CCNA Security (210-260) Portable Command Guide, Second Edition

Book Description

Preparing for the latest CCNA Security exam? Here are all the CCNA Security (210-260) commands you need in one condensed, portable resource. Filled with valuable, easy-to-access information, the CCNA Security Portable Command Guide is portable enough for you to use whether you’re in the server room or the equipment closet.

Completely updated to reflect the new CCNA Security 210-260 exam, this quick reference summarizes relevant Cisco IOS® Software commands, keywords, command arguments, and associated prompts, and offers tips and examples for applying these commands to real-world security challenges. Configuration examples throughout provide an even deeper understanding of how to use IOS to protect networks.

Topics covered include

  • Networking security fundamentals: concepts, policies, strategy

  • Protecting network infrastructure: network foundations, security management planes/access; data planes (Catalyst switches and IPv6)

  • Threat control/containment: protecting endpoints and content; configuring ACLs, zone-based firewalls, and Cisco IOS IPS

  • Secure connectivity: VPNs, cryptology, asymmetric encryption, PKI, IPsec VPNs, and site-to-site VPN configuration

  • ASA network security: ASA/ASDM concepts; configuring ASA basic settings, advanced settings, and VPNs

  • Access all CCNA Security commands: use as a quick, offline resource for research and solutions

  • Logical how-to topic groupings provide one-stop research

  • Great for review before CCNA Security certification exams

  • Compact size makes it easy to carry with you, wherever you go

  • “Create Your Own Journal” section with blank, lined pages allows you to personalize the book for your needs

  • “What Do You Want to Do?” chart inside the front cover helps you to quickly reference specific tasks

  • Table of Contents

    1. About This E-Book
    2. Title Page
    3. Copyright Page
    4. About the Author
    5. About the Technical Reviewers
    6. Dedications
    7. Acknowledgments
    8. Contents at a Glance
    9. Reader Services
    10. Table of Contents
    11. Command Syntax Conventions
    12. Introduction
      1. Networking Devices Used in the Preparation of This Book
      2. Who Should Read This Book
      3. Organization of This Book
    13. Part I: Networking Security Fundamentals
      1. Chapter 1. Networking Security Concepts
        1. Basic Security Concepts
          1. Security Terminology
          2. Confidentiality, Integrity, and Availability (CIA)
          3. Data Classification Criteria
          4. Data Classification Levels
          5. Classification Roles
        2. Threat Classification
          1. Trends in Information Security Threats
          2. Preventive, Detective, and Corrective Controls
          3. Risk Avoidance, Transfer, and Retention
        3. Drivers for Network Security
          1. Evolution of Threats
          2. Data Loss and Exfiltration
          3. Tracking Threats
        4. Malware
          1. Anatomy of a Worm
          2. Mitigating Malware and Worms
        5. Threats in Borderless Networks
          1. Hacker Titles
          2. Thinking Like a Hacker
          3. Reconnaissance Attacks
          4. Access Attacks
          5. Password Cracking
          6. Denial-of-Service Attacks
          7. Distributed Denial-of-Service Attacks
          8. Tools Used by Attackers
        6. Principles of Secure Network Design
          1. Defense in Depth
      2. Chapter 2. Implementing Security Policies
        1. Managing Risk
          1. Quantitative Risk Analysis Formula
          2. Quantitative Risk Analysis Example
          3. Regulatory Compliance
        2. Security Policy
          1. Standards, Guidelines, and Procedures
          2. Security Policy Audience Responsibilities
          3. Security Awareness
        3. Secure Network Lifecycle Management
          1. Models and Frameworks
          2. Assessing and Monitoring the Network Security Posture
          3. Testing the Security Architecture
        4. Incident Response
          1. Incident Response Phases
          2. Computer Crime Investigation
          3. Collection of Evidence and Forensics
          4. Law Enforcement and Liability
          5. Ethics
        5. Disaster-Recovery and Business-Continuity Planning
      3. Chapter 3. Building a Security Strategy
        1. Cisco Borderless Network Architecture
          1. Borderless Security Products
        2. Cisco SecureX Architecture and Context-Aware Security
          1. Cisco TrustSec
          2. TrustSec Confidentiality
          3. Cisco AnyConnect
          4. Cisco Talos
        3. Threat Control and Containment
        4. Cloud Security and Data-Loss Prevention
        5. Secure Connectivity Through VPNs
        6. Security Management
    14. Part II: Protecting the Network Infrastructure
      1. Chapter 4. Network Foundation Protection
        1. Threats Against the Network Infrastructure
        2. Cisco Network Foundation Protection Framework
        3. Control Plane Security
          1. Control Plane Policing
        4. Management Plane Security
          1. Role-Based Access Control
          2. Secure Management and Reporting
          3. Data Plane Security
          4. ACLs
          5. Antispoofing
          6. Layer 2 Data Plane Protection
      2. Chapter 5. Securing the Management Plane
        1. Planning a Secure Management and Reporting Strategy
        2. Securing the Management Plane
          1. Securing Passwords
          2. Securing the Console Line and Disabling the Auxiliary Line
          3. Securing VTY Access with SSH
          4. Securing VTY Access with SSH Example
          5. Securing Configuration and IOS Files
          6. Restoring Bootset Files
        3. Implementing Role-Based Access Control on Cisco Routers
          1. Configuring Privilege Levels
          2. Configuring Privilege Levels Example
          3. Configuring RBAC
          4. Configuring RBAC via the CLI Example
          5. Configuring Superviews
          6. Configuring a Superview Example
        4. Network Monitoring
          1. Configuring a Network Time Protocol Master Clock
          2. Configuring an NTP Client
          3. Configuring an NTP Master and Client Example
          4. Configuring Syslog
          5. Configuring Syslog Example
          6. Configuring SNMPv3
          7. Configuring SNMPv3 Example
      3. Chapter 6. Securing Management Access with AAA
        1. Authenticating Administrative Access
          1. Local Authentication
          2. Server-Based Authentication
          3. Authentication, Authorization, and Accounting Framework
        2. Local AAA Authentication
          1. Configuring Local AAA Authentication Example
        3. Server-Based AAA Authentication
          1. TACACS+ Versus RADIUS
          2. Configuring Server-Based AAA Authentication
          3. Configuring Server-Based AAA Authentication Example
        4. AAA Authorization
          1. Configuring AAA Authorization Example
        5. AAA Accounting
          1. Configuring AAA Accounting Example
        6. 802.1X Port-Based Authentication
          1. Configuring 802.1X Port-Based Authentication
          2. Configuring 802.1X Port-Based Authentication Example
      4. Chapter 7. Securing the Data Plane on Catalyst Switches
        1. Common Threats to the Switching Infrastructure
          1. Layer 2 Attacks
          2. Layer 2 Security Guidelines
        2. MAC Address Attacks
          1. Configuring Port Security
          2. Fine-Tuning Port Security
          3. Configuring Optional Port Security Settings
          4. Configuring Port Security Example
        3. VLAN Hopping Attacks
          1. Mitigating VLAN Attacks
          2. Mitigating VLAN Attacks Example
        4. DHCP Attacks
          1. Mitigating DHCP Attacks
          2. Mitigating DHCP Attacks Example
        5. ARP Attacks
          1. Mitigating ARP Attacks
          2. Mitigating ARP Attacks Example
        6. Address Spoofing Attacks
          1. Mitigating Address Spoofing Attacks
          2. Mitigating Address Spoofing Attacks Example
        7. Spanning Tree Protocol Attacks
          1. STP Stability Mechanisms
          2. Configuring STP Stability Mechanisms
          3. Configuring STP Stability Mechanisms Example
        8. LAN Storm Attacks
          1. Configuring Storm Control
          2. Configuring Storm Control Example
        9. Advanced Layer 2 Security Features
          1. ACLs and Private VLANs
          2. Secure the Switch Management Plane
      5. Chapter 8. Securing the Data Plane in IPv6 Environments
        1. Overview of IPv6
          1. Comparison Between IPv4 and IPv6
          2. The IPv6 Header
          3. ICMPv6
          4. Stateless Autoconfiguration
          5. IPv4-to-IPv6 Transition Solutions
          6. IPv6 Routing Solutions
        2. IPv6 Threats
          1. IPv6 Vulnerabilities
        3. IPv6 Security Strategy
          1. Configuring Ingress Filtering
          2. Secure Transition Mechanisms
          3. Future Security Enhancements
    15. Part III: Threat Control and Containment
      1. Chapter 9. Endpoint and Content Protection
        1. Protecting Endpoints
          1. Endpoint Security
          2. Data Loss Prevention
          3. Endpoint Posture Assessment
        2. Cisco Advanced Malware Protection (AMP)
          1. Cisco AMP Elements
          2. Cisco AMP for Endpoint
          3. Cisco AMP for Endpoint Products
        3. Content Security
          1. Email Threats
          2. Cisco Email Security Appliance (ESA)
          3. Cisco Email Security Virtual Appliance (ESAV)
          4. Cisco Web Security Appliance (WSA)
          5. Cisco Web Security Virtual Appliance (WSAV)
          6. Cisco Cloud Web Security (CWS)
      2. Chapter 10. Configuring ACLs for Threat Mitigation
        1. Access Control List
          1. Mitigating Threats Using ACLs
          2. ACL Design Guidelines
          3. ACL Operation
        2. Configuring ACLs
          1. ACL Configuration Guidelines
          2. Filtering with Numbered Extended ACLs
          3. Configuring a Numbered Extended ACL Example
          4. Filtering with Named Extended ACLs
          5. Configuring a Named Extended ACL Example
        3. Mitigating Attacks with ACLs
          1. Antispoofing ACLs Example
          2. Permitting Necessary Traffic through a Firewall Example
          3. Mitigating ICMP Abuse Example
        4. Enhancing ACL Protection with Object Groups
          1. Network Object Groups
          2. Service Object Groups
          3. Using Object Groups in Extended ACLs
          4. Configuring Object Groups in ACLs Example
        5. ACLs in IPv6
          1. Mitigating IPv6 Attacks Using ACLs
          2. IPv6 ACLs Implicit Entries
          3. Filtering with IPv6 ACLs
          4. Configuring an IPv6 ACL Example
      3. Chapter 11. Configuring Zone-Based Firewalls
        1. Firewall Fundamentals
          1. Types of Firewalls
        2. Firewall Design
          1. Security Architectures
          2. Firewall Policies
          3. Firewall Rule Design Guidelines
          4. Cisco IOS Firewall Evolution
        3. Cisco IOS Zone-Based Policy Firewall
          1. Cisco Common Classification Policy Language
          2. ZPF Design Considerations
          3. Default Policies, Traffic Flows, and Zone Interaction
          4. Configuring an IOS ZPF
          5. Configuring an IOS ZPF Example
      4. Chapter 12. Configuring Cisco IOS IPS
        1. IDS and IPS Fundamentals
          1. Types of IPS Sensors
          2. Types of Signatures
          3. Types of Alarms
        2. Intrusion Prevention Technologies
          1. IPS Attack Responses
          2. IPS Anti-Evasion Techniques
          3. Managing Signatures
          4. Cisco IOS IPS Signature Files
          5. Implementing Alarms in Signatures
          6. IOS IPS Severity Levels
          7. Event Monitoring and Management
          8. IPS Recommended Practices
        3. Configuring IOS IPS
          1. Creating an IOS IPS Rule and Specifying the IPS Signature File Location
          2. Tuning Signatures per Category
          3. Configuring IOS IPS Example
    16. Part IV: Secure Connectivity
      1. Chapter 13. VPNs and Cryptology
        1. Virtual Private Networks
          1. VPN Deployment Modes
        2. Cryptology = Cryptography + Cryptanalysis
          1. Historical Cryptographic Ciphers
          2. Modern Substitution Ciphers
          3. Encryption Algorithms
          4. Cryptanalysis
        3. Cryptographic Processes in VPNs
          1. Classes of Encryption Algorithms
          2. Symmetric Encryption Algorithms
          3. Asymmetric Encryption Algorithm
          4. Choosing an Encryption Algorithm
          5. Choosing an Adequate Keyspace
        4. Cryptographic Hashes
          1. Well-Known Hashing Algorithms
          2. Hash-Based Message Authentication Codes
        5. Digital Signatures
      2. Chapter 14. Asymmetric Encryption and PKI
        1. Asymmetric Encryption
          1. Public Key Confidentiality and Authentication
          2. RSA Functions
        2. Public Key Infrastructure
          1. PKI Terminology
          2. PKI Standards
          3. PKI Topologies
          4. PKI Characteristics
      3. Chapter 15. IPsec VPNs
        1. IPsec Protocol
          1. IPsec Protocol Framework
          2. Encapsulating IPsec Packets
          3. Transport Versus Tunnel Mode
          4. Confidentiality Using Encryption Algorithms
          5. Data Integrity Using Hashing Algorithms
          6. Peer Authentication Methods
          7. Key Exchange Algorithms
          8. NSA Suite B Standard
        2. Internet Key Exchange
          1. IKE Negotiation Phases
          2. IKEv1 Phase 1 (Main Mode and Aggressive Mode)
          3. IKEv1 Phase 2 (Quick Mode)
          4. IKEv2 Phase 1 and 2
          5. IKEv1 Versus IKEv2
        3. IPv6 VPNs
      4. Chapter 16. Configuring Site-to-Site VPNs
        1. Site-to-Site IPsec VPNs
          1. IPsec VPN Negotiation Steps
          2. Planning an IPsec VPN
          3. Cipher Suite Options
        2. Configuring IOS Site-to-Site VPNs
          1. Verifying the VPN Tunnel
          2. Configuring a Site-to-Site IPsec VPN
    17. Part V: Securing the Network Using the ASA
      1. Chapter 17. Introduction to the ASA
        1. Adaptive Security Appliance
          1. ASA Models
          2. Routed and Transparent Firewall Modes
          3. ASA Licensing
        2. Basic ASA Configuration
          1. ASA 5505 Front and Back Panel
          2. ASA Security Levels
          3. ASA 5505 Port Configuration
          4. ASA 5505 Deployment Scenarios
          5. ASA 5505 Configuration Options
      2. Chapter 18. Introduction to ASDM
        1. Adaptive Security Device Manager
          1. Accessing ASDM
          2. Factory Default Settings
          3. Resetting the ASA 5505 to Factory Default Settings
          4. Erasing the Factory Default Settings
          5. Setup Initialization Wizard
        2. Installing and Running ASDM
          1. Running ASDM
        3. ASDM Wizards
          1. The Startup Wizard
          2. VPN Wizards
          3. Advanced Wizards
      3. Chapter 19. Configuring Cisco ASA Basic Settings
        1. ASA Command-Line Interface
          1. Differences Between IOS and ASA OS
        2. Configuring Basic Settings
          1. Configuring Basic Management Settings
          2. Enabling the Master Passphrase
        3. Configuring Interfaces
          1. Configuring the Inside and Outside SVIs
          2. Assigning Layer 2 Ports to VLANs
          3. Configuring a Third SVI
        4. Configuring the Management Plane
          1. Enabling Telnet, SSH, and HTTPS Access
          2. Configuring Time Services
        5. Configuring the Control Plane
          1. Configuring a Default Route
        6. Basic Settings Example
          1. Configuring Basic Settings Example Using the CLI
          2. Configuring Basic Settings Example Using ASDM
          3. Configuring Interfaces Using ASDM
          4. Configuring the System Time Using ASDM
          5. Configuring Static Routing Using ASDM
          6. Configuring Device Management Access Using ASDM
      4. Chapter 20. Configuring Cisco ASA Advanced Settings
        1. ASA DHCP Services
          1. DHCP Client
          2. DHCP Server Services
          3. Configuring DHCP Server Example Using the CLI
          4. Configuring DHCP Server Example Using ASDM
        2. ASA Objects and Object Groups
          1. Network and Service Objects
          2. Network, Protocol, ICMP, and Service Object Groups
          3. Configuring Objects and Object Groups Example Using ASDM
        3. ASA ACLs
          1. ACL Syntax
          2. Configuring ACLs Example Using the CLI
          3. Configuring ACLs with Object Groups Example Using the CLI
          4. Configuring ACLs with Object Groups Example Using ASDM
        4. ASA NAT Services
          1. Auto-NAT
          2. Dynamic NAT, Dynamic PAT, and Static NAT
          3. Configuring Dynamic and Static NAT Example Using the CLI
          4. Configuring Dynamic NAT Example Using ASDM
          5. Configuring Dynamic PAT Example Using ASDM
          6. Configuring Static NAT Example Using ASDM
        5. AAA Access Control
          1. Local AAA Authentication
          2. Server-Based AAA Authentication
          3. Configuring AAA Server-Based Authentication Example Using the CLI
          4. Configuring AAA Server-Based Authentication Example Using ASDM
        6. Modular Policy Framework Service Policies
          1. Class Maps, Policy Maps, and Service Policies
          2. Default Global Policies
          3. Configure Service Policy Example Using ASDM
      5. Chapter 21. Configuring Cisco ASA VPNs
        1. Remote-Access VPNs
          1. Types of Remote-Access VPNs
        2. ASA SSL VPN
          1. Client-Based SSL VPN Example Using ASDM
          2. Clientless SSL VPN Example Using ASDM
        3. ASA Site-to-Site IPsec VPN
          1. ISR IPsec VPN Configuration
          2. ASA Initial Configuration
          3. ASA VPN Configuration Using ASDM
    18. Appendix A. Create Your Own Journal Here
    19. Index
    20. Code Snippets