification, no small feat in itself. What would getting the CCNP Security certification mean to you? A raise, a promotion, or other recognition? A way to enhance your résumé, and demonstrate that you are serious about continuing the learning process and that you are not content to rest on your laurels? A chance to work in one of the most thrilling and fastest growing sectors of IT, network security? An opportunity to please your reseller-employer, who needs more certified employees for a higher discount from Cisco? These are some of many reasons people pursue the CCNP Security certification.

Strategies for Exam Preparation

The strategy you use for CCNA Security might be slightly different from strategies used by other readers, mainly based on the skills, knowledge, and experience you already have obtained. For instance, if you have attended the IINS course, you might take a different approach than someone who learned firewalling via on-the-job training.

The best way to prepare for this exam is to focus on one chapter at a time and take notes. Some chapters are purely theoretical, such as Chapter 12, which introduces cryptography and VPN technologies. Other chapters are more hands-on where configuration of a Cisco router or a Cisco firewall is demonstrated. Ideally, you will practice the suggested configurations on Cisco equipment to sharpen your hands-on skills prior to attempting the IINS v2.0 exam, in order to achieve the CCNA Security certification.

How This Book Is Organized

Although this book could be read cover to cover, it is designed to be flexible and allow you to move between chapters. However, if you do intend to read every chapter, the order in the book is an excellent sequence to use. Chapters 1 to 15, separated in four parts, cover the following topics:

Chapter 1, “Network Security Concepts and Policies”: This chapter discusses how to develop a comprehensive network security policy to counter threats against information security. It also teaches you about possible threats and how to describe and implement the process of developing a security policy. It covers the identification of common vulnerabilities and threats, mitigation strategies, and the implementation of a security architecture using a lifecycle approach.

Chapter 2, “Security Strategy and Cisco Borderless Network”: This chapter discusses the concept of Borderless Networks. It discusses Cisco Borderless Network Architecture, including the components and underlying technologies. You will learn about the Cisco Security portfolio products that address specifically issues of Borderless Networks, and more precisely about Cisco SecureX. This chapter introduces Cisco threat control and containment products and VPN technologies that will be covered in greater detail in subsequent chapters.

Chapter 3, “Network Foundation Protection and Cisco Configuration Professional”: This chapter deals with Cisco IOS Network Foundation Protection (NFP) as a framework for infrastructure protection, all its components, and commonly used countermeasures as found in Cisco IOS devices. More precisely, this chapter differentiates the security measures to be implemented on the three conceptual planes of Cisco IOS devices: the control plane, the data plane, and the management plane. This chapter also discusses using Cisco Configuration Professional (CCP) to implement security controls on Cisco IOS routers.

Chapter 4, “Securing the Management Plane on Cisco IOS Devices and AAA”: This chapter describes how to securely implement the management and reporting features of Cisco IOS devices. It discusses technologies surrounding network management, such as syslog, Network Time Protocol, Secure Shell, and Simple Network Management Protocol. It discusses proper password management, the recovery procedure of the configuration file, and the safeguarding of the IOS. This chapter introduces the subject of authentication, authorization, and accounting (AAA) both locally and on an external database, including the Cisco Secure Access Control System (ACS).

Chapter 5, “Securing the Data Plane on Cisco Catalyst Switches”: This chapter explains how Cisco IOS routers and switches have their own set of network security requirements. It introduces fundamental switching concepts, such as VLANs, trunking, and Spanning Tree, and shows how attackers can exploit vulnerabilities in the switching infrastructure. It then describes a strategy for protecting the switch data plane using port security.

Chapter 6, “Securing the Data Plane in IPv6 Environments”: This chapter explains the need for IPv6 and presents its fundamental features, as well as enhancements when compared to IPv4. It covers IPv6 addressing scheme, components, and design principles and how routing functions. The chapter then presents potential threats and develops a strategy for IPv6 security.

Chapter 7, “Planning a Threat Control Strategy”: This chapter suggests design principles to plan a threat control and containment strategy using firewalls and intrusion prevention systems in Cisco IOS environments. This chapter provides a general evaluation of the current state of enterprise security in the presence of evolving threats. It presents the design considerations for a threat protection strategy as part of a risk management strategy with Cisco threat control and containment solutions.

Chapter 8, “Access Control Lists for Threat Mitigation”: Cisco provides basic traffic filtering capabilities with access control lists (ACL). This chapter covers the benefits of ACLs and describes their building blocks. The chapter describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments. It also demonstrates how to configure ACLs using both CLI and CCP and how to use object groups. ACLs are examined in the context of IPv4 and IPv6.

Chapter 9, “Firewall Fundamentals and Network Address Translation”: This chapter explains the operations of the different types of firewall technologies and the role they play in network access control and security architectures. It also describes guidelines for firewall rule set creation. The chapter then describes the function and building blocks of Network Address Translation.

Chapter 10, “Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA”: This chapter explains the two Cisco Firewall solutions: Cisco IOS Zone-Based Policy Firewalls and Cisco Adaptive Security Appliance. It describes in detail Cisco IOS Zone-Based Policy Firewall, and how the solution uses the Cisco Common Classification Policy Language (C3PL) for creating firewall policies. The chapter then presents the Cisco ASA firewall, identifying key supported features and the building blocks of its configuration using ASDM. The chapter also briefly describes the deployment of policies using the Cisco Modular Policy Framework.

Chapter 11, “Intrusion Prevention Systems”: This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS). It explains the underlying IDS and IPS technology embedded in the Cisco IOS IPS solutions. It describe the use of signatures, the need for IPS alarm monitoring, and the design considerations in deploying IPS.

Chapter 12, “Fundamentals of Cryptography and VPN Technologies”: This chapter introduces the concepts of cryptography and covers encryption, hashing, and digital signatures and how these techniques provide confidentiality, integrity, authenticity, and nonrepudiation. You will learn about algorithms, symmetric and asymmetric encryption, digital signatures, and Public Key Infrastructure (PKI).

Chapter 13, “IPsec Fundamentals”: This chapter covers the role and operational impact of IPsec’s main components and its modes of operation in various scenarios. It provides a detailed description of the phases of IPsec connectivity. It also provides an overview of IPv6 VPNs.

Chapter 14, “Site-to-Site IPsec VPNs with Cisco IOS Routers”: This chapter explains how to configure site-to-site virtual private networks (VPN) using Cisco IOS routers. You will learn how to use both CLI commands and Cisco Configuration Professional to configure, validate, and monitor the VPN configuration. You will also learn site-to-site VPN troubleshooting techniques.

Chapter 15, “SSL VPNs with Cisco ASA”: This chapter describes the use cases and operational requirements of SSL VPNs and offers a detailed presentation on the operations of SSL. The chapter explains configurations, deployment options, and design considerations. It describes the steps to configure both Cisco VPN clientless mode and Cisco full-tunnel mode on Cisco ASA using the Cisco AnyConnect client. The VPN configuration is demonstrated using Cisco ASDM.

Icons Used in This Book

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

Italic indicates arguments for which you supply actual values.

• Vertical bars (|) separate alternative, mutually exclusive elements.

• Square brackets ([ ]) indicate an optional element.

• Braces ({ }) indicate a required choice.

• Braces within brackets ([{ }]) indicate a required choice within an optional element.