CCIE Security Exam Certification Guide (CCIE Self-Study) (CCIE Self-Study)

Henry Benjamin, Cisco Press

ISBN:1587200651, Edition: , 2003-04-04

Price: $69.95

Table of Contents

Foreword

Introduction

Conclusion

Chapter 1 Using This Book to Prepare for the CCIE Security Written Exam
CCIE Security Certification
CCIE Security Written Exam Blueprint
How to Prepare for the CCIE Security Written Exam Using This Book

Chapter 2 General Networking Topics
"Do I Know This Already?" Quiz
Foundation Topics
Networking Basics-The OSI Reference Model
Layer 1: The Physical Layer
Layer 2: The Data Link Layer
Layer 3: The Network Layer
Layer 4: The Transport Layer
Layer 5: The Session Layer
Layer 6: The Presentation Layer
Layer 7: The Application Layer
TCP/IP and OSI Model Comparison
Example of Peer-to-Peer Communication
Ethernet Overview
Switching and Bridging
Bridge Port States
FastEther Channel
Internet Protocol
Variable-Length Subnet Masks
Classless Interdomain Routing
Transmission Control Protocol
TCP Mechanisms
TCP Services
Address Resolution Protocol (ARP)
Reverse ARP
Dynamic Host Configuration Protocol
Hot Standby Router Protocol
Internet Control Message Protocol
Telnet
File Transfer Protocol and Trivial File Transfer Protocol
Routing Protocols
Routing Information Protocol
EIGRP
OSPF
Border Gateway Protocol
ISDN
Basic Rate and Primary Rate Interfaces
ISDN Framing and Frame Format
ISDN Layer 2 Protocols
Cisco IOS ISDN Commands
IP Multicast
Asynchronous Communications and Access Devices
Foundation Summary
Requirements for FastEther Channel
Q & A
Scenario
Scenario 2-1: Routing IP on Cisco Routers
Scenario Answers
Scenario 2-1 Answers: Routing IP on Cisco Routers

Chapter 3 Application Protocols
"Do I Know This Already?" Quiz
Foundation Topics
Domain Name System
Trivial File Transfer Protocol
File Transfer Protocol
Active FTP
Passive FTP
Hypertext Transfer Protocol
Secure Socket Layer
Simple Network Management Protocol
SNMP Notifications
SNMP Examples
Simple Mail Transfer Protocol
Network Time Protocol
Secure Shell
Foundation Summary
Q & A
Scenario
Scenario 3-1: Configuring DNS, TFTP, NTP, and SNMP
Scenario Answers
Scenario 3-1 Solutions

Chapter 4 Cisco IOS Specifics and Security
"Do I Know This Already?" Quiz
Foundation Topics
Cisco Hardware
Random-Access Memory (RAM)
Nonvolatile RAM (NVRAM)
System Flash
Central Processing Unit
Read-Only Memory
Configuration Registers
Cisco Interfaces
Saving and Loading Files
show and debug Commands
Router CLI
show Commands
Debugging Cisco Routers
Password Recovery
Basic Security on Cisco Routers
IP Access Lists
Access Lists on Cisco Routers
Extended Access Lists
Foundation Summary
Q & A
Scenario
Scenario 4-1: Configuring Cisco Routers for Passwords and Access Lists
Scenario Answers

Chapter 5 Security Protocols
"Do I Know This Already?" Quiz
Foundation Topics
Authentication, Authorization, and Accounting (AAA)
Authentication
Authorization
Accounting
Remote Authentication Dial-In User Service (RADIUS)
RADIUS Configuration Task List
Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ Configuration Task List
TACACS+ Versus RADIUS
Kerberos
Kerberos Configuration Task List
Virtual Private Dial-Up Networks (VPDN)
VPDN Configuration Task List
Encryption Technology Overview
Data Encryption Standard (DES) and Triple Data Encryption Standard (3DES)
Digital Signature Standard (DSS)
Message Digest 5 (MD5) and Secure Hash Algorithm (SHA)
Diffie-Hellman
IP Security IPSec
Internet Key Exchange (IKE)
IKE Phase I Messages Types 1-6
IKE Phase II Message Types 1-3
Cisco IOS IPSec Configuration
Certificate Enrollment Protocol (CEP)
Foundation Summary
Q & A
Scenario
Scenario 5-1: Configuring Cisco Routers for IPSec
Scenario Answers
Scenario 5-1 Solutions

Chapter 6 Operating Systems and Cisco Security Applications
"Do I Know This Already?" Quiz
Foundation Topics
UNIX
UNIX Command Structure
UNIX Permissions
UNIX File Systems
Microsoft NT Systems
Browsing and Windows Names Resolution
Scaling Issues in Windows NT
Login and Permissions
Windows NT Users and Groups
Windows NT Domain Trust
Common Windows DOS Commands
Cisco Secure for Windows and UNIX
Cisco Secure Policy Manager
Cisco Secure Intrusion Detection System and Cisco Secure Scanner
NetRanger (Cisco Secure Intrusion Detection System)
NetSonar (Cisco Secure Scanner)
Cisco Security Wheel
Foundation Summary
Q & A
Scenarios
Scenario 6-1: NT File Permissions
Scenario 6-2: UNIX File Permissions
Scenario Answers
Scenario 6-1 Solution
Scenario 6-2 Solution

Chapter 7 Security Technologies
"Do I Know This Already?" Quiz
Foundation Topics
Advanced Security Concepts
Network Address Translation and Port Address Translation
NAT Operation on Cisco Routers
Cisco Private Internet Exchange (PIX)
Configuring a PIX
Cisco PIX Firewall Software Features
Cisco IOS Firewall Security Feature Set
CBAC Configuration Task List
Public Key Infrastructure
Virtual Private Networks
Foundation Summary
Q & A
Scenario
Scenario 7-1: Configuring a Cisco PIX for NAT
Scenario Answer
Scenario 7-1 Solution

Chapter 8 Network Security Policies, Vulnerabilities, and Protection
"Do I Know This Already?" Quiz
Foundation Topics
Network Security Policies
Standards Bodies and Incident Response Teams
Incident Response Teams
Internet Newsgroups
Vulnerabilities, Attacks, and Common Exploits
Intrusion Detection System
Protecting Cisco IOS from Intrusion
Foundation Summary
Q & A
Scenario
Scenario 8-1: Defining IOS Commands to View DoS Attacks in Real Time
Scenario Answer
Scenario 8-1 Solution

Chapter 9 CCIE Security Self-Study Lab
How to Use This Chapter
Goal of This Lab
CCIE Security Self-Study Lab Part I Goals
CCIE Security Self-Study Lab Part II Goals
General Lab Guidelines and Setup
Communications Server
CCIE Security Self-Study Lab Part I: Basic Network Connectivity (4 Hours)
Basic Frame Relay Setup
Physical Connectivity
Catalyst Ethernet Switch Setup I
Catalyst Ethernet Switch Setup II
IP Host Lookup and Disable DNS
PIX Configuration
IGP Routing
Basic ISDN Configuration
DHCP Configuration
BGP Routing Configuration
CCIE Security Self-Study Lab Part II: Advanced Security Design (4 Hours)
IP Access List
Prevent Denial-of-Service Attacks
Time-Based Access List
Dynamic Access List/Lock and Key Feature
IOS Firewall Configuration on R5
IPSec Configuration
Advanced PIX Configuration
ACS Configuration
Final Configurations
Conclusion

Appendix A Answers to Quiz Questions

Appendix B Study Tips for CCIE Security Examinations

Appendix C Sample CCIE Routing and Switching Lab

Index