Security Curriculum Course Outline
10/13/2009
IINS Course Outline
Overview
Implementing Cisco IOS Network Security (IINS) v1.0 is an instructor-led course presented by Cisco training partners to their end-user customers. This five-day course focuses on the necessity of a comprehensive security policy and how it affects the posture of the network. Learners will be able to perform basic tasks to secure a small branch-office network using Cisco IOS security features available through web-based GUIs (Cisco Router and Security Device Manager [SDM]) and the command-line interface (CLI) on Cisco routers and switches.
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Develop a comprehensive network security policy to counter threats against information security
Configure routers on the network perimeter with Cisco IOS Software security features
Configure firewall features including ACLs and Cisco IOS zone-based firewalls to perform basic security operations on a network
Configure site-to-site VPNs using Cisco IOS features
Configure IPS on Cisco network routers
Configure LAN devices to control access, resist attacks, shield other network devices and systems, and protect the integrity and confidentiality of network traffic
Introduction to Network Security Principles
Perimeter Security
Network Security Using Cisco IOS Firewalls
Site-to-Site VPNs
Network Security Using Cisco IOS IPS
LAN, SAN, Voice, and Endpoint Security
Overview
Describe how sophisticated attack tools and open networks generate an increased need for network security and dynamic security policies
Describe the three primary objectives of security
Describe the different classifications of data that are used by the private sector and the public sector
Describe the three primary types of security controls
Describe some of the factors that are involved in responding to a security breach
Identify key laws and codes of ethics that are binding on INFOSEC professionals
The Need for Network Security
Network Security Objectives
Data Classification
Security Controls
Response to a Security Breach
Laws and Ethics
Describe network adversaries, motivations, and classes of attack
Describe how hackers work so that you have a better appreciation of the threats they pose
Describe the concept of defense in depth
Describe how attackers use IP spoofing to launch various types of attacks
Describe several attack methods that attackers use to compromise confidentiality
Describe several attack methods that attackers use to compromise integrity
Describe several attack methods that attackers use to compromise availability
Describe some best practices that can help defend your network against hackers
Adversaries, Motivations, and Classes of Attack
How Hackers Think
The Principles of Defense in Depth
IP Spoofing Attacks
Confidentiality Attacks
Integrity Attacks
Availability Attacks
Best Practices to Defeat Network Attacks
The lesson includes this activity: Lab 1-1: Embedding a Secret Message Using Steganography
Describe the SDLC and how you use it to design a Secure Network Lifecycle management process
Identify key operations security principles
Explain various network security testing techniques and tools
Explain the principles of disaster recovery and business continuity planning and give examples of how they are practiced
Secure Network Lifecycle Management
Principles of Operations Security
Network Security Testing
Disaster Recovery and Business Continuity Planning
Lab 1-2: Scanning a Computer System Using Testing Tools
Lab 1-3: Scanning a Network Using Testing Tools
Describe the essential functions and goals of a security policy and how to use them to create a security policy
Identify commonly used policy documents and standards, and explain the differences between these standards and procedures
Course Administration Guide
Identify the various roles that are played within an enterprise for the development and maintenance of a security policy
Describe the role that risk management plays in the development of a security policy
Describe the system-level security principles that should be considered throughout the lifecycle of a secure network
Describe how training and other awareness techniques can help to increase the effectiveness of a security policy
Security Policy Overview
Policies, Standards, and Procedures
Roles and Responsibilities
Risk Management
Principles of Secure Network Design
Security Awareness
Describe how changing threats and challenges demand a new approach to network security
Describe the components of the Cisco Self-Defending Network strategy
Describe the positioning and benefits of the Cisco integrated security portfolio
Changing Threats and Challenges
Building a Cisco Self-Defending Network
Cisco Integrated Security Portfolio
Describe the security features of the Cisco IOS Software on Cisco routers
Describe the security features of the Cisco Integrated Services Routers
Configure passwords and login failure rates using the CLI to secure administrative access to Cisco routers
Configure multiple privilege levels using the CLI to secure administrative access to Cisco routers
Configure role-based CLI access to create views
Configure the Cisco IOS resilient configuration feature using the CLI to secure the Cisco IOS image and configuration file
Configure virtual login connection security using the CLI
Configure a banner message using the CLI to secure administrative access to Cisco routers
Cisco IOS Security Features
Introducing the Cisco Integrated Services Router Family
Configuring Secure Administrative Access
Setting Multiple Privilege Levels
Configuring Role-Based CLI Access
Securing the Cisco IOS Image and Configuration Files
Configuring Enhanced Support for Virtual Logins
Configuring Banner Messages
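The following configuration is an added example of the CLI side of this lesson, not taken from the course materials: password policy, login failure handling, a reduced privilege level, the resilient configuration feature, VTY hardening and a login banner on one router. All passwords, the management subnet 10.0.0.0/24 and the account names are placeholders chosen for illustration.

```cisco
! Added example (not from the course): administrative-access hardening from the CLI.
! Passwords, usernames and the 10.0.0.0/24 management subnet are placeholders.
!
! Passwords: minimum length, MD5-hashed enable secret (never "enable password"),
! and type-7 obfuscation of any remaining cleartext strings in the configuration.
security passwords min-length 10
enable secret Str0ngEnableSecret!
service password-encryption
username admin privilege 15 secret Str0ngAdminPassword!
!
! Login failure rate: 3 failures within 60 seconds block all logins for 120 seconds,
! except from the management stations in ACL 10, so an attacker cannot lock out staff.
access-list 10 permit 10.0.0.0 0.0.0.255
login block-for 120 attempts 3 within 60
login quiet-mode access-class 10
login delay 2
login on-failure log
login on-success log
!
! Multiple privilege levels: an operator at level 5 may look at interfaces and
! clear counters but gets no configuration commands.
privilege exec level 5 show ip interface brief
privilege exec level 5 show interfaces
privilege exec level 5 clear counters
enable secret level 5 Level5Secr3t!
username operator privilege 5 secret Operat0rPassword!
!
! Resilient configuration: the running image and a copy of the startup
! configuration are hidden in flash and survive "erase" and "format" from the CLI.
secure boot-image
secure boot-config
!
! Virtual login security: idle timeout, local authentication, SSH only.
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
!
! Banner: a legal notice that reveals nothing about the device or owner.
! The delimiter ($ here) must not occur anywhere in the banner text.
banner motd $
Unauthorized access to this device is prohibited.
All activity is monitored and logged.
$
!
! Verification (exec mode):
!   show login              (block-for parameters and whether quiet mode is active)
!   show login failures
!   show privilege
!   show secure bootset
```

The quiet-mode ACL is the piece most often forgotten: without it, a remote attacker who deliberately triggers the block period denies the administrators access as well.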
Lesson 2: Introducing Cisco SDM
This lesson describes the features and wizards of Cisco SDM, and describes how to launch and navigate Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the key features, concepts, and purpose of Cisco SDM
Set up a router to run Cisco SDM and Cisco SDM Express
Launch Cisco SDM Express to configure a new router
Launch Cisco SDM
Navigate Cisco SDM
Describe the common wizards available in Cisco SDM
Cisco SDM Overview
Supporting Cisco SDM and Cisco SDM Express
Launching Cisco SDM Express
Launching Cisco SDM
Navigating the Cisco SDM Interface
Cisco SDM Wizards
Lesson 3: Configuring AAA on a Cisco Router Using the Local Database
This lesson describes how to configure a Cisco router to perform authentication, authorization, and accounting (AAA) against its local user database using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functions and importance of AAA
Describe the different ways to implement AAA services on Cisco routers
Describe the steps to authenticate user access to a Cisco router using a local database
Configure AAA using Cisco SDM to support using the local database
Troubleshoot AAA on a Cisco router using the debug aaa command
AAA Overview
Introduction to AAA for Cisco Routers
Using Local Services to Authenticate Router Access
Configuring Local Database Authentication Using AAA
Troubleshooting AAA on Cisco Routers
Lab 2-2: Configuring AAA on Cisco Routers to Use the Local Database
Lesson 4: Configuring AAA on a Cisco Router to Use Cisco Secure ACS
This lesson describes the operation of external AAA sources such as RADIUS and TACACS+ servers and how to configure a Cisco router to use Cisco Secure Access Control Server (ACS) to perform AAA. Upon completing this lesson, the learner will be able to meet these objectives:
List the features and benefits of Cisco Secure ACS products and describe their function in a network security solution
Describe and compare the TACACS+ and RADIUS protocols
Install Cisco Secure ACS for Windows
Configure the Cisco Secure ACS server
Configure Cisco routers to use TACACS+ as the AAA protocol using the CLI and Cisco SDM
Troubleshoot TACACS+ using debug commands from the CLI
Cisco Secure ACS Overview
TACACS+ and RADIUS Protocols
Installing Cisco Secure ACS for Windows
Configuring the Server
Configuring TACACS+ Support on a Cisco Router
Troubleshooting TACACS+
Lab 2-3: Configuring AAA on Cisco Routers to Use Cisco Secure ACS
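The router side of this lesson, as an added example that is not part of the course materials: TACACS+ authentication, authorization and accounting against a Cisco Secure ACS server, with the local database as a fallback that is used only when the server does not answer. The server address 10.0.0.10, the shared key, the account names and Loopback0 as the source interface are assumptions for the example; the debug and test commands at the end are those the troubleshooting topic refers to.

```cisco
! Added example (not from the course): TACACS+ AAA with local fallback.
! Assumed: Cisco Secure ACS at 10.0.0.10, management traffic sourced from Loopback0.
aaa new-model
!
! Local fallback account, used only when every TACACS+ server is unreachable.
username admin privilege 15 secret Str0ngLocalFallback!
!
! TACACS+ server definition (IOS 12.4 syntax); one persistent TCP session.
tacacs-server host 10.0.0.10 single-connection
tacacs-server key SharedTacacsKey!42
ip tacacs source-interface Loopback0
!
! Method lists are tried left to right. "local" is reached only when the
! TACACS+ server times out; a rejected login is final and does NOT fall back.
aaa authentication login VTY-AUTH group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Accounting: session start/stop and every privilege-15 command, attributed to the user.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! The console keeps its own list so a broken ACS can never lock out on-site staff.
aaa authentication login CONSOLE-AUTH local
line con 0
 login authentication CONSOLE-AUTH
line vty 0 4
 login authentication VTY-AUTH
 transport input ssh
 exec-timeout 10 0
!
! Troubleshooting (exec mode). Test the server before relying on it:
!   test aaa group tacacs+ admin <password> legacy
!   show tacacs
!   debug aaa authentication
!   debug aaa authorization
!   debug tacacs
```

Configure the command-authorization policy on the ACS before enabling "aaa authorization commands" on the router; with the server reachable but the user's command set empty, every command is denied and the local fallback does not apply.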
Lesson 5: Implementing Secure Management and Reporting
This lesson describes how to securely implement the management and reporting features of syslog, Simple Network Management Protocol (SNMP), Secure Shell (SSH), and Network Time Protocol (NTP). Upon completing this lesson, the learner will be able to meet these objectives:
Describe the factors you must consider when planning the secure management and reporting configuration of network devices
Describe the architecture of secure management and reporting
Describe the key role that syslog plays in network security
Use Cisco SDM to monitor log messages
Describe the security features of SNMPv3
Configure an SSH daemon for secure management and reporting
Enable time features with Cisco SDM
Planning Considerations for Secure Management and Reporting
Secure Management and Reporting Architecture
Using Syslog Logging for Network Security
Using Logs to Monitor Network Security
Using SNMP
Configuring an SSH Daemon for Secure Management and Reporting
Enabling Time Features
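An added example, not from the course, of the SSH daemon, syslog and authenticated NTP configuration this lesson describes, done from the CLI. The hostname, domain name, syslog server 10.0.0.20, NTP server 10.0.0.30 and management subnet 10.0.0.0/24 are assumed values. SNMPv3 is left out here; it appears in the management-plane example later in this outline.

```cisco
! Added example (not from the course): SSH, syslog and authenticated NTP.
! Assumed: syslog server 10.0.0.20, NTP server 10.0.0.30, management subnet 10.0.0.0/24.
hostname R1
ip domain-name example.net
!
! SSH needs a hostname, a domain name and an RSA key pair. 2048-bit keys, SSHv2 only,
! short negotiation timeout and few retries slow down password guessing.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username admin privilege 15 secret Str0ngLocalPassword!
access-list 10 remark Management stations allowed to open VTY sessions
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
! No cleartext management path is left open.
no ip http server
!
! Syslog: millisecond timestamps with time zone so events can be correlated with
! the collector, sequence numbers to detect lost messages, a local buffer for when
! the collector is unreachable, and a fixed source address for the collector's ACLs.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
logging buffered 64000 informational
logging host 10.0.0.20
logging trap informational
logging source-interface Loopback0
!
! NTP with authentication: trusted time is what makes log timestamps and
! certificate validity checks meaningful. Only servers presenting key 1 are used.
clock timezone UTC 0
ntp authenticate
ntp authentication-key 1 md5 NtpSharedKey1
ntp trusted-key 1
ntp server 10.0.0.30 key 1
ntp source Loopback0
!
! Verification (exec mode):
!   show ip ssh                      (version 2.0, timeout, retries)
!   show ssh                         (active sessions)
!   show logging
!   show ntp status
!   show ntp associations detail     (the server should show "authenticated" and "sane")
```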
Lesson 6: Locking Down the Router
This lesson describes how to examine router configurations with the Security Audit feature of Cisco SDM and make the router and network more secure by using the one-step lockdown feature in Cisco SDM or the auto secure CLI command. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the router services and interfaces that are vulnerable to network attacks
Explain the vulnerabilities posed by commonly configured router management services
Use the Cisco SDM Security Audit feature to determine and to fix router security vulnerabilities
Use the Cisco SDM one-step lockdown feature or the CLI auto secure command to secure a router
Explain the limitations of using the Cisco SDM one-step lockdown feature or the CLI auto secure command
Vulnerable Router Services and Interfaces
Management Service Vulnerabilities
Performing a Security Audit
Locking Down a Cisco Router
Limitations and Cautions
Lab 2-5: Using Cisco SDM One-Step Lockdown and Security Audit
Describe the role of firewalls in securing networks
Describe the role of firewalls in a layered defense strategy
Describe how a static packet filter allows or blocks data packets as they pass through a network interface
Describe how application layer or proxy firewalls control or monitor inbound and outbound traffic
Describe how dynamic or stateful inspection packet filtering improves network security and performance
Describe additional types of firewalls, including application inspection firewalls and transparent firewalls
Describe the features of the Cisco IOS Firewall, Cisco PIX 500 Series Security Appliances, and Cisco ASA 5500 Series Adaptive Security Appliances
Develop an effective firewall policy that is based on firewall best practices
Firewall Fundamentals
Firewalls in a Layered Defense Strategy
Static Packet Filtering Firewalls
Application Layer Gateways
Dynamic or Stateful Packet Filtering Firewalls
Other Types of Firewalls
Cisco Family of Firewalls
Developing an Effective Firewall Policy
Lesson 2: Creating Static Packet Filters Using ACLs
This lesson describes how to create static packet filters using ACLs. Upon completing this lesson, the learner will be able to meet these objectives:
Explain how ACLs are used to control access in networks
Define wildcard masks and explain how they are used by ACLs
Configure and apply ACLs to router interfaces using the CLI
Explain the caveats you must consider when creating ACLs
Configure standard and extended ACLs using Cisco SDM
Configure ACLs to protect common network services
ACL Fundamentals
ACL Wildcard Masking
Using ACLs to Control Traffic
ACL Considerations
Configuring ACLs Using SDM
Using ACLs to Permit and Deny Network Services
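As an added example (not from the course) of what this lesson covers, the following named extended ACL protects the Internet-facing interface of a branch router and shows wildcard masking, top-down evaluation, the implicit deny and the difference between ip access-group and access-class. The addresses (outside interface 192.0.2.1, inside LAN 10.1.1.0/24, management host 203.0.113.50) and interface names are assumed.

```cisco
! Added example (not from the course): stateless perimeter ACL on a branch router.
! Assumed: outside FastEthernet0/0 = 192.0.2.1, inside LAN 10.1.1.0/24,
! management host 203.0.113.50, inside hosts NATed to 192.0.2.1.
!
! Wildcard masks are the inverse of subnet masks: a 0 bit must match the
! address bit, a 1 bit is ignored.
!   10.1.1.0  0.0.0.255      -> 10.1.1.0/24
!   10.1.0.0  0.0.255.255    -> 10.1.0.0/16
!   10.1.1.0  0.0.0.15       -> 10.1.1.0/28
!   host 10.1.1.5            -> 10.1.1.5 0.0.0.0
!   any                      -> 0.0.0.0 255.255.255.255
!
ip access-list extended OUTSIDE-IN
 remark --- Anti-spoofing: nothing from the Internet may claim an inside or reserved source
 deny   ip 10.1.1.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 remark --- Management: SSH to the router from the management host only.
 remark --- Order matters: the permit must precede the broader deny.
 permit tcp host 203.0.113.50 host 192.0.2.1 eq 22
 deny   tcp any host 192.0.2.1 eq 22 log
 deny   tcp any host 192.0.2.1 eq telnet log
 deny   udp any host 192.0.2.1 eq snmp log
 remark --- Return traffic for sessions started inside. This is stateless: the
 remark --- established keyword only checks TCP flags. Stateful inspection is the
 remark --- next lesson, and an inbound interface ACL is evaluated before it.
 permit tcp any host 192.0.2.1 gt 1023 established
 permit udp any eq domain host 192.0.2.1 gt 1023
 remark --- ICMP needed for path MTU discovery and troubleshooting, nothing else
 permit icmp any host 192.0.2.1 echo-reply
 permit icmp any host 192.0.2.1 unreachable
 permit icmp any host 192.0.2.1 time-exceeded
 remark --- Every ACL ends with an implicit "deny ip any any". This explicit copy
 remark --- exists only so that dropped packets are counted and logged.
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Protecting a service on the router itself: VTY access is restricted with a
! standard ACL and access-class, not ip access-group.
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
!
! Verification: per-entry hit counters show which line a packet actually matched.
!   show access-lists OUTSIDE-IN
!   show ip interface FastEthernet0/0 | include access list
```

A common mistake this layout avoids is placing a broad permit (for example the established entry) above the anti-spoofing denies; because the first match wins, the denies would then never be reached.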
Lesson 3: Configuring Cisco IOS Zone-Based Policy Firewall
This lesson describes how to configure a Cisco IOS zone-based policy firewall on your network using the Cisco SDM wizard. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the principles of zone-based policy firewalls
Configure a zone-based policy firewall using the Cisco SDM Basic Firewall wizard
Configure a zone-based policy firewall manually using Cisco SDM
Verify the zone-based policy firewall configuration using Cisco SDM and the CLI
Zone-Based Policy Firewall Overview
Configuring Zone-Based Policy Firewalls Using the Basic Firewall Wizard
Manually Configuring Zone-Based Policy Firewalls Using Cisco SDM
Monitoring a Zone-Based Policy Firewall
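The CLI equivalent of what the Basic Firewall wizard produces, as an added example that is not part of the course: two zones, a class map, an inspect policy and a single zone pair. The interface roles (FastEthernet0/1 LAN, FastEthernet0/0 Internet) and the protocol list are assumptions for the example.

```cisco
! Added example (not from the course): two-zone zone-based policy firewall.
! Assumed: FastEthernet0/1 = LAN (INSIDE), FastEthernet0/0 = Internet (OUTSIDE).
!
! 1. Zones. Traffic between a zone member and a non-member interface is dropped.
zone security INSIDE
 description Branch LAN
zone security OUTSIDE
 description Internet
!
! 2. Class map: the traffic the policy recognises. match-any = any one line matches.
class-map type inspect match-any INSIDE-TO-OUTSIDE-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
 match protocol icmp
!
! 3. Policy map. "inspect" permits the traffic and tracks its state, so replies
!    are admitted without any OUTSIDE->INSIDE zone pair. Everything else the LAN
!    sends falls into class-default and is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-TRAFFIC
  inspect
 class class-default
  drop log
!
! 4. Zone pair. Direction matters; with no OUTSIDE->INSIDE pair, unsolicited
!    inbound traffic is dropped by default.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 5. Assign interfaces last: the moment an interface joins a zone, its traffic
!    to other zones is governed only by zone pairs.
interface FastEthernet0/1
 zone-member security INSIDE
interface FastEthernet0/0
 zone-member security OUTSIDE
!
! Caveat: traffic to and from the router itself belongs to the built-in "self"
! zone and is permitted by default. Protect it with an OUTSIDE->self zone pair
! or with the interface ACLs from the previous lesson.
!
! Verification:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE
!   show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
```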
Define cryptology, cryptanalysis, and encryption, and explain the symbiotic relationship between cryptanalysis and encryption
Explain the difference between, and the functionality of, symmetric and asymmetric encryption algorithms
Describe the differences between block and stream ciphers
Describe the basic forms of encryption, as well as their differences and their benefits
Explain the importance and function of cryptographic hashes
Explain the importance of key length, key creation, key distribution, key recovery, and key destruction
Describe the basic functions, advantages, and disadvantages of SSL VPNs
Cryptology Overview
Symmetric and Asymmetric Encryption Algorithms
Block and Stream Ciphers
Encryption Algorithm Selection
Cryptographic Hashes
Key Management
Introducing SSL VPNs
Lesson 2: Examining Symmetric Encryption
This lesson describes the methods, algorithms, and purposes of symmetric encryption. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the generic functionality of symmetric encryption algorithms
Describe the features and functions of the DES algorithm
Describe the features and functions of the 3DES algorithm
Describe the features and functions of the AES algorithm
Describe the features and functions of the SEAL algorithm
Describe the features and functions of several algorithms written by Ron Rivest
Symmetric Encryption Overview
DES Features and Functions
3DES Features and Functions
AES Features and Functions
SEAL Features and Functions
Rivest Ciphers Features and Functions
Lesson 3: Examining Cryptographic Hashes and Digital Signatures
This lesson describes the use and purpose of hashes and digital signatures in providing integrity and nonrepudiation. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the generic functionality of hash algorithms and the HMAC variant
Describe the features and functions of the MD5 algorithm
Describe the features and functions of the SHA-1 algorithm
Explain the generic functionality of digital signatures
Describe the features and functions of the DSS
Overview of Hash Algorithms and HMACs
MD5 Features and Functions
SHA-1 Features and Functions
Overview of Digital Signatures
DSS Features and Functions
Lesson 4: Examining Asymmetric Encryption and PKI
This lesson describes the use and purpose of asymmetric encryption and public key infrastructure (PKI). Upon completing this lesson, the learner will be able to meet these objectives:
Explain the generic functionality of asymmetric encryption algorithms
Describe the features and functions of the RSA algorithm
Describe the features and functions of the DH key exchange algorithm
Explain the principles behind a PKI
Explain the PKI standards
Explain the role of CAs and RAs in a PKI
DH Features and Functions
PKI Definitions and Algorithms
PKI Standards
Certificate Authorities
Lesson 5: Examining IPsec Fundamentals
This lesson describes the fundamental concepts, technologies, and terms that IP Security (IPsec) VPNs use. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the purpose and types of VPNs, contrast SSL with IPsec VPNs, and define where to use VPNs in a network
List the Cisco VPN product line and describe the security features of these products
Describe the IPsec protocol and its basic functions
Describe the advantages of IPsec VPNs compared with other types of VPNs
Describe the ESP protocols, the AH protocols, and the tunnel modes that IPsec uses
List and describe the IKE protocols
VPN Overview
Cisco VPN Product Family
Introducing IPsec
IPsec Advantages
IPsec Protocol Framework
IKE Protocol
Lesson 6: Building a Site-to-Site IPsec VPN
This lesson describes how to configure a site-to-site IPsec VPN. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the five steps of IPsec operation
Describe the procedure to configure IPsec
Ensure that ACLs are compatible with IPsec
Describe and configure the IKE parameters using the CLI
Configure the IPsec transform sets using the CLI
Configure the cryptographic ACL and other IPsec settings using the CLI
Configure and apply a cryptographic map to an interface using the CLI
Confirm the IPsec configuration
Site-to-Site IPsec VPN Operations
Configuring IPsec
Site-to-Site IPsec Configuration Step 1
Site-to-Site IPsec Configuration Step 2
Site-to-Site IPsec Configuration Step 3
Site-to-Site IPsec Configuration Step 4
Site-to-Site IPsec Configuration Step 5
Verifying the IPsec Configuration
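The five configuration steps of this lesson carried through on one router, as an added example that is not from the course materials. The topology (R1 outside 192.0.2.1 with LAN 10.1.1.0/24, peer R2 at 203.0.113.2 with LAN 10.2.2.0/24), the pre-shared key and the NAT arrangement are assumptions; R2 receives the mirror image.

```cisco
! Added example (not from the course): crypto-map based site-to-site IPsec on R1.
! Assumed topology:
!   R1 outside 192.0.2.1, LAN 10.1.1.0/24   <--->   R2 outside 203.0.113.2, LAN 10.2.2.0/24
! R2 gets the mirror image (peer address, key address and crypto ACL swapped).
!
! Step 1: make the interface ACL compatible with IPsec. An inbound ACL on the
! outside interface is evaluated before decryption, so IKE (UDP 500), NAT-T
! (UDP 4500) and ESP from the peer must be permitted.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 192.0.2.1 eq isakmp
 permit udp host 203.0.113.2 host 192.0.2.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 192.0.2.1
!
! Step 2: IKE phase 1 policy plus the pre-shared key bound to this peer.
! DH group 14 (2048-bit) assumed available; older images may only offer group 5.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
! Placeholder key: use a long random string, a different one per peer.
crypto isakmp key 7Kq2wVx9pLm4zRt1Nb8c address 203.0.113.2 255.255.255.255
!
! Step 3: transform set (phase 2 algorithms). Tunnel mode is the default for
! site-to-site and is shown explicitly.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Step 4: crypto ACL. "permit" means protect. It must be the exact mirror of the
! peer's crypto ACL; use specific prefixes, never "any".
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Caveat for routers that also do NAT: translation happens before the crypto ACL
! is checked, so VPN traffic must be excluded from the NAT rule or it will leave
! with a translated source and never match.
ip access-list extended NAT-TRAFF-IC
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFF-IC interface FastEthernet0/0 overload
interface FastEthernet0/1
 ip nat inside
!
! Step 5: the crypto map binds peer, transform set and crypto ACL, and is applied
! to the outside interface. One crypto map per interface; more peers are more
! sequence numbers in the same map.
crypto map SITE-TO-SITE 10 ipsec-isakmp
 description Tunnel to R2
 set peer 203.0.113.2
 set transform-set AES256-SHA
 set pfs group14
 match address VPN-TRAFFIC
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map SITE-TO-SITE
!
! Verification. The tunnel is built on demand, so send interesting traffic first
! (for example ping 10.2.2.1 source 10.1.1.1).
!   show crypto isakmp sa         phase 1 up: state QM_IDLE
!   show crypto ipsec sa          phase 2: #pkts encaps / #pkts decaps increasing
!   show crypto map
!   debug crypto isakmp           when phase 1 will not come up (policy or key mismatch)
```

The two silent failure modes worth remembering are a crypto ACL that is not a mirror image (phase 2 negotiates, traffic flows in one direction only) and the NAT ordering above (phase 1 never even starts, because nothing matches the crypto ACL).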
Lesson 7: Configuring IPsec on a Site-to-Site VPN Using Cisco SDM
This lesson describes how to configure a site-to-site IPsec VPN with preshared key (PSK) authentication using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to navigate the Cisco SDM site-to-site VPN Wizard interface
Describe the components that you configure when you use the Cisco SDM site-to-site VPN wizard
Configure the site-to-site VPN tunnel connections using the Cisco SDM wizards
Complete the site-to-site VPN configuration using Cisco SDM and verify the VPN configuration
Introducing the Cisco SDM VPN Wizard Interface
Site-to-Site VPN Components
Using the Cisco SDM Wizards to Configure Site-to-Site VPNs
Completing the Configuration
Describe the functions and operations of IDS and IPS systems
Describe the types of IDS and IPS systems
Describe IPS technologies, attack responses, and monitoring options such as syslog and SDEE
Describe host and network-based IDS and IPS monitoring
Explain the available Cisco IPS appliances
Explain how IDS and IPS signatures are used to detect malicious network traffic and describe different types of signatures
Describe signature micro-engines
Describe the role of signature alarms in a Cisco IPS solution
Describe IPS policies and best practices
Introducing IDS and IPS
Types of IDS and IPS Systems
Intrusion Prevention Technologies
Host and Network IPS
Introducing Cisco IPS Appliances
Introducing Signatures
Examining Signature Micro-Engines
Introducing Signature Alarms
IPS Best Practices
Lesson 2: Configuring Cisco IOS IPS Using Cisco SDM
This lesson describes how to configure Cisco IOS IPS using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the IPS features of Cisco IOS Software
Configure Cisco IOS IPS using Cisco SDM
Configure IPS signatures using Cisco SDM
Monitor a Cisco IOS IPS router using Cisco SDM and the CLI
Verify Cisco IOS IPS operations
Cisco IOS IPS Features
Configuring Cisco IOS IPS Using Cisco SDM
Configuring IPS Signatures
Monitoring IOS IPS
Verifying IPS Operation
Describe what endpoint security is and the fundamental principles that are involved in host security
Describe buffer overflows and the threat that they present
Describe the features of IronPort products and how they enhance and complement endpoint security
Describe the features of the Cisco NAC Appliance and how it enhances and complements endpoint security
Describe the functions of Cisco Security Agent at a high level and describe how it provides endpoint security
Provide a list of basic host security principles
What Is Endpoint Security?
Buffer Overflows
IronPort
Cisco NAC Products
Cisco Security Agent
Endpoint Security Best Practices
Lesson 2: Examining SAN Security
This lesson describes the risks and countermeasures for storage area network (SAN) security. Upon completing this lesson, the learner will be able to meet these objectives:
Describe a SAN and its benefits
Describe the basic principles of SANs
Explain various security strategies that can be used to compartmentalize data for security purposes
Lesson 3: Examining Voice Security
This lesson describes the risks and countermeasures for IP telephony. Upon completing this lesson, the learner will be able to meet these objectives:
Describe VoIP fundamentals
Describe security threats to VoIP networks
Define SPIT and describe how it poses a security threat against voice-enabled networks
Explain how fraud can cost VoIP customers considerable sums of money
Describe various SIP vulnerabilities
Describe how to prevent hacking on VoIP networks
VoIP Fundamentals
Voice Security Threats
Spam over IP Telephony
Fraud
SIP Vulnerabilities
Defending Against VoIP Hacking
Lesson 4: Mitigating Layer 2 Attacks
This lesson describes how to mitigate Layer 2 attacks against network topologies and protocols. Upon completing this lesson, the learner will be able to meet these objectives:
Explain how basic switch operation makes networks vulnerable to attacks at Layer 2
Configure Cisco switches to mitigate VLAN attacks
Explain how to prevent STP manipulation
Describe how an attacker can flood a switch by launching a CAM table overflow attack
Describe how a MAC spoofing attack can be launched and mitigated
Describe and configure port security as a key step in defending networks from Layer 2 attacks
Describe some of the additional features available in Cisco switch security including SPAN, RSPAN, and storm control
Describe Layer 2 best practices and explain how they mitigate attacks on specific areas of Layer 2 hardware and software components
Basic Switch Operation
Mitigating VLAN Attacks
Preventing STP Manipulation
CAM Table Overflow Attacks
MAC Address Spoofing Attacks
Using Port Security
Additional Switch Security Features
Layer 2 Best Practices
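An added example, not part of the course, of the access-switch countermeasures this lesson lists: port security against CAM overflow and MAC spoofing, BPDU guard against STP manipulation, DTP and native-VLAN settings against VLAN hopping, and storm control. The port ranges, VLAN numbers and the Catalyst interface names are assumptions for the example.

```cisco
! Added example (not from the course): Layer 2 hardening on a Catalyst access switch.
! Assumed: user ports Fa0/1-16 in VLAN 10, spare ports Fa0/17-24, uplink Gi0/1,
! VLAN 999 as an unused native VLAN, VLAN 666 as a black-hole VLAN for spare ports.
!
vlan 10
 name USERS
vlan 666
 name BLACKHOLE
vlan 999
 name NATIVE-UNUSED
!
spanning-tree mode rapid-pvst
! Every PortFast port gets BPDU guard: a switch or bridge plugged into a user
! port is err-disabled instead of taking part in (or taking over) spanning tree.
spanning-tree portfast bpduguard default
!
! --- User ports
interface range FastEthernet0/1 - 16
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 ! Port security: at most 2 MAC addresses (PC plus phone), learned and kept
 ! ("sticky"), aged out after 2 minutes of inactivity. "restrict" drops frames
 ! from unknown MACs and logs, leaving the port up; "shutdown" err-disables it.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging time 120
 switchport port-security aging type inactivity
 ! Storm control: cap broadcast at 1% and multicast at 5% of bandwidth, send a trap.
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
!
! --- Spare ports: disabled and parked in a VLAN that is routed nowhere
interface range FastEthernet0/17 - 24
 switchport mode access
 switchport access vlan 666
 switchport nonegotiate
 shutdown
!
! --- Uplink trunk: DTP off, a native VLAN nobody uses (defeats double-tagging),
!     and an explicit allowed list instead of "all VLANs".
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport nonegotiate
! On ports that face another access switch (not the uplink toward the root)
! add "spanning-tree guard root" so that switch can never become root.
!
! Recover err-disabled ports automatically after 5 minutes.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show interfaces status err-disabled
!   show spanning-tree summary          (BPDU guard enabled by default)
!   show interfaces trunk
```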
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Implement Layer 2 security features on a network using Cisco IOS commands
Implement Cisco Network Foundation Protection on Cisco IOS routers
Design, install, configure, and troubleshoot site-to-site VPNs using Cisco Integrated Services routers
Design, install, configure, and troubleshoot remote-access communications using Cisco IOS security features
Install, configure, and troubleshoot URL filtering, NAT and PAT, Cisco IOS Classic Firewall, Cisco IOS Zone-Based Policy Firewall, and Cisco IOS IPS on a Cisco Integrated Services router
Course Introduction
Network Platform Security with Switches
Network Platform Security with Routers
Secure Site-to-Site Communications
Secure Remote Access Communications
Threat Control and Containment
This lesson describes how to implement some of the advanced security features of Cisco IOS switches. Upon completing this lesson, the learner will be able to meet these objectives:
Describe and configure the different types of ACLs available on switches
Explain how to use PVLANs to partition the Layer 2 broadcast domain of a VLAN into subdomains to improve scalability and security
Mitigate DHCP attacks using the Cisco DHCP snooping feature
Mitigate ARP spoofing using DAI
Configure IP Source Guard to provide source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host
Describe Layer 2 best practices
Examining Switch ACLs
Understanding PVLANs
Mitigating DHCP Server Attacks
Mitigating ARP Spoofing Using DAI
Examining IP Source Guard
Layer 2 Best Practices
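The three features of this lesson that build on one another, as an added example not taken from the course: DHCP snooping creates the binding table, Dynamic ARP Inspection and IP Source Guard enforce it. The Catalyst 2960 protected-port form of PVLAN isolation is included as well. The VLAN number, port names, and the statically addressed printer (10.1.10.50, 0011.2233.4455 on Fa0/5) are assumptions.

```cisco
! Added example (not from the course): DHCP snooping, DAI, IP Source Guard and
! protected ports on one access switch.
! Assumed: user VLAN 10, uplink Gi0/1 toward the legitimate DHCP server,
! a printer with a static address 10.1.10.50 / 0011.2233.4455 on Fa0/5.
!
! 1. DHCP snooping: only trusted ports may send DHCP server messages (OFFER/ACK),
!    and every lease seen on an untrusted port is recorded in the binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
! Many DHCP servers drop relayed requests that carry option 82 with giaddr 0;
! leave insertion off unless the server is known to accept it.
no ip dhcp snooping information option
!
! 2. DAI: every ARP packet on an untrusted port must match a binding, which
!    stops ARP poisoning of the gateway or of other hosts. Also validate the
!    Ethernet headers against the ARP body.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink to distribution and DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! A host never needs more than a few DHCP or ARP packets per second;
 ! exceeding the limit err-disables the port.
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! 3. IP Source Guard: drop IP packets whose source IP (and, with the
 !    port-security keyword, source MAC) is not in the binding table.
 ip verify source port-security
 ! Protected ports (the Catalyst 2960 form of PVLAN edge): protected ports
 ! cannot forward to one another at Layer 2, only to unprotected ports such
 ! as the uplink, so hosts in the same VLAN cannot attack each other directly.
 switchport protected
!
! A host that never uses DHCP needs a static binding (for IPSG) and an ARP ACL
! (for DAI), otherwise its traffic is dropped.
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface FastEthernet0/5
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Let rate-limited ports recover automatically after 5 minutes.
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10    (forwarded vs dropped counters)
!   show ip verify source
```

Enable the features in that order on a live network: snooping first, wait until the binding table has filled through normal lease renewals, then DAI and IP Source Guard; turned on all at once, every host holding a lease that was granted before snooping started is cut off.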
This lesson describes the Cisco Identity Based Networking Services (IBNS) model and explains how IEEE 802.1X helps to control network access. Upon completing this lesson, the learner will be able to meet these objectives:
Explain how Cisco IBNS improves the security of physical and logical access to LANs with the capabilities defined in 802.1X
Describe the 802.1X standard and 802.1X components
Examine Cisco Secure Services Client Version 5.0 and its enterprise management tools
Explain the processes used in 802.1X
Explain the different EAP types that are available for an 802.1X implementation
Explain how various logs, such as ACS logs and Cisco Security MARS logs, can be used to examine 802.1X events
Cisco IBNS Overview
802.1X Components
Cisco Secure Services Client Version 5.0
802.1X Operations
EAP Types
Reporting and Monitoring Cisco IBNS
This lesson describes how to configure basic IEEE 802.1X port-based authentication using Cisco Secure Access Control Server (ACS) and a Cisco Catalyst 2960 Series Switch from the command-line interface (CLI). Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functions and features of Cisco Secure ACS for Windows Server
Configure simple 802.1X authentication using the Windows supplicant
Explain the different 802.1X host modes
Configure 802.1X timers
Use show and debug commands to verify and test 802.1X operation
Cisco Secure ACS for Windows Overview
Configuring 802.1X Authentication
802.1X Host Modes
Configuring 802.1X Timers
Verify 802.1X Operation
This lesson describes how to configure advanced 802.1X port-based authentication and authorization on a Cisco Catalyst 2960 Series Switch using the command-line interface (CLI). Upon completing this lesson, the learner will be able to meet these objectives:
Describe methods you can use to support devices that do not support 802.1X
Configure guest VLANs to support hosts that do not have a supplicant
Configure restricted VLANs to support hosts that have a supplicant but fail to authenticate
Configure MAC authentication bypass for hosts that have known MAC addresses but do not have an 802.1X supplicant
Configure inaccessible authentication bypass to support an unavailable RADIUS server
Explain how to configure web authentication
Configure 802.1X dynamic VLAN assignment
Use show commands to verify the MAC authentication bypass and inaccessible authentication bypass operation
Explain several special situations that can occur with 802.1X deployments
Authenticating Without 802.1X
Guest VLANs
Restricted VLANs
MAC Authentication Bypass
Inaccessible Authentication Bypass
Web Authentication Proxy
802.1X Dynamic VLAN Assignments
Testing and Verifying 802.1X
Special Situations with 802.1X
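One access port carrying both the basic 802.1X configuration of the previous lesson (host mode, timers, RADIUS server) and the fallbacks of this lesson (guest VLAN, restricted VLAN, MAB, inaccessible authentication bypass, dynamic VLAN assignment), as an added example that is not from the course. It uses the "authentication ..." command form of Catalyst IOS 12.2(50)SE and later, which is an assumption about the image; older images spell the same features "dot1x port-control", "dot1x guest-vlan" and so on. The RADIUS server 10.0.0.5, shared key and VLAN numbers are placeholders.

```cisco
! Added example (not from the course): basic and advanced 802.1X on a Catalyst 2960 port.
! Assumed image: IOS 12.2(50)SE or later ("authentication ..." syntax).
! Assumed: RADIUS/ACS server 10.0.0.5, data VLAN 10, guest VLAN 50,
! restricted VLAN 60, critical VLAN 70 (used while the RADIUS server is dead).
!
aaa new-model
aaa authentication dot1x default group radius
! Network authorization is required before the server can push a VLAN.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key Rad1usSharedKey!
! Declare the server dead after 3 unanswered tries within 10 s, for 5 minutes,
! so inaccessible authentication bypass kicks in quickly instead of per-host timeouts.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
dot1x system-auth-control
!
vlan 50
 name GUEST
vlan 60
 name RESTRICTED
vlan 70
 name CRITICAL
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! Basic 802.1X: the port starts unauthorized and passes only EAPOL.
 authentication port-control auto
 ! Host mode: multi-domain = one data device plus one IP phone. Use single-host
 ! for a lone PC, multi-auth to authenticate every MAC behind a hub separately.
 authentication host-mode multi-domain
 ! Try 802.1X first, then MAC Authentication Bypass for printers and the like.
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 ! No supplicant (EAPOL never answered): guest VLAN.
 authentication event no-response action authorize vlan 50
 ! Supplicant present but credentials rejected, after 2 retries: restricted VLAN.
 authentication event fail retry 2
 authentication event fail action authorize vlan 60
 ! All RADIUS servers dead: critical VLAN; re-authenticate when one returns.
 authentication event server dead action authorize vlan 70
 authentication event server alive action reinitialize
 ! Periodic re-authentication using the Session-Timeout the server returns.
 authentication periodic
 authentication timer reauthenticate server
 ! Timers: EAP-Request/Identity every tx-period seconds, max-reauth-req retries,
 ! so a host without a supplicant reaches the guest VLAN after about
 ! (2 + 1) * 10 = 30 seconds instead of the default 90.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Dynamic VLAN assignment: the Access-Accept from the server carries
!   Tunnel-Type = VLAN (13)
!   Tunnel-Medium-Type = IEEE-802 (6)
!   Tunnel-Private-Group-ID = <VLAN name or number>
! and the VLAN must already exist on the switch.
!
! Verification:
!   show authentication sessions interface FastEthernet0/1
!   show dot1x interface FastEthernet0/1 details
!   show mab interface FastEthernet0/1 detail
!   show dot1x statistics interface FastEthernet0/1
!   debug dot1x events
!   debug radius authentication
```

For a MAB device the ACS needs an account whose username and password are both the MAC address in the format the switch sends; a typo there shows up as the device repeatedly landing in the restricted VLAN rather than a clean failure.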
Lab 1-3: Configure Advanced 802.1X Authentication
Lab 1-4: Configure 802.1X VLAN Assignments
Module 2: Network Platform Security with Routers
Upon completing this module, the learner will be able to implement Cisco Network Foundation Protection on Cisco IOS routers.
Lesson 1: Examining the Cisco Network Foundation Protection Strategy
This lesson describes the Cisco Network Foundation Protection strategy. Upon completing this lesson, the learner will be able to meet these objectives:
Describe Cisco Network Foundation Protection in general
Describe the features and benefits of Cisco Network Foundation Protection
Describe the Cisco AutoSecure feature of Cisco routers
Cisco Network Foundation Protection Overview
Cisco Network Foundation Protection Services and Benefits
Cisco AutoSecure
Supported Platforms
This lesson describes tools that are used to secure the control plane of a Cisco router. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the control plane of a router
Describe the basic function and benefits of CPPr
Explain the benefit of routing protocol authentication and how to configure routers
Describe CPU and memory threshold notifications
The Control Plane
Control Plane Protection
Routing Protocol Protection
CPU and Memory Thresholding
This lesson describes how to protect the management plane of Cisco devices. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the management plane and configure common secure management protocols
Configure HTTPS
Describe and configure the Role-Based CLI Access feature
Describe and configure the Cisco MPP feature
Describe and configure SNMPv3
The Management Plane
Secure Management Services
Role-Based Access Control
Cisco IOS MPP
SNMPv3 Architecture
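The four configuration items of this lesson on one router, as an added example not taken from the course: a parser view for role-based CLI access (also the subject of the IINS administrative-access lesson earlier in this outline), HTTPS in place of HTTP, Management Plane Protection and SNMPv3 with authentication and privacy. The inside interface FastEthernet0/1 as the only management interface, the NMS at 10.0.0.20, the management subnet 10.0.0.0/24 and all secrets are assumptions.

```cisco
! Added example (not from the course): management-plane protection on an ISR.
! Assumed: FastEthernet0/1 (inside) is the only management path, NMS at 10.0.0.20,
! management subnet 10.0.0.0/24. All secrets are placeholders.
!
ip cef
aaa new-model
enable secret Str0ngEnableSecret!
!
! Role-based CLI access: a helpdesk view that may look but not configure.
! Views are created from the root view ("enable view", using the enable secret).
parser view HELPDESK
 secret HelpdeskV1ew!
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include show logging
 commands exec include show ip route
 commands exec include ping
 commands exec include traceroute
username helpdesk view HELPDESK secret HelpdeskUs3r!
username admin privilege 15 secret Str0ngAdminPassword!
!
! HTTPS only (for SDM); the cleartext HTTP server stays off and access is
! limited to the management subnet.
access-list 10 permit 10.0.0.0 0.0.0.255
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! Management Plane Protection: the listed protocols are accepted only on the
! designated interface. An SSH or SNMP packet arriving on the Internet interface
! is dropped in CEF before it reaches the process. MPP requires CEF.
control-plane host
 management-interface FastEthernet0/1 allow ssh https snmp
!
! SNMPv3 with authentication (SHA) and privacy (AES-128); no v1/v2c community
! strings at all. The group is restricted to a view and to ACL 10.
snmp-server view MGMT-VIEW iso included
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW access 10
snmp-server user nms NMS-GROUP v3 auth sha Auth3ntication! priv aes 128 Pr1vacyKey!
snmp-server host 10.0.0.20 version 3 priv nms
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps config
!
! Verification:
!   show parser view all        (from the root view)
!   show ip http server status
!   show management-interface
!   show snmp user              (SNMPv3 users are not shown in the running configuration)
!   show snmp group
```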
This lesson describes tools that are used to protect the data plane of a Cisco router. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the data plane, data plane attacks, and the effects these attacks have on network devices
Explain NetFlow and how to configure it
Describe and configure uRPF
Describe and configure Cisco IOS FPM
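The control-plane lesson above and the data-plane lesson here share a router, so one added example (not from the course) covers both: OSPF MD5 authentication, Control Plane Protection and Control Plane Policing, CPU and memory thresholds, unicast RPF and NetFlow export. Interface roles (FastEthernet0/0 Internet, FastEthernet0/1 LAN with an OSPF neighbour), the OSPF key, the NetFlow collector 10.0.0.25 and the management subnet 10.0.0.0/24 are assumptions; FPM is left out.

```cisco
! Added example (not from the course): Network Foundation Protection for the
! control plane and the data plane on one router.
! Assumed: FastEthernet0/0 = Internet, FastEthernet0/1 = LAN with an OSPF neighbour,
! NetFlow collector 10.0.0.25, management subnet 10.0.0.0/24.
!
ip cef
!
! --- Control plane: routing protocol authentication. Every router in area 0 must
!     carry the same key ID and key or adjacencies drop; passive-interface keeps
!     hellos off interfaces with no legitimate neighbour.
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface FastEthernet0/1
 area 0 authentication message-digest
interface FastEthernet0/1
 ip ospf message-digest-key 1 md5 0spfAreaZeroKey!
!
! --- Control Plane Protection (CPPr): drop packets addressed to TCP/UDP ports the
!     router is not listening on, before they cost CPU.
class-map type port-filter match-all CLOSED-PORTS
 match closed-ports
policy-map type port-filter input DROP-CLOSED-PORTS
 class CLOSED-PORTS
  drop
control-plane host
 service-policy type port-filter input DROP-CLOSED-PORTS
!
! --- Control Plane Policing: SSH from the management subnet is rate-limited to
!     256 kbit/s. Only classified traffic is policed; class-default is untouched so
!     routing protocols are not starved by an overly eager policy.
ip access-list extended COPP-SSH
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
class-map match-all COPP-SSH
 match access-group name COPP-SSH
policy-map COPP
 class COPP-SSH
  police 256000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
!
! --- CPU and memory threshold notifications (syslog/SNMP) as early warning of a
!     DoS against the device.
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
memory free low-watermark processor 20000
memory free low-watermark io 20000
memory reserve critical 1000
!
! --- Data plane: unicast RPF on the Internet interface. Strict mode (rx) drops a
!     packet whose source is not reachable back through the interface it arrived
!     on, which kills spoofed sources. Use "any" (loose mode) where routing is
!     asymmetric. uRPF requires CEF.
interface FastEthernet0/0
 ip verify unicast source reachable-via rx
!
! --- Data plane: NetFlow export, so flows can be baselined and scans, floods and
!     unexpected conversations spotted.
interface FastEthernet0/0
 ip flow ingress
interface FastEthernet0/1
 ip flow ingress
ip flow-export version 9
ip flow-export destination 10.0.0.25 2055
ip flow-export source Loopback0
!
! Verification:
!   show ip ospf neighbor
!   show ip ospf interface FastEthernet0/1     ("Message digest authentication enabled")
!   show control-plane host open-ports         (what CPPr considers open)
!   show policy-map control-plane              (CoPP counters)
!   show ip interface FastEthernet0/0 | include verify
!   show ip cache flow
!   show ip flow export
```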
Module 3: Secure Site-to-Site Communications
Upon completing this module, the learner will be able to design, install, configure, and troubleshoot site-to-site VPNs using Cisco Integrated Services Routers.
Lesson 1: Examining VPN and IPsec Fundamentals
This lesson describes the basic characteristics and protocols used in IPsec configurations and the various types of VPNs available in Cisco IOS Software, including IPsec, Dynamic Multipoint Virtual Private Network (DMVPN), Group Encrypted Transport VPN (GET VPN), Cisco Easy VPN, and Cisco IOS Secure Sockets Layer (SSL) VPN. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the basic functionality and protocols involved with IPsec VPNs
Describe different types of site-to-site VPNs, including fully meshed, hub-and-spoke, IPsec, Cisco Easy VPN with VTI, GRE over IPsec, DMVPN, and GET VPN
Describe Cisco Easy VPN and Cisco IOS SSL VPNs
Explain the VPN design guide that is available in Cisco SDM
Configure global VPN router settings in Cisco SDM
IPsec Overview
Site-to-Site VPNs
Cisco Easy VPN and Cisco IOS SSL VPNs
VPN Design Guide
Global VPN Settings
This lesson describes how to configure a Cisco IOS certificate authority (CA) and an IPsec site-to-site VPN using digital certificates. Upon completing this lesson, the learner will be able to meet these objectives:
Describe Cisco IOS PKI support
Describe the use of CAs and RAs
Describe how SCEP manages the certificate lifecycle
Describe and configure the Cisco IOS CA Server
Configure CA interoperability on a Cisco router using Cisco SDM
Configure a PKI-based IPsec site-to-site VPN on a router using Cisco SDM
Troubleshoot CA interoperability using the CLI
Test and verify IPsec configurations using the CLI
Cisco IOS PKI Overview
Certificate Authorities
Examining SCEP
Cisco IOS CA Server
Configuring CA Support
Configuring a PKI-Based IPsec Site-to-Site VPN
Testing and Verifying CA Support
Testing and Verifying IPsec
This lesson describes how to configure Generic Routing Encapsulation (GRE)-over-IPsec tunnels. Upon completing this lesson, the learner will be able to meet these objectives:
Describe GRE tunnels
Configure a GRE tunnel
Configure a GRE tunnel with IPsec encryption using Cisco SDM and verify the resulting CLI configurations
Generate mirror configurations
Verify GRE-over-IPsec operations using the CLI
Examining GRE Tunnels
Configuring a GRE Tunnel
Configuring a GRE-Over-IPsec Tunnel
Generate a Mirror Configuration
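The CLI form of this lesson's GRE-over-IPsec tunnel, as an added example that is not from the course, using an IPsec profile with tunnel protection rather than a crypto map, together with the mirror configuration for the far end. The addresses (R1 outside 192.0.2.1, R2 outside 203.0.113.2, tunnel subnet 172.16.0.0/30, LANs 10.1.1.0/24 and 10.2.2.0/24), the pre-shared key and the use of OSPF across the tunnel are assumptions.

```cisco
! Added example (not from the course): GRE over IPsec with an IPsec profile.
! Assumed: R1 outside 192.0.2.1, R2 outside 203.0.113.2, tunnel 172.16.0.0/30,
! LANs 10.1.1.0/24 (R1) and 10.2.2.0/24 (R2). Key is a placeholder.
!
! Phase 1 and phase 2 parameters, as for any IPsec tunnel. Transport mode is
! enough here because GRE already supplies the outer IP header, which saves
! 20 bytes per packet. DH group 14 assumed available.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key 7Kq2wVx9pLm4zRt1Nb8c address 203.0.113.2 255.255.255.255
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
! The IPsec profile replaces crypto map and crypto ACL: whatever leaves the
! tunnel interface is protected, so there is no ACL to keep mirrored.
crypto ipsec profile GRE-PROTECTION
 set transform-set AES256-SHA
 set pfs group14
!
interface Tunnel0
 description GRE over IPsec to R2
 ip address 172.16.0.1 255.255.255.252
 ! GRE adds 24 bytes and ESP around 50 more; lower the MTU and clamp the TCP
 ! MSS so packets are not fragmented after encryption.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROTECTION
!
! The tunnel is a routed interface, so a routing protocol (and multicast) runs
! across it, which a crypto-map tunnel cannot do.
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! Mirror configuration on R2: only the addresses change.
!   crypto isakmp key 7Kq2wVx9pLm4zRt1Nb8c address 192.0.2.1 255.255.255.255
!   interface Tunnel0
!    ip address 172.16.0.2 255.255.255.252
!    tunnel source FastEthernet0/0
!    tunnel destination 192.0.2.1
!    tunnel protection ipsec profile GRE-PROTECTION
!   router ospf 1
!    network 10.2.2.0 0.0.0.255 area 0
!    network 172.16.0.0 0.0.0.3 area 0
!
! Verification:
!   show interfaces Tunnel0            (line protocol up once the peer answers)
!   show crypto isakmp sa
!   show crypto ipsec sa | include pkts
!   show ip ospf neighbor              (neighbour learned over Tunnel0)
```

Do not let the routing protocol advertise the tunnel destination through the tunnel itself (for example by including 203.0.113.0/24 in OSPF); the tunnel then recurses onto itself and flaps, which is the most common "special situation" with GRE over IPsec.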
2009 Cisco Systems, Inc.
This lesson describes how to configure high-availability VPN technologies. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe high availability for IPsec VPNs
- Explain how to achieve high availability with IPsec VPNs using redundant peers and how to configure it
- Describe HSRP, the role it plays in high availability, and how to configure it
- Describe Cisco IOS stateful failover and how to configure it
- Explain how to back up WAN links using VPNs
- Describe the benefit of using static or dynamic VTI and how to configure VTIs for site-to-site IPsec VPNs
- High Availability for Cisco IOS IPsec VPNs
- IPsec Backup Peer
- Hot Standby Router Protocol
- IPsec Stateful Failover
- Backing Up a WAN Connection with an IPsec VPN
- Static and Dynamic VTIs
This lesson describes how to configure a DMVPN. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the overall requirements, features, operation, and high availability design for DMVPN
- Describe how dynamic routing protocols operate over DMVPN
- Configure a DMVPN hub using the Cisco SDM DMVPN hub wizard
- Configure a DMVPN spoke using the Cisco SDM DMVPN spoke wizard
- Edit DMVPN settings in Cisco SDM
- Verify DMVPN connectivity
- Dynamic Multipoint VPN
- Dynamic Routing Protocols over DMVPN
- Configuring a DMVPN Hub
Course Administration Guide 29
This lesson describes how to configure GET VPNs. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe problems that are encountered scaling tunnel-based VPNs
- Describe GET VPN
- Describe how dynamic routing protocols work over GET VPN
- Describe the security measures that are built into the GET VPN solution
- Describe GET VPN operations
- Configure the GET VPN key server
- Configure GET VPN group members
- Verify GET VPN settings and operation
- VPN Limitations
- GET VPN Overview
- GET VPN Architecture
- GET VPN Security
- GET VPN Operations
- Configuring GET VPN Key Servers
- Configuring GET VPN Group Members
- Verifying GET VPN Settings
Module 4: Secure Remote Access Communications
Upon completing this module, the learner will be able to design, install, configure, and troubleshoot remote-access communications using Cisco IOS security features.
Lesson 1: Implementing Cisco IOS Remote Access Using Cisco Easy VPN
This lesson describes how to configure Cisco Easy VPN for remote access. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the role of each component of Cisco Easy VPN, including Cisco Easy VPN Remote and Cisco Easy VPN Server
- Explain how to configure the Cisco VPN Client
- Explain how to configure a Cisco Easy VPN Remote using Cisco SDM
- Explain how to configure a Cisco Easy VPN Server using Cisco SDM
- Verify the Cisco Easy VPN configuration
- Introduction to Cisco Easy VPN
- Configuring the Cisco VPN Client
- Configuring Cisco Easy VPN Remote
- Configuring Cisco Easy VPN Server
- Verify the Cisco Easy VPN Configuration
Lab 4-1: Configure Cisco Easy VPN Remote
Lab 4-2: Configure Cisco Easy VPN Server
This lesson describes how to configure a Cisco IOS SSL VPN and verify its operation using Cisco Router and Security Device Manager (SDM). Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the Cisco IOS SSL VPN feature, including clientless mode, thin-client mode, full-tunnel client mode, and Cisco Secure Desktop
- Describe the different client packages for the Cisco IOS SSL VPN
- Configure the prerequisites for Cisco IOS SSL VPN
- Configure Cisco IOS SSL VPN
- Edit Cisco IOS SSL VPN configurations
- Monitor and verify Cisco IOS SSL VPN
- Overview of Cisco IOS SSL VPN
- Client Software
- Configuring Cisco IOS SSL VPN Prerequisites
- Cisco IOS SSL VPN Configuration
- Editing Cisco IOS SSL VPNs
- Verifying SSL VPN Functionality
Module 5: Threat Control and Containment
Upon completing this module, the learner will be able to install, configure, and troubleshoot URL filtering, NAT and PAT, Cisco IOS Classic Firewall, Cisco IOS Zone-Based Policy Firewall, and Cisco IOS IPS on a Cisco Integrated Services Router.
Lesson 1: Configuring NAT and PAT
This lesson describes how to configure inside and outside static and dynamic NAT and PAT as well as port forwarding. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe static and dynamic NAT and PAT
- Configure PAT using the Cisco SDM NAT Basic wizard
- Configure NAT and PAT using the Cisco SDM NAT Advanced wizard
- Verify NAT and PAT configuration using the CLI
- Troubleshoot a NAT configuration to resolve issues
- Network Address Translation Overview
- Configuring PAT Using the Basic NAT Wizard
- Configuring NAT and PAT Using the Advanced NAT Wizard
- Verifying NAT and PAT
- Troubleshooting NAT and PAT
This lesson describes how to configure a Cisco IOS Classic Firewall using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the features and benefits of a Cisco IOS Classic Firewall
- Use the Cisco SDM Basic Firewall wizard to configure a Cisco IOS Classic Firewall
- Use the Cisco SDM Advanced Firewall wizard to configure a Cisco IOS Classic Firewall
- Edit a basic or advanced firewall configuration, including global settings
- Cisco IOS Classic Firewall Overview
- Basic Firewall Wizard
- Advanced Firewall Wizard
- Editing Firewall Rules
- Verifying Firewall Configuration
This lesson describes how to configure a Cisco IOS Zone-Based Policy Firewall on a Cisco Integrated Services Router. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the general features of a Cisco IOS Zone-Based Policy Firewall
- Configure Cisco IOS Zone-Based Policy Firewall using the Cisco SDM Advanced Firewall wizard
- Edit the Cisco IOS Zone-Based Policy Firewall
- Create zone-based policies without the Cisco SDM wizard
- Verify the Cisco IOS Zone-Based Policy Firewall configuration using the CLI and Cisco SDM
- Cisco IOS Zone-Based Policy Firewall Overview
- Advanced Firewall Wizard
- Editing Cisco IOS Zone-Based Policy Firewall
- Configuring Zone-Based Policies
- Verifying the Cisco IOS Zone-Based Policy Firewall Configuration
Lab 5-2: Configure Cisco IOS Zone-Based Policy Firewall with URL Filtering
This lesson describes how to configure Cisco IOS IPS Software Version 5.x signature support, Risk Rating (Signature Event Action Processing [SEAP]), tuning, and custom signatures. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the features, functions, limitations, and applications of Cisco IOS IPS
- Describe the different IPS management products
- Describe SDF and built-in signature operation
- Migrate from Cisco IOS IPS Version 4.x to Cisco IOS IPS Version 5.x
- Configure Cisco IOS IPS using 5.x signatures
- Configure Auto Signature Update
- Configure SEAP, including Risk Ratings, Event Action Overrides, and Event Action Filters
- Perform a basic configuration of Cisco IOS IPS
- Tune more advanced signature settings
- Create custom signatures
- Use show, debug, and clear commands to test and verify Cisco IOS IPS configurations
- Explain various scenarios and deployment options
- Cisco IOS IPS Overview
- IPS Management Products
- SDF and Built-In Signature Overview
- Migrating from Cisco IOS IPS Version 4 to Version 5
- Configuring Cisco IOS IPS Using 5.x Signatures
- Auto Update
- Signature Event Action Processing
- Configuring, Disabling, and Excluding Signatures
- Signature Tuning
- Custom Signatures
- Verifying Cisco IOS IPS Configuration
- IPS Case Studies
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
- Explain how the Cisco IPS protects network devices from attacks
- Install and configure the basic settings on a Cisco IPS 4200 Series Sensor
- Use the Cisco IDM to configure built-in signatures to meet the requirements of a given security policy
- Configure some of the more advanced features of the Cisco IPS product line
- Initialize and install into your environment the rest of the Cisco IPS family of products
- Use the CLI and the Cisco IDM to obtain system information, and configure the Cisco IPS sensor to allow an SNMP NMS to monitor the Cisco IPS sensor
- Course Introduction
- Intrusion Prevention Overview
- Installation of a Cisco IPS 4200 Series Sensor
- Cisco IPS Signatures
- Advanced Cisco IPS Configuration
- Additional Cisco IPS Devices
- Cisco IPS Sensor Maintenance
- Explain the difference between intrusion detection and intrusion prevention
- Describe the similarities and differences among the various intrusion detection technologies
- Explain the terminology used in intrusion prevention and detection
- Explain the difference between promiscuous and inline intrusion protection
- Describe the new features included in the Cisco IPS Sensor Software Version 6.0
- Intrusion Detection vs. Intrusion Prevention
- Intrusion Prevention Technologies
- Intrusion Prevention Terminology
- Promiscuous and Inline Modes
- Features of Cisco IPS Sensor Software Version 6.0
- Explain the various models available in the Cisco family of IPS sensors
- Describe network IPS and list its features and limitations
- Describe host IPS and list its features and limitations
- Explain the considerations necessary for selection, placement, and deployment of a network IPS
- Describe the Cisco Self-Defending Network and how the Cisco IPS products fit in to that structure
- Describe the Cisco IPS Sensor Software architecture
- List the Cisco IPS management products for single device management
- List the Cisco IPS management products that you can use for the enterprise
- Cisco IPS Sensor Software Architecture
- Cisco IPS Element Management Products
- Cisco IPS Enterprise Management Products
- Explain what an evasive technique is and provide examples of evasive techniques
- Explain how attackers use string match attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use fragmentation attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use session attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use insertion attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use evasion attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use TTL-based attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use encryption-based attacks to avoid detection by intrusion detection and intrusion prevention products
- Explain how attackers use resource exhaustion attacks to avoid detection by intrusion detection and intrusion prevention products
- Session Attacks
- Insertion Attacks
- Evasion Attacks
- TTL-Based Attacks
- Encryption-Based Attacks
- Resource Exhaustion Attacks
- Explain the CLI of the Cisco IPS sensor
- Gain management access and initialize a sensor
- Explain some of the administrative tasks that are done from the CLI
- Explain some of the additional commands that are available from the CLI
- Introducing the CLI
- Initializing the Sensor
- Performing Administrative Tasks
- Additional Administrative Commands
Lesson 2: Using the Cisco IDM
This lesson describes how to use the Cisco IPS Device Manager (IDM) to launch, navigate, manage, and monitor a Cisco IPS device. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the features, benefits, and system requirements of the Cisco IDM
- Log into and navigate the Cisco IDM
- Configure SSH
- Reboot and shut down a Cisco IPS
- Introducing the Cisco IDM
- Getting Started with the Cisco IDM
- How to Configure SSH
- How to Reboot and Shut Down the Sensor
Lesson 3: Configuring Basic Sensor Settings
This lesson describes how to use the Cisco IDM to configure basic sensor settings. Upon completing this lesson, the learner will be able to meet these objectives:
- Configure hosts that are authorized to administer the sensor
- Configure the time settings of a Cisco IPS sensor
- Configure certificates of a Cisco IPS sensor
- Configure user accounts
- Describe the different roles that a sensor interface can play
- Configure the interfaces of a Cisco IPS sensor in promiscuous and inline mode
- Describe and configure software and hardware bypass
- Explain how to view events from the Cisco IDM
- How to Configure Allowed Hosts
- How to Set the Time
- How to Configure Certificates
- How to Configure User Accounts
- Defining Interface Roles
- How to Configure the Interfaces
- How to Configure Software and Hardware Bypass Mode
- Viewing Events in the Cisco IDM
Lab 2-1: Install and Configure an IPS Sensor from the CLI
Lab 2-2: Use the Cisco IDM to Perform a Basic Sensor Configuration
- Describe the different types, features, and actions of signatures
- Locate information about specific signatures and describe the Cisco Intrusion Prevention Alert Center
- Enable, disable, and assign actions to signatures
- Configure additional settings for denying and blocking actions
- Cisco IPS Signatures
- How to Locate Signature Information
- How to Configure Basic Signatures
- Special Considerations for Signature Actions
Lesson 2: Examining the Signature Engines
This lesson describes the functions of signature engines and their parameters. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the different signature engines used by the sensor
- Describe the configuration parameters common to all signature engines
- Describe the ATOMIC signature engines
- Describe the FLOOD signature engines
- Describe the SERVICE signature engines, including the new TNS and SMB advanced signature engines
- Describe the STRING signature engines
- Describe the SWEEP signature engines
- Describe the TROJAN signature engines
- Describe the TRAFFIC signature engines
- Describe the AIC signature engines
- Describe the STATE signature engine
- Describe the META signature engine
- Describe the NORMALIZER engine
- Introducing Cisco IPS Signature Engines
- Common Signature Engine Parameters
- ATOMIC Signature Engines
- FLOOD Signature Engines
- SERVICE Signature Engines
- STRING Signature Engines
- SWEEP Signature Engines
- TROJAN Signature Engines
- TRAFFIC Signature Engines
- AIC Signature Engines
- STATE Signature Engine
- META Signature Engine
- NORMALIZER Engine
Lesson 3: Customizing Signatures
This lesson describes how to use the Cisco IDM to tune and customize signatures to meet the requirements of a given security policy. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the need to tune signatures
- Tune and create signatures to accomplish noise reduction
- Tune and create signatures to accomplish false positive reduction
- Tune and create signatures to accomplish false negative reduction
- Tune and create signatures to focus a Cisco IPS sensor on the environment
- Describe examples of different signature tuning scenarios
- Design and create custom signatures
- Describe examples of creating custom signatures
- Tuning Signatures
- Noise Reduction
- False Positive Reduction
- False Negative Reduction
- Focusing Cisco IPS Sensors
- Customizing Built-in Signatures
- How to Create Custom Signatures
- Custom Signature Scenarios
Lab 3-1: Working with Signatures and Alerts
Lab 3-2: Customizing Signatures
- Explain how to tune the sensor to avoid evasive techniques and provide network-specific intrusion prevention
- Explain the logging capabilities of the sensor, how to configure logging, and the performance ramifications of logging
- Describe the concept of IP fragment and TCP stream reassembly
- Define and configure event variables
- Explain and configure TVRs
- Describe and configure event action overrides
- Describe and configure event action filters
- Describe the risk rating system and the values that it uses to calculate the risk rating number
- Introduce and configure the general settings for event action rules
- Sensor Configuration
- IP Logging
- Reassembly Options
- How to Define Event Variables
- Target Value Rating
- Event Action Overrides
- Event Action Filters
- Risk Rating System
- General Settings of Event Action Rules
Lab 4-1: Tune a Cisco IPS Sensor Using the Cisco IDM
Lesson 2: Monitoring and Managing Alarms
This lesson describes how to use additional monitoring tools to maximize alarm management efficiency. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the Cisco IEV, its features, benefits, and specifications
- Explain the installation procedure for Cisco IEV
- Add devices to the Cisco IEV
- Use Cisco IEV to view events
- Explain the Cisco Security Management Suite, its features, benefits, and specifications
- Explain the external product interface, its benefits, and specifications
- Explain how a Cisco Security Agent installation can be integrated into a Cisco IPS sensor installation using Cisco Security Monitor
- Explain the Cisco ICS
- Cisco IEV Overview
- Installing Cisco IEV
- Configuring Cisco IEV
- Viewing Events
- Cisco Security Management Suite Overview
- External Product Interface
- Integrating Cisco Security Agent into an IPS Installation
- Cisco ICS
Lesson 3: Configuring a Virtual Sensor
This lesson describes the virtual sensor, its settings, and its advantages. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the principles behind virtual sensors
- Prepare for creating virtual sensors by creating inline pairs, signature policies, event action rules, and anomaly detection policies
- Create a virtual sensor by giving it a name and assigning interfaces
- Virtual Sensor Overview
- Preparing for Virtual Sensors
- Creating Virtual Sensors
Lesson 4: Configuring Advanced Features
This lesson describes how to configure some of the new advanced features of the Cisco IPS Sensor Software. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the principles behind anomaly detection
- Explain the components used by anomaly detection
- Configure anomaly detection
- Monitor and troubleshoot problems with anomaly detection
- Explain the principles behind POSFP
- Explain the different methods available to identify operating systems
- Explain the available configuration options for POSFP
- Examine the results of POSFP
- Configuring Anomaly Detection
- Monitoring Anomaly Detection
- POSFP Overview
- Operating System Identification
- Configuring POSFP
- Monitoring POSFP
Lesson 5: Configuring Blocking
This lesson describes blocking concepts and how to use the Cisco IDM to configure blocking for a given scenario. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the principles behind blocking
- Describe the things that should be taken into account before applying ACLs
- Explain how to configure a sensor to perform automatic blocking
- Explain how to configure a sensor to perform manual blocking
- Explain how to configure a master blocking scenario
- Blocking Overview
- ACL Considerations
- How to Configure Automatic Blocking
- How to Configure Manual Blocking
- How to Configure a Master Blocking Scenario
- Describe the Cisco Catalyst 6500 Series IDSM-2
- Install the Cisco Catalyst 6500 Series IDSM-2
- Configure the Cisco Catalyst 6500 Series IDSM-2 interfaces
- Monitor the Cisco Catalyst 6500 Series IDSM-2
- Cisco Catalyst 6500 Series IDSM-2 Overview
- Installing the Cisco Catalyst 6500 Series IDSM-2
- Configuring Cisco Catalyst 6500 Series IDSM-2 Interfaces
- Monitoring the Cisco Catalyst 6500 Series IDSM-2
- Maintaining the Cisco Catalyst 6500 Series IDSM-2
Lesson 2: Initializing the Cisco ASA AIP-SSM
This lesson describes how to initialize a Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (ASA AIP-SSM). Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the Cisco ASA AIP-SSM
- Upload the IPS image to the Cisco ASA AIP-SSM
- Perform the initial configuration of the Cisco ASA AIP-SSM using Cisco ASDM
- Configure an IPS security policy using Cisco ASDM
- Cisco ASA AIP-SSM Overview
- Loading the Cisco ASA AIP-SSM
- Initial Cisco ASA AIP-SSM Configuration Using Cisco ASDM
- Configuring an IPS Security Policy
- Describe the Cisco IPS sensor licenses and how to install them
- Perform a Cisco IPS sensor upgrade or recovery
- Install service pack and signature updates
- Perform a password recovery on a Cisco IPS sensor
- Restore a Cisco IPS sensor to its default configuration
- Understanding Cisco IPS Licensing
- How to Upgrade and Recover Sensor Images
- How to Install Service Packs and Signature Updates
- Password Recovery
- How to Restore a Cisco IPS Sensor
Lesson 2: Managing Cisco IPS Sensors
This lesson describes how to use the CLI and the Cisco IDM to verify sensor configuration. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the various CLI commands used for sensor monitoring
- Describe the Cisco IDM as a tool to perform sensor monitoring
- Describe Cisco Security Manager as a tool to perform sensor monitoring
- Describe SNMP as a tool to perform sensor monitoring
- Using the CLI to Monitor the Sensor
- Using the Cisco IDM to Monitor the Sensor
- Monitoring Using Cisco Security Manager
- Monitoring Using SNMP
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
- Explain the functions of the three types of firewalls used to secure computer networks
- Describe the technology and features of Cisco security appliances
- Given diagrams of networks protected by Cisco ASA and PIX security appliances, explain how each appliance protects network devices from attacks and why each is an appropriate choice for the example network
- Introducing Cisco Security Appliance Technology and Features
- Introducing the Cisco ASA and PIX Security Appliance Families
- Getting Started with Cisco Security Appliances
- Configuring a Security Appliance
- Configuring Translations and Connection Limits
- Using ACLs and Content Filtering
- Configuring Object Grouping
- Switching and Routing on Cisco Security Appliances
- Configuring AAA for Cut-Through Proxy
- Configuring the Cisco Modular Policy Framework
- Configuring Advanced Protocol Handling
- Configuring Threat Detection
- Configuring Site-to-Site VPNs Using Pre-Shared Keys
- Configuring Security Appliance Remote-Access VPNs
- Configuring the Cisco ASA for SSL VPN
- Configuring Transparent Firewall Mode
- Configuring Security Contexts
- Explain the functions of the three types of firewalls that are used to secure modern computer networks
- Discuss the technology and features of Cisco security appliances
There is no lab for this lesson.
Lesson 2: Introducing the Cisco ASA and PIX Security Appliance Families
This lesson introduces Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX 500 Series Security Appliances. Upon completing this lesson, the learner will be able to meet these objectives:
- Identify the Cisco ASA and PIX security appliance models
- Explain the Cisco ASA security appliance licensing options
- Models and Features of Cisco Security Appliances
- Cisco ASA Security Appliance Licensing
There is no lab for this lesson.
Lesson 3: Getting Started with Cisco Security Appliances
This lesson describes how to configure the security appliance for basic network connectivity. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the four access modes
- Describe the security appliance file management system
- Discuss security appliance security levels
- Describe Cisco ASDM requirements and capabilities
- Use the CLI to configure and verify basic network settings, and prepare the security appliance for configuration via Cisco ASDM
- User Interface
- File Management
- Security Appliance Security Levels
- Cisco ASDM Essentials and Operating Requirements
- Preparing to Use Cisco ASDM
- Navigating Cisco ASDM Windows
Lab 3-1: Prepare to Use Cisco ASDM to Configure the Security Appliance
Lesson 4: Configuring a Security Appliance
This lesson describes how to configure a security appliance for basic network connectivity. Upon completing this lesson, the learner will be able to meet these objectives:
- Configure a security appliance for basic network connectivity
- Verify the initial configuration
- Set the clock and synchronize the time on a security appliance
- Configure a security appliance to send syslog messages to a syslog server
- Basic Security Appliance Configuration
- Examining Security Appliance Status
- Time Setting and NTP Support
- Syslog Configuration
Lesson 5: Configuring Translations and Connection Limits
This lesson describes how to perform Network Address Translation (NAT) on a security appliance. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe how the TCP and UDP protocols function within the security appliance
- Describe how static and dynamic translations function
- Configure dynamic address translation
- Configure static address translation
- Set connection limits
- Transport Protocols
- Understanding NAT
- Understanding PAT
- Static Translations
- TCP SYN Cookies and Connection Limits
- Connections and Translations
Lesson 6: Using ACLs and Content Filtering
This lesson describes how to configure security appliance access control. Upon completing this lesson, the learner will be able to meet these objectives:
- Configure and explain the basic function of ACLs
- Configure and explain additional functions of ACLs
- Configure active code filtering (Microsoft ActiveX and Java applets)
- Configure the security appliance for URL filtering
- Use the Packet Tracer for troubleshooting
- ACL Configuration
- Malicious Active Code Filtering
- URL Filtering
- Packet Tracer
Lesson 7: Configuring Object Grouping
This lesson describes how to configure the object grouping feature of Cisco security appliances. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the object grouping feature of the security appliance and its advantages
- Configure object groups and use them in ACLs
Lesson 8: Switching and Routing on Cisco Security Appliances
This lesson describes how to configure the switching and routing functionality that a security appliance provides. Upon completing this lesson, the learner will be able to meet these objectives:
- Configure logical interfaces and VLANs
- Configure static routes and static route tracking
- Describe the dynamic routing capabilities of Cisco security appliances and configure passive RIP routing
There is no lab for this lesson.
Lesson 9: Configuring AAA for Cut-Through Proxy
This lesson describes how to define, configure, and monitor AAA in Cisco security appliances. Upon completing this lesson, the learner will be able to meet these objectives:
- Define AAA functions
- Configure the local user database
- Install and configure Cisco Secure ACS
- Define and configure cut-through proxy authentication
- Define and configure user authorization using downloadable ACLs
- Define and configure the accounting component
- Introduction to AAA
- Configuring the Local User Database
- Installation of Cisco Secure ACS for Windows 2000
- Cut-Through Proxy Authentication Configuration
- Authentication Prompts and Timeouts
- Authorization Configuration
- Accounting Configuration
Lab 9-1: Configure AAA on the Security Appliance Using Cisco Secure ACS for Windows
Lesson 10: Configuring the Cisco Modular Policy Framework
This lesson describes how to configure a security appliance modular policy. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the Cisco Modular Policy Framework feature for security appliances
- Describe the functionality of class maps
- Describe the functionality of policy maps
- Describe the functionality of service policies
- Use Cisco ASDM to configure a service policy rule
- Modular Policy Framework Overview
- Class Map Overview
- Policy Map Overview
- Configuring Modular Policies with Cisco ASDM
- Configuring a Policy for Management Traffic
- Displaying Modular Policy Framework Components
There is no lab for this lesson.
Lesson 11: Configuring Advanced Protocol Handling
This lesson describes how to configure security appliance advanced protocol handling. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe the need for advanced protocol handling
- Describe how the security appliance implements inspection of common network applications
- Describe the issues with multimedia applications and how the security appliance supports multimedia call control and audio sessions
Lesson 12: Configuring Threat Detection
This lesson describes how to use the threat detection capabilities of the security appliance to better defend the network. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe threat detection and threat statistics
- Configure basic threat detection
- Configure scanning threat detection
- Configure and view threat detection statistics
- Threat Detection Overview
- Basic Threat Detection
- Scanning Threat Detection
- Configuring and Viewing Threat Detection Statistics
Lesson 13: Configuring Site-to-Site VPNs Using Pre-Shared Keys
This lesson describes how to configure Cisco security appliances for VPN connectivity. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe how security appliances enable a secure VPN
- Perform the tasks necessary to configure security appliance IPsec support
- Identify the commands to configure security appliance IPsec support
- Configure a VPN between security appliances
- Secure VPNs
- How IPsec Works
- Preparing to Configure an IPsec VPN
- Configuring a Site-to-Site VPN Using Pre-Shared Keys
- Modifying the Site-to-Site VPN Configuration
- Test and Verify VPN Configuration
Lesson 14: Configuring Security Appliance Remote-Access VPNs
This lesson describes how to configure security appliances for secure remote access. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe Cisco Easy VPN
- Describe the Cisco VPN Client
- Configure an IPsec Remote-Access VPN
- Configure users and groups
- Introduction to Cisco Easy VPN
- Overview of Cisco VPN Client
- Configuring Remote-Access VPNs
- Configuring Users and Groups
Lab 14-1: Configure a Secure VPN Using IPsec Between a Security Appliance and a Cisco VPN Client
Lesson 15: Configuring the Cisco ASA Security Appliance for SSL VPN
This lesson describes how to configure Cisco ASA security appliances to support the SSL VPN feature set. Upon completing this lesson, the learner will be able to meet these objectives:
- Describe SSL VPN and its purpose
- Use the SSL VPN Wizard to configure a basic Clientless SSL VPN connection
- Verify SSL VPN operations
- SSL VPN Overview
- Using the SSL VPN Wizard to Configure Clientless SSL VPN
- Verifying Clientless SSL VPN Operations
Lab 15-1: Configure the Security Appliance to Provide Secure Clientless SSL VPN Connectivity
Lesson 16: Configuring Transparent Firewall Mode
This lesson describes how to configure Cisco security appliances to run in transparent firewall mode. Upon completing this lesson, the learner will be able to meet these objectives:
- Explain the purpose of transparent firewall mode
- Explain how data traverses a security appliance in transparent mode
Enable transparent firewall mode Monitor and maintain transparent firewall mode
Transparent Firewall Mode Overview Traversing a Security Appliance in Transparent Mode Configuring Transparent Firewall Mode Monitoring and Maintaining Transparent Firewall Mode
Lesson 17: Configuring Security Contexts This lesson describes how to configure the security appliance to support multiple contexts. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the purpose of security contexts
Enable and disable multiple context mode
Configure a security context
Allocate resources to security contexts
Manage a security context
Security Context Overview
Enabling Multiple Context Mode
Configuring Security Contexts
Managing Security Contexts
There is no lab for this lesson.
Lesson 18: Configuring Failover
This lesson describes how to implement and configure failover in a network. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the difference between hardware and stateful failover
Describe the difference between active/standby and active/active failover
Define the security appliance failover hardware requirements
Describe how active/standby failover works
Explain the security appliance roles of primary, secondary, active, and standby
Describe how active/active failover works
Configure active/standby LAN-based failover
Configure active/active failover
Enable the stateful failover option for maximum availability
Describe and use remote command execution
Understanding Failover
Configuring Redundant Interfaces
Active/Standby LAN-Based Failover Configuration
Active/Active Failover Configuration
Remote Command Execution
Lab 18-1: Configure LAN-Based Active/Standby Failover
Lab 18-2: Configure LAN-Based Active/Active Failover
Lesson 19: Managing the Security Appliance
This lesson describes how to secure and upgrade system access to the security appliance and recover from problems. Upon completing this lesson, the learner will be able to meet these objectives:
Configure Telnet access to the security appliance
Configure SSH access to the security appliance
Configure command authorization
Recover security appliance passwords using general password recovery procedures
Use TFTP to install and upgrade the software image on the security appliance
Managing System Access
Configuring Command Authorization
Managing Configurations
Managing Images and Activation Keys
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Configure policy NAT based on traffic type
Describe the Layer 7 Modular Policy Framework for the security appliance and how it is configured
Describe the Layer 7 advanced protocol handling capabilities of Modular Policy Framework and how it is configured
Identify the steps needed to configure the security appliance to segment traffic with VLANs
Identify the steps needed to configure the security appliance for dynamic routing
Explain the components and functionality of IPsec, and explain what digital certificates are and how they are used
Identify the steps needed to configure the security appliance to establish LAN-to-LAN tunnels with the digital certificate
Identify the necessary steps to configure the IPsec VPN client using digital certificates
Identify the necessary steps to configure the security appliance for remote access using digital certificates
Explain the advanced remote access features of the security appliance
Determine the necessary configuration for the ASA 5505 Adaptive Security Appliance to be a VPN hardware client
Identify the steps to configure QoS for VPN traffic
List the steps needed to configure the WebVPN functionality of the security appliance
Identify the basic Clientless SSL VPN features of the security appliance
Configure full network access SSL VPNs using the Cisco AnyConnect VPN Client
List the features and functionality of the Cisco Secure Desktop
Configure Cisco Secure Desktop and DAP for SSL VPN connections on the security appliance
Identify and list the characteristics of the service modules for the security appliance
Identify the steps needed to configure, inspect, and filter traffic with the Cisco CSC-SSM
2009 Cisco Systems, Inc.
Identify the steps needed to configure the security appliance to identify, alert, and defend against attacks
Advanced NAT
Advanced Protocol Handling
Dynamic Routing and Switching
IPsec VPNs
SSL VPNs
Security Services Modules
Appendix: Handling Multimedia Protocols
Appendix: Using Cisco ASA Multicast
Lab Guide
Describe how to configure ACLs for the security appliance
Describe the function of NAT and how to implement basic NAT
Describe NAT 0 function and the steps necessary to implement NAT 0
Describe policy NAT and the steps necessary to implement policy NAT
Explain how to verify and troubleshoot NAT configuration and operation
ACLs
NAT Translation Behavior
NAT Exemption
Policy NAT
Verify and Troubleshoot
Describe the Cisco Modular Policy Framework capabilities of the security appliance
Configure a modular policy on the security appliance using Cisco ASDM
Create a Layer 7 class map
Create a regular expression class map
Create a Layer 7 policy map
Describe the commands used to verify a Cisco Modular Policy Framework configuration
Cisco Modular Policy Framework Overview
Configuring the Cisco Modular Policy Framework
Configuring a Layer 7 Class Map
Configuring a Regular Expression Class Map
Configuring a Layer 7 Policy Map
Verifying the Cisco Modular Policy Framework Configuration
Lesson 2: Handling Advanced Protocols
This lesson explains how to configure and troubleshoot inspection of several common network protocols. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the protocol inspection capabilities of the Cisco ASA security appliance
Explain how to configure FTP inspection
Explain how to configure HTTP inspection
Explain how to configure IM inspection
Explain how to configure ESMTP inspection
Explain how to configure DNS inspection
Explain how to configure ICMP inspection
Use show commands to verify that protocol inspection is configured
Use debug commands to verify that protocol inspection is working properly
Protocol Inspection Overview
FTP Inspection
HTTP Inspection
IM Inspection
ESMTP Inspection
DNS Inspection
ICMP Inspection
Protocol Inspection Verification
Describe the VLAN capabilities of the security appliance
Explain the steps necessary to configure VLANs on the security appliance
Explain the steps necessary to configure interfaces on the Cisco ASA 5505 Adaptive Security Appliance
Use show commands to verify VLAN operations
Cisco ASA VLAN Operations
VLAN Configuration
VLAN Configuration on the Cisco ASA 5505
VLAN Verification
The lesson includes no activities.
Lesson 2: Routing with Dynamic Protocols
This lesson explains how to identify the steps needed to configure the security appliance for dynamic routing. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the differences between the dynamic and static routing capabilities of the security appliance
Configure the security appliance for active RIP routing
Configure the security appliance for OSPF routing
Configure the security appliance for EIGRP routing
Configure the security appliance for route redistribution
Use show and debug commands to verify routing configuration and that the routing configuration is working properly
Dynamic and Static Routing
RIP
OSPF
EIGRP
Redistribution
Verification and Troubleshooting
Module 4: IPsec VPNs
Explain the IP Security (IPsec) virtual private network (VPN) features and capabilities of the security appliance.
Lesson 1: Understanding IPsec and Digital Certificates
This lesson defines how to explain the components and the functionality of IPsec and explains what digital certificates are and how they are used. Upon completing this lesson, the learner will be able to meet these objectives:
Describe IPsec and the components that define IPsec
Describe how IPsec works
Describe how digital certificates and Public-Key cryptography work
Describe the scalability that is achieved by using certificates
Describe the purpose of CRLs and the protocols used for CRLs
Describe key pairs and trustpoints
What is IPsec?
IPsec Operation
Digital Certificates and Public-Key Cryptography
Certificates and Scalability
Certificate Enrollment Process
Validating the Certificate
Certificate Revocation Lists
Security Appliance Certificate Enrollment Support
The lesson includes no activities.
Lesson 2: Implementing Site-to-Site VPNs with Digital Certificates
This lesson defines how to configure the security appliance to establish site-to-site tunnels using digital certificates. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the components of site-to-site VPNs
Explain the steps necessary to configure the Cisco ASA security appliance to use digital certificates
Define interesting traffic with ACLs
List the steps needed to configure an ISAKMP policy for site-to-site VPNs
List the steps necessary to define an IPsec transform set
Explain the steps needed to configure a site-to-site VPN using digital certificates
Configure a crypto map for site-to-site VPNs
Configure the Cisco ASA security appliance for hub-and-spoke site-to-site connections
Configure site-to-site redundancy
Use show commands to verify the configuration of site-to-site VPNs
Use debug commands to verify that the configuration of site-to-site VPNs is working properly
Site-to-Site VPNs
Configuring CA Certificates
Site-to-Site IPsec Connection Profiles
Modifying Certificate to Connection Mapping
Hub and Spoke
Site-to-Site Redundancy
Verifying Site-to-Site VPNs
Troubleshooting Site-to-Site VPNs
Lesson 3: Configuring the Cisco VPN Client
This lesson defines how to configure the Cisco VPN Client by using digital certificates for authentication. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the key features and benefits of the Cisco VPN Client
Describe the steps necessary to install the Cisco VPN Client
Describe the steps needed to configure and install digital certificates on the Cisco VPN Client
List the connection entry configuration options available on the Cisco VPN Client
List the advanced configuration options available on the Cisco VPN Client
Describe the settings and options that would verify and troubleshoot the Cisco VPN Client configuration
Cisco VPN Client
Cisco VPN Client Installation
Digital Certificates with Cisco VPN Client
Connection Entry
Advanced Options
Verify and Troubleshoot Client Configuration
The lesson includes no activities.
Lesson 4: Implementing Remote-Access VPNs with Digital Certificates
This lesson defines how to configure the security appliance for remote access using digital certificates. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the components of remote-access VPNs
Describe the general tasks for configuring a Cisco ASA security appliance to support Cisco Easy VPN Remote client access
Configure the Cisco ASA security appliance to use digital certificates manually
Define an address pool for remote-access VPN connections
Explain the user policy inheritance that is determined by the Cisco ASA security appliance
Configure an IPsec connection profile to support digital certificates
Configure a certificate to connection policy to map the identity certificate to the proper connection profile
Use Cisco ASDM graphs and show commands to verify the operation of remote-access VPNs
Use logging and debug commands to troubleshoot remote-access VPNs
Remote-Access VPNs
Configuring a Cisco ASA for Remote Access
Installing Cisco ASA Certificates
Defining a Remote-Access Address Pool
User Policy Attribute Inheritance
Configuring an IPsec Connection Profile
Configuring the Certificate to Connection Profile Policy
Verifying Remote-Access VPNs
Troubleshooting Remote-Access VPNs
Lesson 5: Configuring Advanced Remote-Access Features and Policy
This lesson defines how to explain these remote-access features and configure the Cisco ASA security appliance to use them. Upon completing this lesson, the learner will be able to meet these objectives:
Use Cisco ASDM to configure advanced policy features of load balancing
Use Cisco ASDM to configure reverse route injection for VPN connections
Use Cisco ASDM to configure a backup server for the VPN connections
Use Cisco ASDM to configure intra-interface VPN traffic forwarding on the Cisco ASA security appliance
Use Cisco ASDM to configure NAT transparency for VPN connection behind a NAT device
Use Cisco ASDM to configure IPsec over TCP for VPN connection behind a NAT device
Use Cisco ASDM to configure certificate group mapping for IPsec connections using certificates
Use Cisco ASDM to configure client updates for VPN software and hardware clients
Use Cisco ASDM to configure the tunnel policy for personal firewalls and split tunneling
Load Balancing
Reverse Route Injection
Backup Servers
Intra-Interface VPN Traffic
NAT Transparency
Client Update
Split Tunneling
Personal Firewalls
Lesson 6: Configuring the ASA 5505 as a Cisco Easy VPN Hardware Client
This lesson defines how to configure security appliances for secure remote access. Upon completing this lesson, the learner will be able to meet these objectives:
Describe Cisco Easy VPN and its two components
Describe how group policy is determined on the VPN hardware client
Configure the ASA 5505 Adaptive Security Appliance as a Cisco Easy VPN Remote
Introduction to Cisco Easy VPN
Cisco Easy VPN Server Policy
Cisco Easy VPN Hardware Client
Lesson 7: Configuring QoS for IPsec VPNs
This lesson defines how to identify the steps to configure QoS for VPN tunnel traffic. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the QoS features of the Cisco ASA 5500 Series Adaptive Security Appliance
Configure QoS on the Cisco ASA 5500 Series Adaptive Security Appliance for VPN tunnel traffic
Verify the QoS for VPN tunnel traffic configuration of the Cisco ASA 5500 Series Adaptive Security Appliance
QoS Overview
Cisco ASA QoS
Configuring QoS for VPNs
Verifying QoS
Describe the characteristics of SSL
Describe SSL VPN components
Describe Cisco Secure Desktop
The lesson includes no activities.
Lesson 2: Configuring Clientless SSL VPNs
This lesson defines how to describe and configure a Cisco ASA security appliance for Clientless SSL VPN connections from remote users. Upon completing this lesson, the learner will be able to meet these objectives:
Configure Clientless SSL VPN
Configure Clientless SSL VPNs to use port forwarding
Configure additional features for Clientless SSL VPNs
Configure smart tunnels for non-plug-in supported applications
Use debug and show commands to verify Clientless SSL VPN configuration
Configuring Clientless SSL VPN
Verifying Clientless SSL VPN Operation
Configuring Port-Forwarding SSL VPN
Verifying Port-Forwarding SSL VPN
Configuring Additional SSL VPN Features
Troubleshooting Clientless and Port-Forwarding SSL VPNs
Lesson 3: Configuring Full Network Access SSL VPNs
This lesson defines how to describe and configure the Cisco ASA security appliance for Full Network Access SSL VPN using the Cisco AnyConnect VPN Client. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the features of the Cisco AnyConnect VPN Client
Describe the different installation methods available for the Cisco AnyConnect VPN Client
Configure DTLS for the Cisco AnyConnect VPN Client
Configure the advanced features of the Cisco AnyConnect VPN Client
Configure Certificate-Based Authentication for the Cisco AnyConnect VPN Client
Verify Cisco AnyConnect VPN Client operation
Troubleshoot Cisco AnyConnect VPN Client operation
The lesson includes these topics:
Cisco Full Network Access SSL VPN Overview
Configuring Cisco AnyConnect SSL VPN
Verifying Cisco AnyConnect VPN Operation
Configuring Advanced Features for the Cisco AnyConnect VPN Client
Configuring Certificate-Based Authentication for the Cisco AnyConnect SSL VPN
Troubleshooting Cisco AnyConnect VPN Client Operation
Lesson 4: Cisco Secure Desktop
This lesson defines how to describe the features available for Cisco Secure Desktop, how Cisco Secure Desktop interacts with other Cisco clients, and what steps are required to install the Cisco Secure Desktop image. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functionality of Cisco Secure Desktop
Describe the interoperability of the Cisco AnyConnect VPN Client
Install or upgrade the Cisco Secure Desktop image
List the steps necessary to install Cisco Secure Desktop
Cisco Secure Desktop Overview
Cisco Secure Desktop Interoperability
Preparing the Cisco ASA for Cisco Secure Desktop
Lesson 5: Securing the Desktop with Cisco Secure Desktop and DAP
This lesson defines how to configure Cisco Secure Desktop and configure Dynamic Access Policies (DAP) for SSL VPN client and clientless connections. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco Secure Desktop Workflow for SSL VPN client and clientless connections
Configure Cisco Secure Desktop for SSL VPN client and clientless connections
Configure Advanced Endpoint Assessment for SSL VPN client and clientless connections
Configure DAP for SSL VPN client and clientless connections
Cisco Secure Desktop Workflow
Prelogin Assessment
Secure Session
Cache Cleaner
Host Emulation and Keystroke Logger Detection
Host Scan
Dynamic Access Policy
DAP Testing
Identify the hardware characteristics of the Cisco SSM
Explain the business needs for deploying a Cisco SSM
List the security functions of the different types of application SSMs
The lesson includes no activities.
Lesson 2: CSC-SSM: Getting Started
This lesson describes how to configure the Cisco Content Security and Control Security Services Module (CSC-SSM). Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to initialize the CSC-SSM
Load the CSC-SSM with the new operating system from the CLI
Initialize and activate the CSC-SSM from the CLI
Configure the CSC-SSM to scan, using the CSC Setup Wizard from Cisco ASDM
CSC-SSM Overview
CSC-SSM Software Loading
Initial CLI Cisco CSC Configuration
Initially Configuring the CSC-SSM with the Cisco ASDM CSC Setup Wizard
The lesson includes no activities.
Lesson 3: AIP-SSM: Getting Started
This lesson defines how to initialize a Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (AIP-SSM). Upon completing this lesson, the learner will be able to meet these objectives:
Explain how the Cisco SSM modules operate within the Cisco ASA security appliance
Upload the Cisco IPS image to the AIP-SSM
Perform the initial configuration of the AIP-SSM
Configure a Cisco IPS security policy using Cisco ASDM
AIP-SSM Overview
AIP-SSM Software Loading
Initial Cisco IPS ASDM Configuration
Configure a Cisco IPS Security Policy
Overview
Welcome to Implementing Cisco Security Monitoring, Analysis, and Response System (MARS) v3.0. Cisco Security MARS extends the portfolio of security management products for the Cisco Self-Defending Network initiative. Cisco Security MARS offers a family of high-performance, scalable appliances for threat management, monitoring, and mitigation, enabling customers to make more effective use of network and security devices. Cisco Security MARS combines network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities. The result is a system that helps customers to readily and accurately identify, manage, and eliminate network attacks and maintain network security compliance.
The purpose of this Course Administration Guide is to provide Cisco Learning Partners with information so that they can better administer the course content and labs.
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Describe a Cisco Security MARS solution and its role in Cisco Threat-Defense System management
Describe the software components of Cisco Security MARS architectural design
Configure the network reporting devices to work with the Cisco Security MARS appliance
Describe the key concepts involved in using network reporting and mitigation devices with the Cisco Security MARS appliance
Use the Summary page to view the security status of your network
Describe and configure a rule that detects interesting patterns of network activity and other anomalous network behavior
Describe the process of generating queries and reports in a Cisco Security MARS appliance
Describe the process of incident investigation on a Cisco Security MARS appliance
Configure user-defined log parser templates on the Cisco Security MARS appliance
Integrate Cisco Security Manager and Cisco Security MARS
Perform system maintenance tasks on the Cisco Security MARS appliance
Identify common issues about Cisco Security MARS
Describe the features and functions of the Cisco Security MARS Global Controller
Summarize the key functionalities of Cisco Security MARS technologies at work
Course Introduction
The Course Introduction provides learners with the course objectives and prerequisite learner skills and knowledge. The Course Introduction presents the course flow diagram and the icons that are used in the course illustrations and figures. This course component also describes the curriculum for this course, providing learners with the information that they need to make decisions regarding their specific learning path.
Overview: Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) v3.0 is an update to Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) v2.0, an existing four-day instructor-led course on using Cisco Security MARS Software Versions 4.3.1 and 5.3.1. The lab setup and activities are based on the newer version of the virtual software VM-MARS 4.3.4 and VM-CSM 3.2. Upon completion of this course, the learner will have the skills and knowledge to implement the Cisco Security MARS solution into a network. Learners will learn Cisco Security MARS tasks such as quick install; adding security and network devices; creating rules, reports and queries; incident investigation; and performing system maintenance. Learners will install, configure, and administer Cisco Security MARS to protect a network.
Learner Skills and Knowledge: Here are the required learner skills and knowledge:
Cisco CCSP certified or equivalent knowledge
Passage of the Securing Cisco IOS Networks (SECUR) exam (642-501), the Securing Networks with Cisco Routers and Switches (SNRS) exam (642-502), or both
At least six months of practical experience configuring Cisco routers and security products
Familiarity with implementing network security policies and these networking components and concepts:
Perimeter security system components: perimeter router, firewall, intrusion prevention system (IPS), virtual private network (VPN), and demilitarized zone (DMZ) host
Servers: Cisco Security Manager; syslog; authentication, authorization, and accounting (AAA); Cisco Secure Access Control Server (Cisco Secure ACS); and FTP
Protocols: syslog, Simple Network Management Protocol (SNMP), Secure Shell (SSH), FTP, and Telnet
Describe effective security monitoring and management concepts
Describe Cisco Self-Defending Network
Describe a Cisco Security MARS solution
Provide an overview of Cisco Security MARS terminology
Describe Cisco Security MARS technologies
Effective Security Monitoring and Management
Cisco Self-Defending Network and the Role of Cisco Security MARS
Cisco Security MARS
Cisco Security MARS Terminology
Cisco Security MARS Technologies
Cisco Security MARS User Interface
Cisco Security MARS Product Portfolio
Provide an overview of Cisco Security MARS software components
Describe STM process flow and the corresponding architectural components of Cisco Security MARS in detail
Cisco Security MARS Software Components
Cisco Security MARS Process Flow Details
Provide an overview of the initial Cisco Security MARS configuration
Provide brief overviews of each of the six tasks involved in configuring the appliance
Describe guidelines for deploying a Cisco Security MARS appliance
Initial Cisco Configuration Overview
Scenario: Configuration Tasks
Deployment Planning Guidelines
Pre-Lab Activity: Accessing the Remote Lab
Lab 3: Accessing the Cisco Security MARS Appliance
Provide an overview of the reporting and mitigation devices that can be used with the Cisco Security MARS appliance
Describe different methods of providing Cisco Security MARS with the data that is required to study the activities on the network
Provide an overview of integrating Cisco Security MARS with third-party applications
Overview of Reporting and Mitigation Devices
Scenario: Adding a Cisco Reporting Device and Enabling NetFlow
Data-Enabling Features of Cisco Security MARS
Integrating Cisco Security MARS with Third-Party Applications
Lab 4-1: Adding Reporting Devices and Enabling NetFlow
Lab 4-2: Configuring the Syslog Forwarding Feature
Describe the Summary page on the Cisco Security MARS appliance
Describe the Dashboard tab on the Cisco Security MARS Summary page
Describe the Network Status tab of the Cisco Security MARS Summary page
Describe the My Reports tab of the Cisco Security MARS Summary page
Summary Page Overview
Dashboard
Network Status
My Reports
Scenario: Getting Information from the Summary Page
Provide an overview of rules in Cisco Security MARS
Describe and configure system and user inspection rules
Describe and configure drop rules
Provide an overview of rule and report groups
Rules Overview
Working with System and User Inspection Rules
Working with Drop Rules
Rule Groups Overview
Lab 6-1: Configuring Cisco Security MARS Event Types
Lab 6-2: Configuring an Inspection Rule
Provide an overview of the Query page and demonstrate how to generate a query
Provide an overview of the Reports page and demonstrate how to create a scheduled report
Query Page
Scenario: Configuring a Query
Reports Page
Scenario: Configuring a System Report
Provide an overview of incidents
Describe the Incidents submenu and incident investigation process
Describe the role of Cisco Security MARS in a network
Describe false positive terminology and the key elements of the False Positives page
Describe the Case Management feature of Cisco Security MARS
Describe how to configure a case to track an incident
Describe the prerequisites and the process of sending notifications
Discuss the case study on preventing the W32 Blaster worm
Incidents Overview
Incidents
Scenario: Role of Cisco Security MARS in Your Network
False Positives
Case Management
Scenario: Configuring a Case to Track an Incident
Configuring Notifications
Case Study: Preventing the W32 Blaster Worm
Describe user-defined log parser templates
Describe how to configure a custom parser
Describe Cisco Security Manager and Cisco Security MARS integration
Demonstrate how to add a Cisco Security Manager server to a Cisco Security MARS appliance and then invoke Cisco Security Manager Policy Table Lookup from Cisco Security MARS
Overview of Cisco Security Manager Policy Table Lookup
Scenario: Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS
Reference
Describe the event, addressing, service, and user management tasks that can be performed in Cisco Security MARS
Provide an overview of the Cisco Security MARS appliance system maintenance tasks
Describe how Cisco Security MARS can discover the new signatures on IPS devices
Describe the software upgrade process in Cisco Security MARS appliance
Describe the caveats and process of migrating data from a 4.3.x to 5.3.x Cisco Security MARS appliance
Management Overview
Overview of System Maintenance Tasks
IPS Signature Dynamic Update Settings
Upgrading the Cisco Security MARS Appliance Software
Migrating Data from Cisco Security MARS 4.3.x to 5.3.x
Lab 11-1: Reviewing the CLI and Upgrading the Device Version
Lab 11-2: Configuring IPS Auto Signature Download
Lab 11-3: Configuring AAA RADIUS Authentication and Working with the Account Locking and Session Timeout Menu
Lab 11-4: Retrieving Raw Messages
Describe common hardware issues with the Cisco Security MARS appliance
Describe common configuration issues with the Cisco Security MARS appliance
Discuss communications issues between a Global Controller and the Local Controllers it manages
Describe the parameters to consider when sizing the Cisco Security MARS deployment
Provide general recommendations for tuning Cisco Security MARS appliances
Provide general recommendations for securing Cisco Security MARS appliances
Hardware Installation Issues
Device Configuration Issues
Global Controller-to-Local Controller Communications
Sizing Cisco Security MARS Deployment
Tuning Cisco Security MARS
Securing Cisco Security MARS
Provide an overview of the Cisco Security MARS Global Controller and its functions and architecture
Describe the procedure to set up and perform the initial configuration on the Cisco Security MARS Global Controller
Describe the user interface and Summary page of the Cisco Security MARS Global Controller
Describe incident investigation on the Cisco Security MARS Global Controller
Describe the Query and Reports tab options of the Cisco Security MARS Global Controller
Describe how to configure rules on the Cisco Security MARS Global Controller that are propagated down to the Cisco Security MARS Local Controller
Describe the steps to configure the administration and management features of the Cisco Security MARS Global Controller
Describe the system maintenance tasks for the Cisco Security MARS Global Controller
Cisco Security MARS Global Controller Overview
Configuring the Cisco Security MARS Global Controller
Summary Tab
Incidents Tab
Queries and Reports
Rules Tab
Management Tab
System Maintenance Tab
Describe how the Cisco Security MARS appliance is providing STM functionality, given a scenario
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Given client network security requirements, explain how a Cisco NAC Appliance deployment scenario will meet or exceed network security requirements
Configure the common elements of a Cisco NAC Appliance solution
Configure the Cisco NAC Appliance in-band and out-of-band implementation options
Implement a highly available Cisco NAC Appliance solution to mitigate network threats and facilitate network access for those users that meet corporate security requirements
Maintain a highly available Cisco NAC Appliance deployment in medium and enterprise network environments
Course Introduction
Cisco NAC Endpoint Security Solutions
Cisco NAC Appliance Common Elements Configuration
Cisco NAC Appliance Implementation
Cisco NAC Appliance Implementation Options
Cisco NAC Appliance Monitoring and Administration
Describe the key factors that are causing changes to network security
Describe the role of each of the three components of the Cisco host-protection strategy
Describe the Cisco SDN strategy
Describe Cisco NAC products
Changing Landscape of Security
Cisco Host-Protection Strategy
The Cisco SDN Initiative
Cisco NAC Products
Lesson 2: Introducing Cisco NAC Appliance
This lesson defines how to describe the Cisco NAC Appliance solution. Upon completing this lesson, the learner will be able to meet these objectives:
Summarize how the Cisco NAC Appliance solution controls and secures networks
Describe the components of a Cisco NAC Appliance solution
Describe the supported platforms for a Cisco NAC Appliance solution
Explain how Cisco NAC Appliance enforces compliance for remote and local users
Summarize how to configure a Cisco NAC Appliance solution
Navigate through the Cisco NAC Appliance web-based GUI
Cisco NAC Appliance Solution Cisco NAC Appliance Components Cisco NAC Appliance Platforms Cisco NAC Appliance Local and Remote Compliance Scenarios Cisco NAC Appliance Configuration Overview Cisco NAC Appliance User Interface
Lesson 3: Introducing In-Band and Out-of-Band Deployment Options
This lesson defines how to deploy Cisco NAC Appliance to protect against specified threats. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco NAS deployment options
Describe the in-band and out-of-band deployment options
Describe the key features of a Cisco NAC Appliance out-of-band deployment
Describe the key features of a Cisco NAC Appliance in-band deployment
Describe the Cisco NAS operating modes for an in-band and out-of-band deployment
Cisco NAS Deployment Options
In-Band and Out-of-Band Deployment Options
Cisco NAC Appliance Out-of-Band Deployment
Cisco NAC Appliance In-Band Deployment
Cisco NAS Operating Modes
Describe user roles in Cisco NAC Appliance
Describe how to manage user roles
Explain traffic control policies for user roles
Describe how to configure traffic control policies for a user role
Describe how to create a local user account
Describe how to configure user session timeouts for user roles
Describe how to configure guest access for visitors or temporary users in a Cisco NAC Appliance network
What Is a User Role?
Managing User Roles
Defining Traffic Policies for User Roles
Configuring Traffic Policies for User Roles
Creating Local User Accounts
Configuring User Session Timeouts
Configuring Guest Access
Lesson 2: Configuring External Authentication
This lesson defines how to configure external authentication for users in a network using the Cisco NAM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure the Cisco NAM to use external authentication providers
Describe how to map users to user roles when configuring external authentication
Describe how to test user authentication for configured external authentication providers
Describe how to configure RADIUS accounting for users in a Cisco NAC Appliance network
Configuring External Authentication Providers
Mapping Users to User Roles
Testing User Authentication
Configuring RADIUS Accounting for Users
Lesson 3: Configuring DHCP on the Cisco NAS
This lesson defines how to configure the Cisco NAS for a DHCP-enabled network. Upon completing this lesson, the learner will be able to meet these objectives:
Describe Cisco NAS modes of operation for a DHCP-enabled network
Describe how to enable the Cisco NAS DHCP module
Describe how to configure the Cisco NAS to provide DHCP services
Describe how to manage generated subnets on the Cisco NAS
Describe how to configure the Cisco NAS to provide reserved IP addresses
Describe how to configure user-specified DHCP options on the Cisco NAS
Cisco NAS DHCP Modes
Enabling the DHCP Module
Configuring IP Ranges
Working with Subnets
Reserving IP Addresses
Configuring User-Specified DHCP Options
2009 Cisco Systems, Inc.
Describe the Cisco NAC Appliance in-band process flow
Describe central and edge in-band deployment configurations for Cisco NAC Appliance
Describe how to configure the Cisco NAS for in-band deployment
Describe how to add the Cisco NAS to the Cisco NAM managed domain for in-band deployment
Describe how to use the Cisco NAM to configure the trusted and untrusted interfaces of the Cisco NAS
Describe how to add managed subnets on the Cisco NAS
Describe how to configure Cisco NAS VLAN settings
In-Band Process Flow
In-Band Deployment Configurations
Configuring the Cisco NAS for In-Band Deployment
Adding the Cisco NAS to the Managed Domain
Configuring the Cisco NAS Interfaces
Adding Managed Subnets
Configuring Cisco NAS VLAN Settings
Lesson 2: Implementing the Microsoft Windows SSO Feature on the Cisco NAC Appliance
This lesson defines how to configure the Cisco NAC Appliance Server (Cisco NAS) to support the NAC Appliance Microsoft Windows single sign-on (SSO) with Active Directory feature for client and server machines to meet customer remote access requirements. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how Cisco NAC Appliance uses Windows SSO to ensure increased security
Summarize the process used by Microsoft Windows to exchange Kerberos tickets with the Cisco NAS
Describe how a Cisco NAS communicates with a Microsoft Windows Active Directory server
Describe the steps that are used to configure Active Directory SSO for the Cisco NAM, Cisco NAS, and Microsoft Windows Active Directory Server
Cisco NAC Appliance SSO for Microsoft Windows
Kerberos Ticket Exchange
Communicating Between Cisco NAS and a Microsoft Windows Active Directory Server
Configuring Active Directory SSO for the Cisco NAM, Cisco NAS, and Microsoft Windows Active Directory Server
Configuring the Microsoft Windows Active Directory SSO Feature on the Cisco NAC Appliance
Lesson 3: Implementing the Cisco VPN SSO Feature on the Cisco NAC Appliance
This lesson defines how to use the Cisco NAC Appliance web-based administration console to configure the Cisco NAS to support Cisco VPN SSO devices. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco NAC Appliance VPN SSO support for Cisco VPN concentrators and Cisco Adaptive Security Appliances (ASAs)
Explain how the SSO improves the use of VPN services with the Cisco NAC Appliance solution
Describe how to configure the Cisco NAC Appliance for Cisco VPN SSO device integration
Introducing Cisco NAC Appliance VPN SSO
Introducing VPN SSO Support
Configuring Cisco NAC Appliance for VPN Concentrator or ASA Integration
Configuring the Cisco VPN SSO Feature on the Cisco NAC Appliance
Lesson 4: Implementing Cisco NAC Appliance Out-of-Band Deployment
This lesson defines how to deploy a Cisco NAC Appliance out-of-band solution for VLAN-based quarantine. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco NAC Appliance out-of-band process flow
Describe the considerations for implementing the Cisco NAC Appliance out-of-band for central- and edge-deployment scenarios
Describe how to add an out-of-band Cisco NAS to the Cisco NAM
Describe how to implement the Cisco NAC Appliance out-of-band deployment for the different Cisco NAS operating modes
Out-of-Band Process Flow
Out-of-Band Deployment Considerations
Adding an Out-of-Band Cisco NAS to the Cisco NAM
Implementing Cisco NAS Out-of-Band Operating Modes
Adding an Out-of-Band Virtual Gateway Cisco NAS to an HA Cisco NAC Appliance Deployment
Note
For the purposes of learning continuity, this lesson activity can be completed after the lab activity Configuring an HA In-Band VPN Cisco NAC Appliance Solution.
Lesson 5: Managing Switches
This lesson defines how to configure the Cisco NAM to manage switches for out-of-band deployment scenarios. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to implement switch management for Cisco NAC Appliance out-of-band deployment
Describe how to set up switches so that they can be used with Cisco NAC Appliance out-of-band deployment
Describe how to configure group profiles on the Cisco NAM for out-of-band deployment
Describe how to configure switch profiles on the Cisco NAM for out-of-band deployment
Describe how to configure port profiles on the Cisco NAM for out-of-band deployment
Describe how to configure the SNMP receiver on the Cisco NAM for out-of-band deployment
Describe how to add switches to the Cisco NAM managed domain for out-of-band deployment
Describe how to configure switch ports to use the Cisco NAM port profiles for out-of-band deployment
Describe how to manage the switch configuration settings for out-of-band deployment
Implementing Switch Management
Configuring the Network for Out-of-Band Deployment
Configuring Group Profiles
Configuring Switch Profiles
Configuring Port Profiles
Configuring the SNMP Receiver
Adding Switches to the Managed Domain
Configuring Switch Ports to Use Port Profiles
Configuring SNMP, Switch, and Port Profiles for an Out-of-Band Cisco NAC Appliance Deployment
Note
For the purposes of learning continuity, this lesson activity can be completed after the activities to configure Cisco NAM and Cisco NAS high availability.
Describe how to implement Cisco NAC Appliance to protect a network
Describe how to use the Device Management menu options to configure the general setup options
Explain how user pages are configured in Cisco NAC Appliance
Describe how to use the Cisco NAM to manage certified devices in the network
Implementing Cisco NAC Appliance
Introducing the General Setup Tab
Introducing User Pages
Managing Certified Devices
Lesson 2: Implementing Network Scanning
This lesson defines how to configure the Cisco NAC Appliance network scanner to use Nessus plug-ins to check for security vulnerabilities. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the steps that are needed to configure the Cisco NAC Appliance network scanner to use Nessus plug-ins
Describe how to configure the quarantine role
Describe how to implement Nessus plug-ins into the Cisco NAM repository
Describe how to test a network scanning configuration
Describe how to customize the User Agreement page
Describe how to view scan reports
Introducing Network Scanning
Configuring the Quarantine Role
Implementing Nessus Plug-Ins
Testing a Scanning Configuration
Customizing the User Agreement Page
Viewing Scan Reports
Lesson 3: Configuring the Cisco NAM to Implement the Cisco NAA on User Devices
This lesson defines how to configure the Cisco NAM to implement Cisco NAA on client machines in a network. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the steps that are used to configure the Cisco NAM to implement the Cisco NAA on client machines
Describe how to retrieve updates from the Cisco NAC Appliance update server
Describe how to ensure that the Cisco NAA is installed on user devices
Describe how to configure the Cisco NAA temporary role on the Cisco NAM
Explain Cisco NAA system requirements
Describe how to create a check
Describe how to create an antivirus rule and a normal rule
Describe how to create an antivirus requirement and a custom requirement
Describe how to map requirements to rules and roles
Configuring the Cisco NAM to Implement the Cisco NAA
Retrieving Updates
Requiring the Use of the Cisco NAA
Configuring the Cisco NAA Temporary Role
Introducing Cisco NAA Checks, Rules, and Requirements
Creating a Check
Creating Rules
Creating Requirements
Mapping Requirements to Rules and Roles
Lesson 4: Configuring Cisco NAM High Availability
This lesson defines how to configure a high-availability pair of Cisco NAMs. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure high availability between two Cisco NAMs
Describe how to establish a serial connection between two Cisco NAMs
Describe how to configure a primary Cisco NAM for high availability
Describe how to configure a secondary Cisco NAM for high availability
Introducing High Availability for Cisco NAMs
Establishing a Serial Connection Between Cisco NAMs
Configuring the Primary Cisco NAM
Configuring the Secondary Cisco NAM
Lesson 5: Configuring Cisco NAS High Availability
This lesson defines how to configure a high-availability pair of Cisco NASs. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to configure high availability between two Cisco NASs
Describe how to configure the primary Cisco NAS for high availability
Describe how to configure the secondary Cisco NAS for high availability
Describe how to test the Cisco NAS high-availability configuration
Describe how to configure DHCP failover
Introducing High Availability for Cisco NASs
Configuring the Primary Cisco NAS
Configuring the Secondary Cisco NAS
Testing the Cisco NAS High-Availability Configuration
Configuring DHCP Failover
Describe how to monitor Cisco NAC Appliance activities
Describe how to use the Online Users page to monitor online users
Describe how to use the web-based administrative console to monitor event logging
Introducing Cisco NAC Appliance Monitoring
Monitoring Online Users
Monitoring Event Logs
Lesson 2: Administering the Cisco NAM
This lesson defines how to manage a Cisco NAC Appliance deployment. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the components of the Cisco NAM administration module
Describe how to manage administrator groups
Describe how to manage users with administrator privileges
Describe how to manage user passwords
Describe how to administer the Cisco NAM system time settings
Describe how to configure SSL certificate management using the administrator console of the Cisco NAM
Describe how to manage Cisco NAC Appliance software upgrades and licenses
Describe the steps used to maintain a Cisco NAM configuration
Defining the Cisco NAM Administration Module
Managing Administrator Groups
Managing Administrator Users
Managing User Passwords
Administering the System Time
Managing SSL Certificates
Managing the Cisco NAC Appliance Software
Protecting Your Cisco NAM Configuration