CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] - Text version
  • Corporate Internet Module in Small Networks


    The Corporate Internet module provides internal users connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity.

    Several key devices make up the Corporate Internet module. These devices are described in Table 13-2.

    Table 13-2. Corporate Internet Module Devices

    | Device | Description |
    |---|---|
    | Mail server | Acts as a relay between the Internet and the intranet mail servers and scans for mail-based attacks |
    | DNS server | Serves as the authoritative external DNS server and relays internal requests to the Internet |
    | Web/file server | Provides public information about the organization |
    | Firewall or Cisco IOS Firewall router | Provides network-level protection of resources, stateful filtering of traffic, and VPN termination for remote sites and users |
    | Layer 2 switch | Ensures that data from managed devices can only cross directly to the Cisco IOS Firewall and provides private VLAN support |

    As shown in Figure 13-2, either a Cisco IOS Firewall router or a PIX Firewall is used within the Corporate Internet module. The particular choice of hardware platform depends on the specific network requirements and any associated design criteria. Design considerations are discussed in subsequent sections of this chapter.

    Figure 13-2. Small Network Corporate Internet Module

    Mitigating Threats in the Corporate Internet Module


    The most likely point of attack within the Corporate Internet module is on the public services segment. Positioned on this segment are the publicly addressed servers. Table 13-3 shows the anticipated threats and mitigation actions expected on this segment.

    Table 13-3. Corporate Internet Module Threats and Threat Mitigation

    | Threat | Threat Mitigation |
    |---|---|
    | Application layer attacks | Mitigated through host-based IPSs on the public servers |
    | DoS | Limited through the use of CAR[*] at ISP edge and TCP setup controls at firewall |
    | IP spoofing | Mitigated through RFC 2827 and RFC 1918 filtering at ISP edge and local firewall |
    | Network reconnaissance | Mitigated through host-based IPS detecting reconnaissance and by the use of protocol filtering to limit visibility |
    | Packet sniffers | Mitigated through use of a switched infrastructure and host-based IPS to limit exposure |
    | Password attacks | Mitigated by limiting the services available to brute force; operating system and IDS can detect the threat |
    | Port redirection | Mitigated through restrictive filtering and host-based IPS to limit attack |
    | Trust exploitation | Mitigated through restrictive trust model and private VLANs to limit trust-based attacks |
    | Unauthorized access | Mitigated through filtering at the firewall |
    | Virus and Trojan-horse attacks | Mitigated through virus scanning at the host level |

    [*] CAR = committed access rate


    Figure 13-3 displays the threat-mitigation roles of each of the devices found within the Corporate Internet module.

    Figure 13-3. Small Network Corporate Internet Module Threat-Mitigation Roles


    Design Guidelines for the Corporate Internet Module


    The small network model represents a scaled-down, security-centric network design in which all the security and VPN functionality is found within a single device. As described earlier and shown in Figure 13-2, two options are available within this design model:

    • Cisco IOS router

    • Firewall


    The first option uses a Cisco IOS router with firewall and VPN functionality. This option provides the greatest flexibility within the small network design because the router is capable of supporting not only the firewall and VPN functionality but also the advanced features now offered to Cisco IOS routers, such as QoS and multiprotocol support.

    The second option available in the small network design is to use a dedicated firewall, but because most firewalls are Ethernet-only devices, deployment issues might arise if a WAN termination is required for the ISP circuit. If WAN connectivity is required, a router must be used in the design. However, using a dedicated firewall does have the advantage of easier configuration of security services, and a dedicated firewall can provide improved performance when performing firewall functions.

    Whichever option is finally chosen, stateful firewall inspection is used to examine traffic in all directions, to ensure that only legitimate traffic crosses the firewall.

    Filtering and Access Control

    Even before any traffic reaches the firewall, it is ideal to implement some form of security filtering on the perimeter traffic flow. Table 13-4 shows the filter parameters that can be applied to perimeter traffic flow.

    Table 13-4. Perimeter Traffic Flow Filtering

    | Filter Location | Flow | Filter Description | Mitigation |
    |---|---|---|---|
    | ISP router | Egress | ISP rate limits nonessential traffic that exceeds a predefined threshold | DDoS |
    | ISP router | Egress | RFC 1918 and RFC 2827 filtering | IP spoofing |
    | Router or firewall | Ingress | RFC 1918 and RFC 2827 filtering | IP spoofing; verifies ISP filtering |
    | Router or firewall | Ingress | VPN- and firewall-specific traffic | Unauthorized access |
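    The RFC 1918 and RFC 2827 rows of Table 13-4 are easiest to understand as two direction-specific checks: traffic arriving from the Internet must not carry a private source or the organization's own public prefix as its source, and traffic leaving toward the Internet must carry only the organization's own prefix as its source. The following Python model is an added example, not Cisco IOS or PIX configuration; the public block 203.0.113.0/24, the class and function names, and the sample packets (built from RFC 5737 documentation addresses) are all constructed for illustration.

```python
"""Model of the RFC 1918 / RFC 2827 anti-spoofing filters in Table 13-4.

Added illustration, not vendor configuration.  The prefix 203.0.113.0/24
stands in for the organization's public address block and every packet
below is constructed from documentation addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Tuple

# RFC 1918 private ranges: never a valid source arriving from the Internet
# and never a valid destination for traffic sent toward the Internet.
RFC1918 = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def make_packet(src: str, dst: str) -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(IPv4Address(src), IPv4Address(dst))


def in_any(addr: IPv4Address, nets: Iterable[IPv4Network]) -> bool:
    return any(addr in net for net in nets)


class PerimeterFilter:
    """Anti-spoofing checks for one organization's public address space.

    `inbound` is the Internet -> corporate flow that the ISP filters on its
    egress and the corporate router or firewall re-checks on ingress (the
    two RFC 1918/2827 rows of Table 13-4).  `outbound` is the corporate ->
    Internet flow: only our own prefixes may appear as a source leaving.
    """

    def __init__(self, public_prefixes: Iterable[str]) -> None:
        self.public = [IPv4Network(p) for p in public_prefixes]

    def inbound(self, pkt: Packet) -> Tuple[bool, str]:
        if in_any(pkt.src, RFC1918):
            return False, "drop: RFC 1918 source arriving from the Internet"
        if in_any(pkt.src, self.public):
            return False, "drop: our own prefix as source from the Internet"
        if not in_any(pkt.dst, self.public):
            return False, "drop: destination is not our address space"
        return True, "permit"

    def outbound(self, pkt: Packet) -> Tuple[bool, str]:
        if not in_any(pkt.src, self.public):
            return False, "drop: source is not our prefix (RFC 2827)"
        if in_any(pkt.dst, RFC1918):
            return False, "drop: RFC 1918 destination toward the Internet"
        return True, "permit"


def apply_filter(flt: PerimeterFilter, direction: str,
                 packets: Iterable[Packet]) -> List[bool]:
    """Return the permit/drop verdict for each packet in one direction."""
    check = flt.inbound if direction == "inbound" else flt.outbound
    return [check(p)[0] for p in packets]


if __name__ == "__main__":
    flt = PerimeterFilter(["203.0.113.0/24"])
    samples = [  # constructed packets
        ("inbound", make_packet("198.51.100.7", "203.0.113.10")),   # legitimate
        ("inbound", make_packet("10.1.1.1", "203.0.113.10")),       # RFC 1918 source
        ("inbound", make_packet("203.0.113.5", "203.0.113.10")),    # spoofed own prefix
        ("outbound", make_packet("203.0.113.10", "198.51.100.7")),  # legitimate
        ("outbound", make_packet("192.0.2.9", "198.51.100.7")),     # foreign source leaving
    ]
    for direction, pkt in samples:
        ok, why = getattr(flt, direction)(pkt)
        print(f"{direction:8} {pkt.src} -> {pkt.dst}: {why}")
```

    The corporate-side ingress check deliberately repeats what the ISP should already have done; the table's "verifies ISP filtering" entry is exactly this redundancy, so a lapse at the provider does not silently open the perimeter.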

    The stateful firewall also provides connection-state enforcement and detailed filtering for sessions initiated through the firewall. Additionally, the advanced features within the software protect against TCP synchronization (TCP SYN) attacks on the publicly facing servers by controlling the limits on half-open sessions that are transiting the firewall.

    With reference to the public services segment, the filtering of traffic should control not only the flow of traffic destined to specific addresses and ports on the public services segment but also the flow of traffic from the segment. This additional level of filtering prevents an attacker who may have compromised one of the public servers from using that server as a platform to launch further attacks on the network.

    For example, if an intruder has managed to circumvent the firewall and host-based IPS security features on a public-facing DNS server, that server should be permitted only to reply to requests, not to originate requests. This prevents an intruder from using this compromised platform to launch additional attacks.
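    The three preceding paragraphs describe one stateful policy for the public services segment: published services accept new sessions from the Internet up to a half-open (embryonic) limit, and a server on the segment may answer sessions the firewall already knows about but may never originate one. The following Python model is an added example of that policy for TCP, not PIX or Cisco IOS Firewall code; the server address 203.0.113.10, the ports, the class names and the sample segments are constructed, and the same reply-only principle applies to the UDP DNS case in the text.

```python
"""Stateful model of the public-services (DMZ) segment policy: new TCP
sessions are accepted only for published services and only while the
per-service half-open count is under a cap; servers may reply to known
sessions but never originate connections.

Added illustration, not vendor firewall code.  Addresses and ports are
constructed from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Set, Tuple

Key = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment summary; flags is a string such as "S", "SA", "A"."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class PublicServicesFirewall:
    def __init__(self, published: Set[Tuple[str, int]], max_half_open: int) -> None:
        self.published = published          # (server ip, port) reachable from outside
        self.max_half_open = max_half_open  # per-service embryonic session cap
        self.half_open: Set[Key] = set()    # SYN seen, handshake not complete
        self.established: Set[Key] = set()  # three-way handshake completed

    def half_open_count(self, server: str, port: int) -> int:
        return sum(1 for k in self.half_open if k[2] == server and k[3] == port)

    def inbound(self, seg: Segment) -> Tuple[bool, str]:
        """Internet -> public services segment."""
        key: Key = (seg.src, seg.sport, seg.dst, seg.dport)
        is_syn = "S" in seg.flags and "A" not in seg.flags
        if is_syn:
            if (seg.dst, seg.dport) not in self.published:
                return False, "drop: not a published service"
            if self.half_open_count(seg.dst, seg.dport) >= self.max_half_open:
                return False, "drop: embryonic connection limit reached"
            self.half_open.add(key)
            return True, "permit: new session"
        if key in self.established:
            return True, "permit: established session"
        if key in self.half_open and "A" in seg.flags:
            # Client's final ACK completes the handshake.
            self.half_open.discard(key)
            self.established.add(key)
            return True, "permit: handshake complete"
        return False, "drop: no matching session"

    def outbound(self, seg: Segment) -> Tuple[bool, str]:
        """Public services segment -> Internet: replies only."""
        reverse: Key = (seg.dst, seg.dport, seg.src, seg.sport)
        if reverse in self.half_open and "S" in seg.flags and "A" in seg.flags:
            return True, "permit: SYN-ACK reply"
        if reverse in self.established:
            return True, "permit: reply on established session"
        return False, "drop: server may not originate or answer unknown sessions"


if __name__ == "__main__":
    fw = PublicServicesFirewall({("203.0.113.10", 80)}, max_half_open=2)
    events = [  # constructed: a full handshake, then a server trying to originate
        ("inbound", Segment("198.51.100.1", 40000, "203.0.113.10", 80, "S")),
        ("outbound", Segment("203.0.113.10", 80, "198.51.100.1", 40000, "SA")),
        ("inbound", Segment("198.51.100.1", 40000, "203.0.113.10", 80, "A")),
        ("outbound", Segment("203.0.113.10", 45000, "198.51.100.9", 25, "S")),
    ]
    for direction, seg in events:
        ok, why = getattr(fw, direction)(seg)
        print(f"{direction:8} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} [{seg.flags}]: {why}")
```

    The half-open cap is what the text calls controlling the limits on half-open sessions: once a service has `max_half_open` handshakes outstanding, further SYNs to it are dropped at the firewall rather than consuming server state, while completed sessions no longer count against the limit.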

    Finally, the use of private VLANs on the demilitarized zone (DMZ) switch prevents a compromised server from being used to attack other servers on the same segment. The implementation of private VLANs is especially important because this type of vulnerability is not detectable by the firewall.

    Intrusion Detection

    Every server on the public services segment should be configured with host-based IPS software, which allows for the monitoring of rogue activity at the operating system level. Host-based IPS can also be configured to monitor certain common server applications. Additionally, all public service applications, such as the web, mail, and DNS services, should be hardened as much as possible so that unnecessary responses cannot be used to assist an intruder in network reconnaissance.

    The advanced software features found in Cisco PIX Firewalls and Cisco IOS Firewall routers provide some limited NIDS functionality. They can normally drop many types of attacks without the use of an IDS management station, but obviously dropped events are not reported. However, because these devices are not specifically designed for intrusion detection, it is possible that a degradation in performance of the device might occur. If performance degradation does occur, the drop in performance is normally acceptable when compared to the benefits gained from an increase in attack visibility.

    VPN Connectivity

    The firewall or Cisco IOS Firewall router provides VPN connectivity for the small network design. Authentication of remote sites and remote users can be accomplished by using preshared keys or the use of an access control server located in the Campus module.

    Design Alternatives for the Corporate Internet Module


    The usual deviations from these design guidelines are the breaking out of the functional components in the network from a single device to individual, specific devices, or an increase in network capacity. When these functions are broken out, the design begins to take on the look of the medium-sized network design, which is discussed in Chapter 16, "Implementing Medium-Sized SAFE Networks." Before you decide that you have to adopt the complete design for a medium-sized network, however, it may be worth considering the placement of a Cisco VPN 3000 Series Concentrator or router on the DMZ to offload processing of VPN traffic. The addition of this device also increases the manageability of VPN connectivity.