Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide [English] [Hardcover]

Catherine Paquet


Table of Contents

Introduction xxviii

Part I Networking Security Fundamentals

Chapter 1 Network Security Concepts and Policies 1

Building Blocks of Information Security 2

Basic Security Assumptions 2

Basic Security Requirements 2

Data, Vulnerabilities, and Countermeasures 3

  Data Classification 4

  Vulnerabilities Classifications 7

  Countermeasures Classification 8

  Need for Network Security 12

  Intent Evolution 13

  Threat Evolution 14

  Trends Affecting Network Security 16

Adversaries, Methodologies, and Classes of Attack 19

  Adversaries 20

  Methodologies 21

  Threats Classification 23

  Man-in-the-Middle Attacks 32

  Overt and Covert Channels 33

  Botnets 37

  DoS and DDoS Attacks 37

Principles of Secure Network Design 39

  Defense in Depth 41

Evaluating and Managing the Risk 42

Levels of Risks 43

Risk Analysis and Management 44

  Risk Analysis 44

  Building Blocks of Risk Analysis 47

  A Lifecycle Approach to Risk Management 49

Regulatory Compliance 50

Security Policies 53

Security Policy Components 55

  Governing Policy 56

  End-User Policies 57

  Technical Policies 57

  Standards, Guidelines, and Procedures 59

  Security Policy Roles and Responsibilities 61

  Security Awareness 62

Secure Network Lifecycle Management 63

IT Governance, Risk Management, and Compliance 64

Secure Network Life Cycle 64

  Initiation Phase 65

  Acquisition and Development Phase 65

  Implementation Phase 66

  Operations and Maintenance Phase 67

  Disposition Phase 67

  Models and Frameworks 67

Network Security Posture 69

Network Security Testing 70

  Security Testing Techniques 70

  Common Testing Tools 71

Incident Response 72

Incident Management 73

  Computer Crime Investigations 74

  Laws and Ethics 75

  Liability 76

Disaster Recovery and Business Continuity Planning 77

     Business Continuity Concepts 78

Summary 79

References 79

Publications 79

Web Resources 80

Review Questions 80

Chapter 2 Security Strategy and Cisco Borderless Network 85

Borderless Networks 85

Cisco Borderless Network Security Architecture 86

Borderless End Zone 88

Borderless Internet 89

Borderless Data Center 90

Policy Management Layer 91

Borderless Network Services 91

Borderless Security Products 92

SecureX, a Context-Aware Security Approach 93

  SecureX Core Components 94

Threat Control and Containment 98

Cisco Security Intelligence Operation 99

Cloud Security, Content Security, and Data Loss Prevention 100

  Content Security 101

  Data Loss Prevention 101

  Cloud-Based Security 101

  Web Security 101

  Email Security 104

Secure Connectivity Through VPNs 105

Security Management 106

  Cisco Security Manager 107

Summary 108

References 108

Review Questions 109

Part II Protecting the Network Infrastructure

Chapter 3 Network Foundation Protection and Cisco Configuration Professional 111

Threats Against the Network Infrastructure 112

Cisco NFP Framework 114

Control Plane Security 118

  CoPP 119

  CPPr 119

  Traffic Classes 120

  Routing Protocol Integrity 121

  Cisco AutoSecure 122

Management Plane Security 123

  Secure Management and Reporting 124

  Role-Based Access Control 126

  Deploying AAA 127

Data Plane Security 128

  Access Control List Filtering 128

Cisco Configuration Professional 131

CCP Initial Configuration 133

Cisco Configuration Professional User Interface and Features 136

  Menu Bar 136

  Toolbar 138

  Navigation Pane 138

  Content Pane 142

  Status Bar 142

Cisco Configuration Professional Building Blocks 142

Communities 142

  Creating Communities 143

  Managing Communities 144

Templates 145

User Profiles 147

Using CCP to Harden Cisco IOS Devices 148

  Security Audit 149

  One-Step Lockdown 152

  Cisco IOS AutoSecure 152

Summary 154

References 155

Review Questions 155

Chapter 4 Securing the Management Plane on Cisco IOS Devices and AAA 159

Configuring Secure Administration Access 159

Configuring an SSH Daemon for Secure Management Access 161

Configuring Passwords on Cisco IOS Devices 163

  Setting Timeouts for Router Lines 164

  Configuring the Minimum Length for Router Passwords 165

  Enhanced Username Password Security 166

Securing ROM Monitor 167

Securing the Cisco IOS Image and Configuration Files 168

Configuring Multiple Privilege Levels 170

Configuring Role-Based Command-Line Interface Access 171

Implementing Secure Management and Reporting 174

Planning Considerations for Secure Management and Reporting 175

Secure Management and Reporting Architecture 176

  Secure Management and Reporting Guidelines 176

Enabling Time Features 176

  Network Time Protocol 177

Using Syslog Logging for Network Security 178

  Implementing Log Messaging for Security 179

Using SNMP to Manage Network Devices 182

  SNMPv3 Architecture 183

  Enabling SNMP Options Using Cisco CCP 185

Configuring AAA on a Cisco Router 186

Authentication, Authorization, and Accounting 186

  Authenticating Router Access 188

Configuring AAA Authentication and Method Lists 190

Configuring AAA on a Cisco Router Using the Local Database 191

  Configuring AAA Local Authentication 192

AAA on a Cisco Router Using Cisco Secure ACS 198

  Cisco Secure ACS Overview 198

  Cisco Identity Services Engine 204

TACACS+ and RADIUS Protocols 205

TACACS+ 205

RADIUS 206

Comparing TACACS+ and RADIUS 206

AAA on a Cisco Router Using an External Database 208

Configuration Steps for AAA Using an External Database 208

  AAA Servers and Groups 208

  AAA Authentication Method Lists 210

  AAA Authorization Policies 211

  AAA Accounting Policies 213

AAA Configuration for TACACS+ Example 215

Troubleshooting TACACS+ 216

Deploying and Configuring Cisco Secure ACS 218

Evolution of Authorization 219

  Before: Group-Based Policies 219

  Now: More Than Just Identities 220

Rule-Based Policies 222

Configuring Cisco Secure ACS 5.2 223

  Configuring Authorization Policies for Device Administration 224

Summary 230

References 230

Review Questions 231

Chapter 5 Securing the Data Plane on Cisco Catalyst Switches 233

Overview of VLANs and Trunking 234

Trunking and 802.1Q 235

  802.1Q Tagging 236

  Native VLANs 237

Configuring VLANs and Trunks 237

  Step 1: Configuring and Verifying 802.1Q Trunks 238

  Step 2: Creating a VLAN 240

  Step 3: Assigning Switch Ports to a VLAN 242

  Step 4: Configuring Inter-VLAN Routing 243

Spanning Tree Overview 244

STP Fundamentals 245

Verifying RSTP and PVRST+ 248

Mitigating Layer 2 Attacks 249

Basic Switch Operation 249

Layer 2 Best Practices 250

Layer 2 Protection Toolkit 250

Mitigating VLAN Attacks 251

  VLAN Hopping 251

Mitigating Spanning Tree Attacks 254

  PortFast 255

Mitigating CAM Table Overflow Attacks 259

Mitigating MAC Address Spoofing Attacks 260

Using Port Security 261

  Errdisable Recovery 263

Summary 270

References 271

Review Questions 271

Chapter 6 Securing the Data Plane in IPv6 Environments 275

The Need for IPv6 275

IPv6 Features and Enhancements 278

IPv6 Headers 279

Stateless Address Autoconfiguration 280

Internet Control Message Protocol Version 6 281

IPv6 General Features 282

Transition to IPv6 283

IPv6 Addressing 285

IPv6 Address Representation 285

IPv6 Address Types 286

  IPv6 Unicast Addressing 286

Assigning IPv6 Global Unicast Addresses 291

  Manual Interface Assignment 291

  EUI-64 Interface ID Assignment 291

  Stateless Autoconfiguration 292

  DHCPv6 (Stateful) 292

IPv6 EUI-64 Interface Identifier 292

IPv6 and Cisco Routers 293

IPv6 Address Configuration Example 294

Routing Considerations for IPv6 294

Revisiting Threats: Considerations for IPv6 295

Examples of Possible IPv6 Attacks 298

  Recommended Practices 300

Summary 301

References 301

Review Questions 302

Part III Threat Control and Containment

Chapter 7 Planning a Threat Control Strategy 305

Threats Revisited 305

Trends in Network Security Threats 306

Threat Mitigation and Containment: Design Fundamentals 307

  Threat Control Design Guidelines 308

  Application Layer Visibility 309

  Distributed Security Intelligence 309

  Security Intelligence Analysis 310

Integrated Threat Control Strategy 311

Cisco Threat Control and Containment Categories 311

  Integrated Approach to Threat Control 312

  Application Awareness 313

  Application-Specific Gateways 313

  Security Management 313

  Cisco Security Intelligence Operations Site 313

Cisco Threat Control and Containment Solutions Fundamentals 314

  Cisco Security Appliances 314

  Cisco IPSs 316

Summary 317

References 318

Review Questions 318

Chapter 8 Access Control Lists for Threat Mitigation 319

ACL Fundamentals 320

Types of IP ACLs 324

ACL Wildcard Masking and VLSM Review 325

Subnetting Overview 326

  Subnetting Example: Class C 326

  Subnetting Example 327

Variable-Length Subnet Masking 328

  A Working VLSM Example 329

ACL Wildcard Bits 331

  Example: Wildcard Masking Process for IP Subnets 332

  Example: Wildcard Masking Process with a Single IP Address 333

  Example: Wildcard Masking Process with a Match Any IP Address 334

Using ACLs to Control Traffic 335

  Example: Numbered Standard IPv4 ACL–Deny a Specific Subnet 336

  Numbered Extended IPv4 ACL 338

  Displaying ACLs 342

Enhancing ACLs with Object Groups 343

ACL Considerations 345

Configuring ACLs for Threat Control Using Cisco Configuration Professional 347

Rules in Cisco Configuration Professional 347

  Working with ACLs in CCP 348

  ACL Editor 349

  Adding Rules 350

  Associating Rules with Interfaces 352

  Enabling Logging with CCP 354

  Monitoring ACLs with CCP 356

  Configuring an Object Group with CCP 357

Using ACLs in IPv6 Environments 360

Summary 363

References 364

Review Questions 364

Chapter 9 Firewall Fundamentals and Network Address Translation 367

Introducing Firewall Technologies 367

Firewall Fundamentals 367

Firewalls in a Layered Defense Strategy 370

Static Packet-Filtering Firewalls 372

Application Layer Gateways 374

Dynamic or Stateful Packet-Filtering Firewalls 378

Other Types of Firewalls 382

  Application Inspection Firewalls, aka Deep Packet Inspection 382

  Transparent Firewalls (Layer 2 Firewalls) 383

NAT Fundamentals 384

Example of Translating an Inside Source Address 387

NAT Deployment Choices 389

Firewall Designs 390

Firewall Policies in a Layered Defense Strategy 391

Firewall Rules Design Guidelines 392

Summary 394

References 394

Review Questions 394

Chapter 10 Cisco Firewalling Solutions: Cisco IOS Zone-Based Firewall and Cisco ASA 397

Cisco Firewall Solutions 398

Cisco IOS Zone-Based Policy Firewall 398

Zone-Based Policy Firewall Overview 398

Zones and Zone Pairs 402

  Self Zone 402

  Zone-Based Topology Examples 403

Introduction to Cisco Common Classification Policy Language 403

Zone-Based Policy Firewall Actions 407

Service Policy Zone Pair Assignments 408

Zone-Based Policy Firewall: Default Policies, Traffic Flows, and Zone Interaction 408

  Zone-Based Policy Firewall: Rules for Router Traffic 409

Configuring Basic Interzone Policies Using CCP and the CLI 411

  Step 1: Start the Basic Firewall Wizard 412

  Step 2: Select Trusted and Untrusted Interfaces 413

  Step 3: Review and Verify the Resulting Policies 416

  Verifying and Tuning the Configuration 416

  Step 4: Enabling Logging 417

  Step 5: Verifying Firewall Status and Activity 419

  Step 6: Modifying Zone-Based Firewall Configuration Objects 420

  Step 7: Verifying the Configuration Using the CLI 421

Configuring NAT Services for Zone-Based Firewalls 422

  Step 1: Run the Basic NAT Wizard 423

  Step 2: Select NAT Inside and Outside Interfaces 424

  Step 3: Verify NAT with CCP and the CLI 426

Cisco ASA Firewall 427

Stateful Packet Filtering and Application Awareness 427

Network Services Offered by the Cisco ASA 5500 Series 428

  Network Address Translation 428

  Additional Network Services 431

Cisco ASA Security Technologies 431

  Cisco ASA Configuration Fundamentals 432

  Cisco ASA 5505 435

Cisco ASDM 436

  Preparing the Cisco ASA 5505 for ASDM 437

  Cisco ASDM Features and Menus 438

Cisco Modular Policy Framework 443

  Class Map: Identifying Traffic on Which a Policy Will Be Enforced 443

  Policy Map: Configuring the Action That Will Be Applied to the Traffic 444

  Service Policy: Activating the Policy 444

  Cisco ASA Modular Policy Framework: Simple Example 445

Basic Outbound Access Control on Cisco ASA Using Cisco ASDM 446

  Scenario Configuration Steps Using Cisco ASDM 446

Summary 461

References 462

Cisco.com Resources 462

Other Resources 462

CCP and ASDM Demo Mode Tutorials 462

Review Questions 463

Chapter 11 Intrusion Prevention Systems 467

IPS Fundamentals 467

Introducing IDS and IPS 467

  So, IDS or IPS? Why Not Both? 473

  Alarm Types 474

Intrusion Prevention Technologies 475

  Signature-Based IDS/IPS 476

  Policy-Based IDS/IPS 477

  Anomaly-Based IDS/IPS 477

  Reputation-Based IPS 478

IPS Attack Responses 478

  IPS Anti-Evasion Techniques 480

  Risk-Based Intrusion Prevention 482

  IPv6-Aware IPS 484

Alarms 484

  IPS Alarms: Event Monitoring and Management 485

  Global Correlation 486

IPS Deployment 488

  Cisco IPS Offerings 490

  IPS Best Practices 492

  Cisco IPS Architecture 494

Cisco IOS IPS 495

Cisco IOS IPS Features 495

  Scenario: Protecting the Branch Office Against Inside Attack 497

Signatures 497

Signature Files 498

  Signature Management 500

  Examining Signature Microengines 500

Signature Tuning 502

  Optimal Signature Set 504

  Monitoring IPS Alarms and Event Management 505

Configuring Cisco IOS IPS Using Cisco Configuration Professional 507

  Step 1: Download Cisco IOS IPS Signature Package 508

  Step 2: Launch IPS Policies Wizard 509

  Step 3: Verify Configuration and Signature Files 515

  Step 4: Perform Signature Tuning 517

  Step 5: Verify Alarms 521

Configuring Cisco IOS IPS Using the CLI 524

Summary 529

References 530

Cisco.com Resources 530

General IDS/IPS Resource 530

Review Questions 530

Part IV Secure Connectivity

Chapter 12 Fundamentals of Cryptography and VPN Technologies 533

VPN Overview 534

VPN Types 535

  Site-to-Site VPNs 536

  Remote-Access VPNs 537

Examining Cryptographic Services 538

Cryptology Overview 538

  The History of Cryptography 540

  Ciphers 540

Block and Stream Ciphers 547

  Block Ciphers 547

  Stream Ciphers 548

The Process of Encryption 549

  Encryption Application Examples 550

  Cryptanalysis 551

  Desirable Encryption Algorithm Features 554

Key Management 555

  Key Management Components 555

     Keyspaces 556

  Key Length Issues 556

  Example of the Impact of Key Length 557

Symmetric and Asymmetric Encryption Overview 557

Symmetric Encryption Algorithms 558

  Comparing Symmetric Encryption Algorithms 560

  DES Modes of Operation 561

  DES Security Guidelines 561

  The Rijndael Cipher 563

  AES Versus 3DES 564

Asymmetric Encryption Algorithms 565

  Public Key Confidentiality 566

Encryption Algorithm Selection 567

Cryptographic Hashes and Digital Signatures 568

Hashing Algorithms 571

  MD5 572

  SHA-1 572

  SHA-2 573

Hashed Message Authentication Codes 573

Overview of Digital Signatures 575

  Digital Signatures = Encrypted Message Digest 578

Diffie-Hellman 579

Diffie-Hellman Example 581

Cryptographic Processes in VPNs 582

Asymmetric Encryption: Digital Signatures 583

Asymmetric Encryption Overview 583

  Public Key Authentication 584

RSA and Digital Signatures 585

Public Key Infrastructure 587

PKI Terminology and Components 589

Certificate Classes 590

Certificate Authorities 590

PKI Standards 593

  Certificate Revocation 599

Certificate Use 600

  Digital Certificates and CAs 601

Summary 602

References 603

Books and Articles 603

Standards 603

Encryption Regulations 603

Review Questions 604

Chapter 13 IPsec Fundamentals 609

IPsec Framework 609

Suite B Cryptographic Standard 611

Encryption Algorithms 612

Key Exchange: Diffie-Hellman 613

Data Integrity 614

Authentication 615

IPsec Protocol 616

Authentication Header 618

Encapsulating Security Payload 619

IPsec Modes of Operations 620

  Transport Mode 621

  Tunnel Mode 621

IKE Protocol 622

IKEv1 Modes 624

IKEv1 Phases 625

  IKEv1 Phase 1 625

  IKEv1 Phase 1 Example 626

  IKEv1 Phase 2 631

IKE Version 2 632

IKEv1 Versus IKEv2 633

IPv6 VPNs 635

IPsec Services for Transitioning to IPv6 636

Summary 637

References 637

Books 637

Cisco.com Resources 637

Review Questions 637

Chapter 14 Site-to-Site IPsec VPNs with Cisco IOS Routers 641

Site-to-Site IPsec: Planning and Preparation 641

Site-to-Site IPsec VPN Operations 642

Planning and Preparation Checklist 643

Building Blocks of Site-to-Site IPsec 643

  Interesting Traffic and Crypto ACLs 643

  Mirrored Crypto ACLs 644

  Cipher Suite 645

  Crypto Map 646

Configuring a Site-to-Site IPsec VPN Using CCP 647

Initiating the VPN Wizard 647

  VPN Connection Information 649

  IKE Proposals 652

  Transform Set 653

  Traffic to Protect 654

  Configuration Summary 656

Creating a Mirror Configuration for the Peer Site 657

Verifying the IPsec Configuration Using CCP and CLI 658

Verifying IPsec Configuration Using CLI 658

Verifying IKE Policy Using the CLI 659

  Verifying IKE Phase 2 Policy Using the CLI 660

  Verifying Crypto Maps Using the CLI 660

Monitoring Established IPsec VPN Connections 661

IKE Policy Negotiation 662

VPN Troubleshooting 662

Monitoring IKE Security Association 664

Monitoring IPsec Security Association 664

Summary 665

References 666

Review Questions 666

Chapter 15 SSL VPNs with Cisco ASA 669

SSL VPNs in Borderless Networks 670

Cisco SSL VPN 671

SSL and TLS Protocol Framework 672

SSL and TLS 673

SSL Cryptography 674

SSL Tunnel Establishment 675

  SSL Tunnel Establishment Example 676

Cisco SSL VPN Deployment Options and Considerations 679

Cisco SSL VPN Client: Full Network Access 681

SSL VPN on Cisco ASA in Clientless Mode 683

Clientless Configuration Scenario 683

Task 1: Launch the Clientless SSL VPN Wizard from ASDM 684

Task 2: Configure the SSL VPN Interface 684

Task 3: Configure User Authentication 686

Task 4: Configure User Group Policy 686

Task 5: Configure a Bookmark List 687

Task 6: Verify the Clientless SSL VPN Wizard Configuration 690

Log In to the VPN Portal: Clientless SSL VPN 690

SSL VPN on ASA Using the Cisco AnyConnect VPN Client 692

Cisco AnyConnect Configuration Scenario 693

Phase 1: Configure Cisco ASA for Cisco AnyConnect 693

  Task 1: Connection Profile Identification 694

  Task 2: VPN Protocols and Device Certificate 695

  Task 3: Client Image 696

  Task 4: Authentication Methods 697

  Task 5: Client Address Assignment 698

  Task 6: Network Name Resolution Servers 700

  Task 7: Network Address Translation Exemption 700

  Task 8: AnyConnect Client Deployment Summary 702

Phase 2: Configure the Cisco AnyConnect VPN Client 702

Phase 3: Verify VPN Connectivity with Cisco AnyConnect VPN Client 706

  Verifying VPN Connectivity from Cisco ASA 706

Summary 707

References 708

Review Questions 708

Appendix A Answers to Chapter Review Questions 711

ISBN 9781587142727, TOC, 10/16/2012