CCNP Security Secure 642-637 Official Cert Guide is a comprehensive self-study tool for preparing for the Secure exam. This book teaches you how to secure Cisco IOS Software router and switch-based networks and provide security services based on Cisco IOS Software. Complete coverage of all exam topics as posted on the exam topic blueprint ensures you will arrive at a thorough understanding of what you need to master to succeed on the exam. The book follows a logical organization of the Secure exam objectives. Material is presented in a concise manner, focusing on increasing your retention and recall of exam topics. This book helps you organize your exam preparation through the use of consistent features, including:
· Pre-chapter quiz - These quizzes allow you to assess your knowledge of the chapter content and decide how much time to spend on any given section.
· Foundation Topics - These sections make up the majority of the page count, explaining the concepts and configurations, with emphasis on the theory and on linking that theory to the meaning of the configuration commands.
· Key Topics - Inside the Foundation Topics sections, every figure, table, or list that should absolutely be understood and remembered for the exam is noted with the words "Key Topic" in the margin. This tool allows you to quickly review the most important details in each chapter.
· Exam Preparation - This ending section of each chapter includes additional features for review and study, all designed to help you remember the details as well as to get more depth. You will be instructed to review key topics from the chapter, complete tables and lists from memory, and define key terms.
· Final Preparation Chapter - This final chapter details a set of tools and a study plan to help you complete your exam preparation.
Product Description
Trust the best selling Official Cert Guide series from Cisco Press to help you learn, prepare, and practice for exam success. They are built with the objective of providing assessment, review, and practice to help ensure you are fully prepared for your certification exam.
CCNP Security SECURE 642-637 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. "Do I Know This Already?" quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.
Master CCNP Security SECURE 642-637 exam topics
Assess your knowledge with chapter-opening quizzes
Review key concepts with exam preparation tasks
Practice with realistic exam questions on the CD-ROM
CCNP Security SECURE 642-637 Official Cert Guide focuses specifically on the objectives for the CCNP Security SECURE exam. Senior networking consultants Sean Wilkins and Trey Smith share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
The companion CD-ROM contains a powerful Pearson IT Certification Practice Test engine that enables you to focus on individual topic areas or take a complete, timed exam. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
The official study guide helps you master all the topics on the CCNP Security SECURE exam, including:
Network security threats and foundation protection
Switched data plane security
802.1X and identity-based networking services
Cisco IOS routed data plane security
Cisco IOS control plane security
Cisco IOS management plane security
NAT
Zone-based firewalls
IOS intrusion prevention system
Cisco IOS site-to-site security solutions
IPsec VPNs, dynamic multipoint VPNs, and GET VPNs
SSL VPNs and EZVPN
CCNP Security SECURE 642-637 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
The print edition of the CCNP Security SECURE 642-637 Official Cert Guide contains a free, complete practice exam.
Pearson IT Certification Practice Test minimum system requirements:
Windows XP (SP3), Windows Vista (SP2), or Windows 7;
Microsoft .NET Framework 4.0 Client;
Microsoft SQL Server Compact 4.0;
Pentium class 1GHz processor (or equivalent);
512 MB RAM;
650 MB disk space plus 50 MB for each downloaded practice exam
Also available from Cisco Press for Cisco CCNP Security study is the CCNP Security SECURE 642-637 Official Cert Guide Premium Edition eBook and Practice Test. This digital-only certification preparation product combines an eBook with an enhanced Pearson IT Certification Practice Test.
This integrated learning package:
Allows you to focus on individual topic areas or take complete, timed exams
Includes direct links from each question to detailed tutorials to help you understand the concepts behind the questions
Provides unique sets of exam-realistic practice questions
Tracks your performance and provides feedback on a module-by-module basis, laying out a complete assessment of your knowledge to help you focus your study where it is needed most
Introduction xxxiii
Part I Network Security Technologies Overview
Chapter 1 Network Security Fundamentals 3
“Do I Know This Already?” Quiz 3
Foundation Topics 7
Defining Network Security 7
Building Secure Networks 7
Cisco SAFE 9
SCF Basics 9
SAFE/SCF Architecture Principles 12
SAFE/SCF Network Foundation Protection (NFP) 14
SAFE/SCF Design Blueprints 14
SAFE Usage 15
Exam Preparation 17
Chapter 2 Network Security Threats 21
“Do I Know This Already?” Quiz 21
Foundation Topics 24
Vulnerabilities 24
Self-Imposed Network Vulnerabilities 24
Intruder Motivations 29
Lack of Understanding of Computers or Networks 30
Intruding for Curiosity 30
Intruding for Fun and Pride 30
Intruding for Revenge 30
Intruding for Profit 31
Intruding for Political Purposes 31
Types of Network Attacks 31
Reconnaissance Attacks 32
Access Attacks 33
DoS Attacks 35
Exam Preparation 36
Chapter 3 Network Foundation Protection (NFP) Overview 39
“Do I Know This Already?” Quiz 39
Foundation Topics 42
Overview of Device Functionality Planes 42
Control Plane 43
Data Plane 44
Management Plane 45
Identifying Network Foundation Protection Deployment Models 45
Identifying Network Foundation Protection Feature Availability 48
Cisco Catalyst Switches 48
Cisco Integrated Services Routers (ISR) 49
Cisco Supporting Management Components 50
Exam Preparation 53
Part II Cisco IOS Foundation Security Solutions
Chapter 4 Configuring and Implementing Switched Data Plane Security Solutions 57
“Do I Know This Already?” Quiz 57
Foundation Topics 60
Switched Data Plane Attack Types 60
VLAN Hopping Attacks 60
CAM Flooding Attacks 61
MAC Address Spoofing 63
Spanning Tree Protocol (STP) Spoofing Attacks 63
DHCP Starvation Attacks 66
DHCP Server Spoofing 67
ARP Spoofing 67
Switched Data Plane Security Technologies 67
Port Configuration 67
Port Security 71
Root Guard, BPDU Guard, and PortFast 74
DHCP Snooping 75
Dynamic ARP Inspection (DAI) 77
IP Source Guard 79
Private VLANs (PVLAN) 80
Exam Preparation 84
Chapter 5 802.1X and Cisco Identity-Based Networking Services (IBNS) 91
“Do I Know This Already?” Quiz 91
Foundation Topics 94
Identity-Based Networking Services (IBNS) and IEEE 802.1x Overview 94
IBNS and 802.1x Enhancements and Features 94
802.1x Components 96
802.1x Interworking 97
Extensible Authentication Protocol (EAP) 97
EAP over LAN (EAPOL) 98
EAP Message Exchange 99
Port States 100
Port Authentication Host Modes 101
EAP Type Selection 102
EAP—Message Digest Algorithm 5 102
Protected EAP w/MS-CHAPv2 102
Cisco Lightweight EAP 103
EAP—Transport Layer Security 104
EAP—Tunneled Transport Layer Security 104
EAP—Flexible Authentication via Secure Tunneling 105
Exam Preparation 106
Chapter 6 Implementing and Configuring Basic 802.1X 109
“Do I Know This Already?” Quiz 109
Foundation Topics 112
Plan Basic 802.1X Deployment on Cisco Catalyst IOS Software 112
Gathering Input Parameters 113
Deployment Tasks 113
Deployment Choices 114
General Deployment Guidelines 114
Configure and Verify Cisco Catalyst IOS Software 802.1X Authenticator 115
Configuration Choices 115
Configuration Scenario 115
Verify Basic 802.1X Functionality 121
Configure and Verify Cisco ACS for EAP-FAST 121
Configuration Choices 122
Configuration Scenario 122
Configure the Cisco Secure Services Client 802.1X Supplicant 128
Task 1: Create the CSSC Configuration Profile 128
Task 2: Create a Wired Network Profile 128
Tasks 3 and 4: (Optional) Tune 802.1X Timers and Authentication Mode 130
Task 5: Configure the Inner and Outer EAP Mode for the Connection 131
Task 6: Choose the Login Credentials to Be Used for Authentication 132
Task 7: Create the CSSC Installation Package 133
Network Login 134
Verify and Troubleshoot 802.1X Operations 134
Troubleshooting Flow 134
Successful Authentication 135
Verify Connection Status 135
Verify Authentication on AAA Server 135
Verify Guest/Restricted VLAN Assignment 135
802.1X Readiness Check 135
Unresponsive Supplicant 135
Failed Authentication: RADIUS Configuration Issues 135
Failed Authentication: Bad Credentials 135
Exam Preparation 136
Chapter 7 Implementing and Configuring Advanced 802.1X 139
“Do I Know This Already?” Quiz 139
Foundation Topics 143
Plan the Deployment of Cisco Advanced 802.1X Authentication Features 143
Gathering Input Parameters 143
Deployment Tasks 144
Deployment Choices 144
Configure and Verify EAP-TLS Authentication on Cisco IOS Components and Cisco Secure ACS 145
EAP-TLS with 802.1X Configuration Tasks 145
Configuration Scenario 146
Configuration Choices 146
Task 1: Configure RADIUS Server 147
Task 2: Install Identity and Certificate Authority Certificates on All Clients 147
Task 3: Configure an Identity Certificate on the Cisco Secure ACS Server 147
Task 4: Configure Support of EAP-TLS on the Cisco Secure ACS Server 149
Task 5: (Optional) Configure EAP-TLS Support Using the Microsoft Windows Native Supplicant 151
Task 6: (Optional) Configure EAP-TLS Support Using the Cisco Secure Services Client (CSSC) Supplicant 152
Implementation Guidelines 153
Feature Support 153
Verifying EAP-TLS Configuration 153
Deploying User and Machine Authentication 153
Configuring User and Machine Authentication Tasks 154
Configuration Scenario 154
Task 1: Install Identity and Certificate Authority Certificates on All