CCSP complete study guide: 642-501, 642-511, 642-521, 642-531, 642-541

ISBN: 9780782144222, 0-7821-4422-5

Size: 13 MB (14125881 bytes)

Pages: 1294/1294

Authors: Todd Lammle, Wade Edwards, Tom Lancaster, Justin Menga, Eric Quinn, Jason Rohm, Carl Timm, Bryant Tow

To ensure adequate support for their security products and services, Cisco released a professional-level certification, Cisco Certified Security Professional (CCSP). This single volume, from the leader in certification, provides complete and up-to-date coverage of all five exams required for the CCSP certification: 640-501, 640-511, 640-521, 640-531, 640-541. Not only is it handy to have all the necessary study information compiled in one guide, it is also the most economical self-study solution. The companion CD includes an advanced testing engine containing chapter review questions and ten bonus exams, flashcards for PCs, Pocket PCs, and Palm devices, and the entire book in PDF.

Table of contents:
Cover……Page 2
Contents at a Glance……Page 9
Contents……Page 11
Introduction……Page 28
Assessment Test 1……Page 53
Advanced Assessment Test 2……Page 67
Assessment Test 3……Page 69
Assessment Test 3……Page 71
Assessment Test 4……Page 72
Assessment Test 4……Page 76
Assessment Test 5……Page 78
Assessment Test 5……Page 80
Part I Securing Cisco IOS Networks (SECUR)……Page 82
Introduction to Network Security……Page 84
Types of Network Security Threats……Page 86
Technology Weaknesses……Page 87
Configuration Weaknesses……Page 88
Policy Weaknesses……Page 90
Types of Network Attacks……Page 91
Eavesdropping……Page 93
Denial-of-Service Attacks……Page 95
Unauthorized Access……Page 96
Session Hijacking or Replaying……Page 97
Smurfing Attacks……Page 98
Application-Layer Attacks……Page 99
The Corporate Security Policy……Page 100
Summary……Page 101
Exam Essentials……Page 102
Introduction to AAA Security……Page 104
and Cisco AAA……Page 105
Authentication Methods……Page 107
Security Server Authentication……Page 109
PAP and CHAP Authentication……Page 111
PPP Callback……Page 113
Securing Access to the Exec Mode……Page 116
Enabling AAA Locally on the NAS……Page 119
Configuring Authentication on the NAS……Page 120
Configuring Authorization on the NAS……Page 122
Configuring Accounting on the NAS……Page 125
Verifying the NAS Configuration……Page 127
Troubleshooting AAA on the Cisco NAS……Page 128
Summary……Page 130
Exam Essentials……Page 131
Configuring Cisco Secure ACS and TACACS+……Page 132
Introduction to the Cisco Secure ACS……Page 133
Using User Databases for Authentication……Page 135
Populating the User Database……Page 136
New ACS Features……Page 137
Installing Cisco Secure ACS 3.0……Page 138
Administering Cisco Secure ACS……Page 145
TACACS+ Overview……Page 152
Configuring TACACS+……Page 153
for RADIUS……Page 155
Verifying TACACS+……Page 159
Exam Essentials……Page 162
Cisco Perimeter Router Problems and Solutions……Page 164
Session Replay Problems……Page 166
Malicious Destruction……Page 167
Fighting Rerouting Attacks……Page 169
Fighting Denial-of-Service Attacks……Page 171
Disabling Echo……Page 173
Disabling the HTTP Interface……Page 174
Disabling the Generation of ICMP Unreachable Messages……Page 175
Enabling the Nagle TCP Congestion Algorithm……Page 176
Configuring SNMP……Page 177
Disabling the Default Forwarded UDP Protocols……Page 178
Exam Essentials……Page 180
Control Configuration……Page 182
Understanding the Cisco IOS Firewall……Page 183
CBAC Compared to ACLs……Page 184
CBAC-Supported Protocols……Page 187
Introduction to CBAC Configuration……Page 188
Configuring Global Timeouts and Thresholds……Page 189
Configuring PAM……Page 191
Defining Inspection Rules……Page 195
Applying Inspection Rules and ACLs to Router Interfaces……Page 197
Testing and Verifying CBAC……Page 198
Summary……Page 200
Exam Essentials……Page 201
Intrusion Detection……Page 202
Authentication Proxy……Page 204
Configuring the AAA Server……Page 206
Configuring AAA……Page 209
Configuring the Authentication Proxy……Page 213
Testing and Verifying Your Configuration……Page 214
Introduction to the Cisco IOS Firewall IDS……Page 216
Configuring, Disabling, and Excluding Signatures……Page 218
Setting Default Actions……Page 220
Creating an Audit Rule……Page 222
Applying the Audit Rule……Page 223
Verifying the Configuration……Page 224
Stopping the IOS Firewall IDS……Page 226
Summary……Page 227
Exam Essentials……Page 228
IOS IPSec Support……Page 230
What Is a Virtual Private Network?……Page 231
Introduction to Cisco IOS IPSec……Page 232
IPSec Transforms……Page 233
IPSec Operation……Page 235
IPSec Encapsulation……Page 238
Internet Key Exchange (IKE)……Page 240
Exam Essentials……Page 246
Support……Page 248
Pre-shared Keys Site-to-Site……Page 249
Configuring IKE……Page 250
Configuring IPSec……Page 256
Testing and Verifying IPSec……Page 265
Configuring IPSec Manually……Page 267
Configuring IPSec for RSA-Encrypted Nonces……Page 268
Authority Support Site-to-Site……Page 273
Configuring CA Support……Page 274
Configuring IPSec for CA……Page 279
Testing and Verifying IPSec for CA……Page 286
Exam Essentials……Page 287
Easy VPN……Page 290
Introduction to Cisco Easy VPN……Page 291
The Easy VPN Server……Page 292
Software Client……Page 294
Easy VPN Server Configuration Tasks……Page 296
Router and Security Device Manager Overview……Page 297
Summary……Page 298
Exam Essentials……Page 299
Part II Cisco Secure PIX Firewall Advanced……Page 300
PIX Firewall Basics……Page 302
What Is a Firewall?……Page 303
Reviewing Firewall Technologies……Page 305
Packet-Filtering Firewalls……Page 306
Stateful Firewalls……Page 307
Firewall Technology Combinations……Page 308
PIX Firewall Features……Page 311
PIX Firewall Components……Page 312
NAT Mechanisms……Page 318
Packet Processing……Page 319
The Adaptive Security Algorithm and Security Levels……Page 320
Overview of Configuration……Page 322
Configuring an IOS Switch……Page 323
Connecting to the Module……Page 325
Configuring the FWSM……Page 326
CLI Access Methods……Page 327
CLI Modes……Page 328
Editing in the CLI……Page 329
Basic Commands……Page 330
Summary……Page 336
Exam Essentials……Page 337
Configuration……Page 338
Preparing for Firewall Configuration……Page 339
The Remote Access Commands……Page 340
The clock Command……Page 342
The ntp Command……Page 343
The domain-name and hostname Commands……Page 344
The dhcpd Command……Page 345
The logging Command……Page 347
Naming an Interface and Assigning a Security Level……Page 348
Down the Interface……Page 350
Assigning an IP Address……Page 352
Setting the Maximum Transfer Unit……Page 353
Understanding Address Translation……Page 354
NAT, PAT, and Security……Page 357
Configuring NAT……Page 358
Configuring PAT……Page 367
Configuring NAT on Multiple Interfaces……Page 371
Configuring Routing……Page 379
Configuring Dynamic Routing……Page 380
Configuring Static Routing……Page 382
Configuring Multicast Routing……Page 385
Exam Essentials……Page 387
and AAA……Page 388
Using PIX Firewall ACLs……Page 389
Creating a PIX ACL……Page 390
Applying a PIX ACL……Page 391
Converting Conduits to ACLs……Page 392
How Does URL Filtering Work?……Page 393
Configuring the PIX Firewall for URL Filtering……Page 394
PPPoE and the PIX Firewall……Page 396
Configuring the PPPoE Client Username and Password……Page 397
Enabling PPPoE on the PIX Firewall……Page 398
Verifying PPPoE Operation……Page 399
Object Groups……Page 400
Configuring Object Groups……Page 401
Using Object Groups……Page 404
Installing Cisco Secure ACS for Windows 2000/NT……Page 405
Implementing AAA on the PIX Firewall……Page 411
Downloadable PIX ACLs……Page 418
Summary……Page 419
Exam Essentials……Page 420
Detection……Page 422
Advanced Protocol Handling……Page 423
Special Protocol Support Basics……Page 424
File Transfer Protocol……Page 426
Remote Shell……Page 429
SQL*Net……Page 430
Multimedia Support……Page 431
Alternative Solutions to Problem Protocols……Page 433
AAA Flood Guard……Page 434
SYN Flood Guard……Page 435
Mail Guard……Page 436
IP Fragmentation Guard……Page 440
IP Audit……Page 443
Shunning……Page 450
Exam Essentials……Page 451
and PDM……Page 452
Points of Failure……Page 453
Fault-Tolerant Strategies……Page 457
PIX Firewall Failover Features……Page 458
How PIX Firewall Failover Works……Page 459
Stateful Failover……Page 466
Basic Failover Configuration……Page 467
PDM Overview……Page 471
Operating Requirements……Page 472
Preparing for PDM……Page 473
Using PDM to Configure the PIX Firewall……Page 475
Exam Essentials……Page 484
PIX Firewall……Page 486
Preparing to Configure VPN support……Page 487
Configuring the IKE Policy……Page 488
Configuring Pre-shared Keys……Page 490
Authorities (CAs) on a Firewall……Page 491
Creating Crypto ACLs……Page 496
Creating and Configuring Transform Sets……Page 497
Setting the Tunnel Lifetime……Page 499
Creating Crypto Maps……Page 500
Viewing Configuration Information……Page 503
Extended Authentication (Xauth)……Page 507
IKE Mode Config for Dynamic Addressing……Page 508
Pushing Additional Attributes to the VPN Client……Page 509
Common Commands……Page 510
Cisco VPN Client……Page 513
Deploying the VPN Client……Page 514
Using PDM to Create VPNs……Page 520
Setting Up a Site-to-Site VPN……Page 522
Setting Up a Remote Access VPN……Page 527
and Maintenance……Page 532
Cisco Secure Policy Manager (CSPM)……Page 533
PIX Management Center (MC)……Page 534
Auto Update Server (AUS)……Page 537
Exam Essentials……Page 541
Part III Cisco Secure Virtual Private Networks……Page 544
Networks……Page 546
Major Types of VPNs……Page 547
VPN Devices……Page 548
Introducing IPSec……Page 551
IPSec Building Blocks: AH and ESP……Page 552
Encryption……Page 557
Diffie-Hellman Key Exchange……Page 558
Internet Key Exchange……Page 559
Transform Sets……Page 562
IPSec Security Associations……Page 564
How IPSec Works……Page 565
Defining Interesting Traffic……Page 566
IKE Phase 1……Page 567
IKE Phase 2……Page 568
IPSec Task Flow……Page 569
Filtering Problems……Page 571
Summary……Page 572
Exam Essentials……Page 573
VPN Devices……Page 574
Introducing the VPN 3000 Concentrators……Page 575
Overview of the VPN 3005 Concentrator……Page 576
Overview of VPN 3015 through 3080 Concentrators……Page 578
VPN Concentrator Client Support……Page 580
Hardware Client……Page 581
Configuring the 3002 CLI Quick Configuration Utility……Page 582
Quick Configuration Utility……Page 586
Managing the Hardware Client……Page 594
Additional VPN 3002 Client Features……Page 595
Introducing the VPN Software Clients……Page 601
Setting Authentication Properties……Page 602
Installing a Certificate……Page 604
Preconfiguring the VPN Client……Page 607
Client Auto-Initiation……Page 610
Summary……Page 612
Exam Essentials……Page 613
Concentrator……Page 614
Starting the CLI……Page 617
Using Web Quick Configuration Mode……Page 624
Setting System Information……Page 626
Setting the Address Assignment……Page 627
Configuring Authentication……Page 628
Setting a Group Name……Page 629
Management……Page 630
Setting Up Groups……Page 631
Configuring an Authentication Server……Page 640
Configuring Access Hours and Filters……Page 641
Configuring Backup on the Hardware Client……Page 644
Configuring Load Balancing……Page 645
Configuring LAN-to-LAN IPSec……Page 647
Updating Clients Automatically……Page 649
Setting Up the Stateful Firewall……Page 652
Introducing the Public Key Infrastructure……Page 655
Requesting and Installing Concentrator Certificates……Page 656
Requesting and Installing Client Certificates……Page 664
Software Client……Page 667
Software Client’s Central Policy Protection Feature……Page 668
Client Firewall Statistics……Page 669
Customizing Firewall Policy……Page 671
for IPSec over UDP and IPSec over TCP……Page 672
Configuring IPSec over UDP……Page 673
Configuring IPSec over TCP……Page 675
Exam Essentials……Page 676
Concentrator……Page 678
Monitoring the VPN Concentrator……Page 679
Viewing Concentrator Monitoring Information……Page 680
Configuring Logging and SNMP Traps……Page 690
Configuring Access Rights……Page 697
Administering File Management……Page 701
Updating Software……Page 704
Summary……Page 705
Exam Essentials……Page 706
Part IV Cisco Secure Intrusion Detection Systems……Page 708
and Protection……Page 710
Understanding Security Threats……Page 711
Hacker Characteristics……Page 712
Attack Types……Page 713
Securing the Network……Page 727
Monitoring Network Security……Page 736
Testing Network Security……Page 737
Improving Network Security……Page 738
Triggers……Page 739
IDS System Location……Page 742
IDS Evasive Techniques……Page 745
Cisco Secure Intrusion Protection……Page 746
Introduction to Cisco Secure IDS……Page 748
Cisco Secure IDS Features……Page 749
Cisco Secure Sensor Platforms……Page 753
Cisco Secure IDS Management Platforms……Page 757
Cisco Host IDS Platforms……Page 759
Summary……Page 762
Exam Essentials……Page 763
and IDSMs……Page 764
Sensor Selection Considerations……Page 765
Sensor Deployment Considerations……Page 769
Secure IDS Sensors……Page 774
Planning the Installation……Page 775
Physically Installing the Sensor……Page 776
Gaining Initial Management Access……Page 785
Logging In to the Sensor……Page 789
Configuring the Sensor for the First Time……Page 791
Administering the Sensor……Page 805
Cisco Secure IDS Architecture……Page 809
Summary……Page 813
Exam Essentials……Page 814
Sensors……Page 816
Capturing Traffic……Page 817
4200 Series Sensors……Page 818
Configuring Traffic Capture Using SPAN……Page 824
Configuring Traffic Capture Using RSPAN……Page 831
Configuring Traffic Capture for the IDSM……Page 842
Configuring SPAN for the IDSM-2……Page 846
Configuring Traffic Capture Using VACLs……Page 848
Configuring Traffic Capture using the……Page 855
Configuring the Sensing Interface to Control Trunk Traffic……Page 857
Restricting VLANs on CatOS……Page 858
Assigning the Command-and-Control Port VLAN……Page 859
for the NM-CIDS……Page 860
Exam Essentials……Page 862
Manager……Page 864
IDM Components and System Requirements……Page 865
Accessing the IDM for the First Time……Page 866
Navigating the IDM……Page 869
Performing Sensor Setup Using the IDM……Page 871
Configuring Intrusion Detection Using the IDM……Page 877
Configuring Blocking Using the IDM……Page 894
Configuring Auto Update Using the IDM……Page 918
Secure IDS Sensors Using the IDM……Page 921
IDM Administration……Page 922
IDM Monitoring……Page 935
Summary……Page 942
Exam Essentials……Page 943
the IDS Event Viewer……Page 946
Cisco Secure IDS Signatures……Page 947
Cisco Secure IDS Signature Engines……Page 949
Signature Engine Parameters……Page 954
Configuring Signatures Using the IDM……Page 965
Configuring Signatures Using the CLI……Page 974
Introduction to the IDS Event Viewer……Page 979
Installing the IEV……Page 981
Accessing the IEV for the First Time……Page 982
Adding Sensors to the IEV……Page 984
Configuring Filters and Views……Page 988
Creating a View……Page 995
Configuring Application Settings and Preferences……Page 1002
Administering the IEV Database……Page 1005
Summary……Page 1019
Exam Essentials……Page 1020
Management……Page 1022
CiscoWorks VMS Components……Page 1023
CiscoWorks VMS System Requirements……Page 1025
Installing CiscoWorks Common Services……Page 1029
Security Monitoring Center……Page 1033
Starting the CiscoWorks Desktop……Page 1037
Adding Users……Page 1040
Licensing CiscoWorks VMS Components……Page 1041
the IDS MC……Page 1043
IDS Management Center Architecture……Page 1044
Starting the IDS Management Center……Page 1045
Configuring Sensor Groups……Page 1047
Adding Sensors to the IDS MC……Page 1049
Configuring Sensors Using the IDS MC……Page 1052
Sensor Configurations……Page 1077
Updating Cisco Secure IDS Sensors……Page 1084
Configuring System Configuration Settings……Page 1087
Configuring Database Rules……Page 1088
Configuring Report Settings……Page 1092
Exam Essentials……Page 1095
Monitoring……Page 1098
Security Monitor Features……Page 1099
Supported Devices for the Security Monitor……Page 1100
Accessing the Security Monitor for the First Time……Page 1101
Defining Devices to Monitor……Page 1104
Verifying Sensor Connection Status……Page 1110
Viewing Events……Page 1111
Defining Notifications Using Event Rules……Page 1126
Monitoring Center……Page 1133
Configuring System Configuration Settings……Page 1134
Configuring Database Rules……Page 1137
Configuring Reports……Page 1138
Summary……Page 1142
Exam Essentials……Page 1143
Part V Cisco SAFE Implementation……Page 1146
Fundamentals……Page 1148
Network Security……Page 1149
Network Attack Taxonomy……Page 1152
of Service (DDOS)……Page 1153
IP Weaknesses……Page 1154
Network Reconnaissance……Page 1155
Packet Sniffers……Page 1156
Password Attacks……Page 1157
Trust Exploitation……Page 1158
Virus……Page 1159
Management Protocols and Functions……Page 1160
SNMP……Page 1161
NTP……Page 1162
SAFE Architectural Overview……Page 1163
SAFE SMR Architecture……Page 1165
SAFE Axioms……Page 1166
Routers Are Targets……Page 1167
Hosts Are Targets……Page 1168
Intrusion Detection Systems Mitigate Attacks……Page 1169
Identifying the Security Wheel……Page 1170
Exam Essentials……Page 1172
Portfolio……Page 1174
Cisco Security Portfolio Overview……Page 1175
Network Solutions……Page 1176
Site-to-Site VPN Solution……Page 1178
Remote Access VPN Solution……Page 1180
Firewall-Based VPN Solution and Perimeter Security……Page 1182
Understanding Intrusion Protection……Page 1183
IDS……Page 1184
Secure Scanner……Page 1185
Understanding Identity……Page 1186
Cisco Secure Access Control Server (ACS)……Page 1187
Cisco AVVID……Page 1188
Exam Essentials……Page 1190
Designs……Page 1192
Corporate Internet Module……Page 1193
Campus Module……Page 1196
Medium Network Design Overview……Page 1198
Corporate Internet Module……Page 1199
Campus Module……Page 1201
WAN Module……Page 1203
Implementing the ISP Router……Page 1204
Implementing the IOS-based Firewall……Page 1208
Implementing the PIX Firewall……Page 1215
Exam Essentials……Page 1219
Network Design……Page 1222
Design Overview……Page 1223
Key Devices……Page 1224
Software Access Option……Page 1225
Remote Site Firewall Option……Page 1230
VPN Hardware Client Option……Page 1232
Remote Site Router Option……Page 1237
Exam Essentials……Page 1240
Index……Page 1242
