Brandon James Carroll

ISBN-10: 1-58705-503-1

ISBN-13: 978-158705-503-4

As a final exam preparation tool, the CCSP SND Quick Reference provides a concise review of all objectives on the new CCSP SND exam (642-552). This digital Short Cut provides you with detailed, graphical-based information, highlighting only the key topics in cram-style format.

With this document as your guide, you will review topics on securing network routers and switches with Cisco IOS features available through the CLI and web-based GUIs. These fact-filled Quick Reference Sheets allow you to get all-important information at a glance, helping you focus your study on areas of weakness and to enhance memory retention of essential exam concepts.

Table of Contents

Chapter 1 Introduction to Network Security Policies

Chapter 2 Securing the Perimeter

Chapter 3 Securing LAN and WLAN Devices

Chapter 4 Cisco IOS Firewall Configuration

Chapter 5 Securing Networks with Cisco IOS IPS

Chapter 6 Building IPsec VPNs

About the author:

Brandon James Carroll is one of the country’s leading instructors for Cisco security technologies, teaching classes that include the CCNA, CCNP, CCSP courses, a number of the CCVP courses, as well as custom developed courseware. In his 6 years with Ascolta, Brandon has developed and taught many private Cisco courses for companies such as Boeing, Intel, and Cisco itself. He is a CCNA, CCNP, CCSP, and certified Cisco instructor. Brandon is the author of Cisco Access Control Security.

Prior to becoming a technical instructor for Ascolta, Mr. Carroll was a technician and an ADSL specialist for GTE Network Services and Verizon Communications. His duties involved ISP router support and network design. As a lead engineer, he tested and maintained Frame Relay connections between Lucent B-STDX and Cisco routers. His team was in charge of troubleshooting ISP Frame Relay to ATM cut-overs for ADSL customers. Brandon trained new employees at Verizon to the EPG in ADSL testing and troubleshooting procedures and managed a “Tekwizard” database for technical information and troubleshooting techniques. Mr. Carroll majored in Information Technology at St. Leo University.

About the Technical Editor:

Jerold Swan, CCIE No. 17783, CCSP, is currently a senior network engineer for the Southern Ute Indian Tribe Growth Fund, where he works on routing/switching, VoIP, and security projects. Previously he was an instructor with Global Knowledge, where he taught CCNA and CCNP courses. He has also worked in networking in the service provider and higher education fields. He holds bachelor’s and master’s degrees in English from Stanford University. He lives with his wife and son in Durango, Colorado, and is involved in various outdoor sports and volunteer search and rescue.

More info:CCSP SND Quick Reference

Exam Description
The Securing Cisco Network Devices 642-552 SND is the exam associated with the Cisco Certified Security Professional, Cisco Firewall Specialist, Cisco IOS Security Specialist, Cisco IPS Specialist, Cisco Information Security Specialist and Cisco Network Admission Control Specialist certifications. Candidates can prepare for this exam by taking the Securing Cisco Network Devices v2.0 (SND) course. This exam tests a candidate’s knowledge of securing Cisco routers and switches and their associated networks. Topics covered include; Security threats facing modern network infrastructures, Securing Cisco routers, Implementing basic AAA, Using ACLs to mitigate router and network threats, Implementing secure management and reporting, Mitigating common Layer 2 attacks, and Implementing Cisco IOS Firewall features, Cisco IOS IPS features, and IPsec VPN features using Cisco Security Device Manager

Exam Topics
The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Describe the security threats facing modern network infrastructures

* Describe and mitigate the common threats to the physical installation
* Describe and list mitigation methods for common network attacks
* Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks
* Describe the main activities in each phase of a secure network lifecycle
* Explain how to meet the security needs of a typical enterprise with a comprehensive security policy
* Describe the Cisco Self Defending Network architecture

Secure Cisco routers

* Secure Cisco routers using the SDM Security Audit feature
* Use the One-Step Lockdown feature in SDM to secure a Cisco router
* Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements
* Secure administrative access to Cisco routers by configuring multiple privilege levels
* Secure administrative access to Cisco routers by configuring role based CLI
* Secure the Cisco IOS image and configuration file

Implement basic AAA using Cisco routers

* Explain the functions and importance of AAA
* Describe the features of TACACS+ and RADIUS AAA protocols
* Describe the methods of authentication that are used to provide access through a router (packet mode) and to provide access to the router (character mode)

Mitigate threats to Cisco routers and networks using ACLs

* Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets
* Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
* Configure IP ACLs to prevent IP address spoofing using CLI
* Discuss the caveats to be considered when building ACLs

Implement secure network management and reporting

* Describe the factors to be considered when planning for secure management and reporting of network devices
* Use CLI to configure SSH on Cisco routers to enable secured management access
* Use CLI to configure Cisco routers to send Syslog messages to a Syslog server
* Describe SNMPv3 and NTPv3

Mitigate common Layer 2 attacks

* Describe the common Layer 2 attacks and how to mitigate them (VLAN hopping, STP attacks, ARP spoofing, MAC spoofing, CAM overflow)
* Describe the function and benefit of the security features in Cisco Catalyst switches (IBNS, PVLAN, SPAN port)
* Describe common threats to WLANs
* Describe the security features of the 802.11 protocol

Implement the Cisco IOS firewall feature set using SDM

* Describe the operational strengths and weaknesses of the different firewall technologies
* Explain stateful firewall operations and the function of the state table
* Explain the types of NAT that can be implemented in a firewall
* Configure and verify basic and advanced firewall on a Cisco router using SDM

Implement the Cisco IOS IPS feature set using SDM

* Define network based vs. host based intrusion detection and prevention
* Explain IPS technologies, attack responses, and monitoring options
* Enable and verify Cisco IOS IPS operations using SDM

Implement IPsec VPN on Cisco routers using SDM

* Explain IKE protocol functionality and phases
* Describe the building blocks of IPsec and the security functions it provides
* Explain hash-based message authentication code (HMAC) operations
* Explain the different methods of encryption
* Explain the purpose of the Diffie-Hellman key agreement protocol
* Describe how IPsec establishes origin authentication
* Describe the PKI environment at a high level
* Describe the different types of IPsec VPN implementations
* Configure and verify an IPsec site-to-site VPN with pre-shared key authentication using SDM
* Explain Cisco Easy VPN Server and Cisco Easy VPN Remote
* Configure and verify remote access VPNs using the Cisco Easy VPN Server feature of Cisco SDM