CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources] - نسخه متنی

Tebyan

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

  • Copyright

    About the Author

    About the Technical Reviewers

    Acknowledgments

    Icons Used in This Book

    Command Syntax Conventions

    Features of This Book

    Foreword

    Introduction: All About the Cisco Certified Security Professional Certification

    Exams Required for Certification

    Other Certifications

    CSI Exam Blueprint

    Recommended Training for CCSP

    This Book's Audience

    How to Use This Book to Pass the Exam

    Are Prerequisites Required to Pass the Exam?

    "I've Completed All Prerequisites for the CCSP Except Taking CSI 1.0Now What?"

    "I Have Not Taken All the PrerequisitesWill This Book Still Help Me to Pass?"

    Exam Registration

    Book Content Updates

    Part I. Cisco SAFE Overview

    Chapter 1. What Is SAFE?

    SAFE: A Security Blueprint for Enterprise Networks

    SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

    SAFE VPN: IPSec Virtual Private Networks in Depth

    SAFE: Wireless LAN Security in DepthVersion 2

    SAFE: IP Telephony Security in Depth

    Additional SAFE White Papers

    Looking Toward the Future

    Chapter 2. SAFE Design Fundamentals

    "Do I Know This Already?" Quiz

    Foundation Topics

    SAFE Design Philosophy

    Security Threats

    Foundation Summary

    Q&A

    Chapter 3. SAFE Design Concepts

    "Do I Know This Already?" Quiz

    Foundation Topics

    SAFE Architecture Overview

    Examining SAFE Design Fundamentals

    Understanding SAFE Axioms

    Foundation Summary

    Q&A

    Chapter 4. Understanding SAFE SMR Network Modules

    "Do I Know This Already?" Quiz

    Foundation Topics

    SAFE Modules Overview

    Understanding the Campus Module

    Understanding the Corporate Internet Module

    Understanding the WAN Module

    Foundation Summary

    Q&A

    Part II. Understanding Security Risks and Mitigation Techniques

    Chapter 5. Defining a Security Policy

    "Do I Know This Already?" Quiz

    Foundation Topics

    The Need for Network Security

    Security Policy Characteristics, Goals, and Components

    The Security Wheel

    Foundation Summary

    Q&A

    References

    Chapter 6. Classifying Rudimentary Network Attacks

    "Do I Know This Already?" Quiz

    Foundation Topics

    Reconnaissance Attacks

    Denial of Service Attacks

    Unauthorized Access Attacks

    Application Layer Attacks

    Trust Exploitation Attacks

    Foundation Summary

    Q&A

    Chapter 7. Classifying Sophisticated Network Attacks

    "Do I Know This Already?" Quiz

    Foundation Topics

    IP Spoofing

    Packet Sniffers

    Password Attacks

    Man-In-The-Middle Attacks

    Port Redirection

    Virus and Trojan-Horse Applications

    Foundation Summary

    Q&A

    Chapter 8. Mitigating Rudimentary Network Attacks

    "Do I Know This Already?" Quiz

    Foundation Topics

    Mitigating Reconnaissance Attacks

    Mitigating Denial of Service Attacks

    Protecting Against Unauthorized Access

    Mitigating Application Layer Attacks

    Guarding Against Trust Exploitation

    Foundation Summary

    Q&A

    Chapter 9. Mitigating Sophisticated Network Attacks

    "Do I Know This Already?" Quiz

    Foundation Topics

    Mitigating IP Spoofing Attacks

    Guarding Against Packet Sniffers

    Mitigating Password Attacks

    Mitigating Man-In-The-Middle Attacks

    Mitigating Port Redirection Attacks

    Guarding Against Virus and Trojan-Horse Applications

    Foundation Summary

    Q&A

    Chapter 10. Network Management

    "Do I Know This Already?" Quiz

    Foundation Topics

    Network Management Overview

    Network Management Protocols

    Foundation Summary

    Q&A

    Part III. Cisco Security Portfolio

    Chapter 11. Cisco Perimeter Security Products

    "Do I Know This Already?" Quiz

    Foundation Topics

    Perimeter Security

    Cisco Secure Intrusion Detection System

    Host-Based IPS and the Cisco Security Agent

    Selecting the Right Product

    Foundation Summary

    Q&A

    Chapter 12. Cisco Network Core Security Products

    "Do I Know This Already?" Quiz

    Foundation Topics

    Secure Connectivity

    Identity ManagementCisco Secure Access Control Server

    Security Management

    Cisco AVVID

    Design Considerations

    Foundation Summary

    Q&A

    Part IV. Designing and Implementing SAFE Networks

    Chapter 13. Designing Small SAFE Networks

    "Do I Know This Already?" Quiz

    Foundation Topics

    Components of SAFE Small Network Design

    Corporate Internet Module in Small Networks

    Campus Module in Small Networks

    Branch Versus Headend/Standalone Considerations for Small Networks

    Foundation Summary

    Q&A

    Reference

    Chapter 14. Implementing Small SAFE Networks

    "Do I Know This Already?" Quiz

    Foundation Topics

    General Implementation Recommendations

    Using the ISP Router in Small Networks

    Using the Cisco IOS Firewall Router in Small Networks

    Using the PIX Firewall in Small Networks

    Alternative Implementations

    Foundation Summary

    Q&A

    Chapter 15. Designing Medium-Sized SAFE Networks

    "Do I Know This Already?" Quiz

    Foundation Topics

    Components of SAFE Medium-Sized Network Design

    Corporate Internet Module in Medium-Sized Networks

    Campus Module in Medium-Sized Networks

    WAN Module in Medium-Sized Networks

    Branch Versus Headend/Standalone Considerations for Medium-Sized Networks

    Foundation Summary

    Q&A

    Reference

    Chapter 16. Implementing Medium-Sized SAFE Networks

    "Do I Know This Already?" Quiz

    Foundation Topics

    General Implementation Recommendations

    Using the ISP Router in Medium-Sized Networks

    Using the Edge Router in Medium-Sized Networks

    Using the Cisco IOS Firewall Router in Medium-Sized Networks

    Using the PIX Firewall in Medium-Sized Networks

    Network Intrusion Detection System Overview

    Host-Based IPS Overview

    VPN 3000 Series Concentrator Overview

    Configuring the Layer 3 Switch

    Foundation Summary

    Q&A

    Chapter 17. Designing Remote SAFE Networks

    "Do I Know This Already?" Quiz

    Foundation Topics

    Configuration Options for Remote-User Network Design

    Key Devices for Remote-User Networks

    Mitigating Threats in Remote-User Networks

    Design Guidelines for Remote-User Networks

    Foundation Summary

    Q&A

    Reference

    Chapter 18. Designing Enterprise SAFE Networks

    "Do I Know This Already?" Quiz

    Foundation Topics

    Components of SAFE Enterprise Network Design

    The Enterprise Campus Layer

    The Enterprise Edge Layer

    Foundation Summary

    Q&A

    Chapter 19. SAFE IP Telephony Design

    "Do I Know This Already?" Quiz

    Foundation Topics

    Examining SAFE IP Telephony Design Fundamentals

    Understanding SAFE IP Telephony Axioms

    Understanding SAFE IP Telephony Network Designs

    Foundation Summary

    Q&A

    Chapter 20. SAFE Wireless LAN Design

    "Do I Know This Already?" Quiz

    Foundation Topics

    Basic Wireless Concepts

    Cisco WLAN Portfolio

    SAFE WLAN Axioms

    WLAN Design Approach

    Large-Enterprise WLAN Design

    Medium WLAN Design

    Small WLAN Design

    Remote WLAN Design

    Foundation Summary

    Q&A

    References

    Part V. Scenarios

    Chapter 21. Scenarios for Final Preparation

    Scenario 21-1

    Scenario 21-2

    Scenario 21-3

    Scenario 21-4

    Scenario 21-5

    Scenario 21-6

    Scenario 21-7

    Scenario 21-8

    Scenario 21-9

    Scenario 21-10

    Answers to Scenario 21-1

    Answers to Scenario 21-2

    Answers to Scenario 21-3

    Answers to Scenario 21-4

    Answers to Scenario 21-6

    Answers to Scenario 21-7

    Answers to Scenario 21-8

    Answers to Scenario 21-8

    Answers to Scenario 21-9

    Answers to Scenario 21-10

    Part VI. Appendixes

    Appendix A. Answers to the "Do I Know This Already?" Quizzes and Q&A Sections

    Chapter 2

    Chapter 3

    Chapter 4

    Chapter 5

    Chapter 6

    Chapter 7

    Chapter 8

    Chapter 9

    Chapter 10

    Chapter 11

    Chapter 12

    Chapter 13

    Chapter 14

    Chapter 15

    Chapter 16

    Chapter 17

    Chapter 18

    Chapter 19

    Q&A

    Chapter 20

    Appendix B. General Configuration Guidelines for Cisco Router and Switch Security

    Routers

    CatOS Switches

    GLOSSARY

    Index

    •
    توضیحات
    افزودن یادداشت جدید











  • The Enterprise Campus Layer


    The enterprise campus is the heart of the overall blueprint and is shown in Figure 18-3. The Enterprise Campus module contains the following components:

    • Management module

    • Building module

    • Building Distribution module

    • Core module

    • Server module

    • Edge Distribution module


    Figure 18-3. SAFE Enterprise Campus

    [View full size image]

    Each of these modules, in turn, provides specific functionality and security within the overall SAFE Enterprise blueprint and is discussed in greater detail in the following sections.

    The Management Module


    As its name implies, the Management module is designed to provide secure management of all devices and hosts within the larger blueprint design. All logging and reporting information flow from the devices in the other modules to the management hosts, while software updates, configurations, and other similar content flow to these devices from the management hosts.

    The enterprise Management module has two network segments. These segments are separated by a Cisco IOS firewall that acts as both a firewall and a VPN termination point. The segment outside the firewall connects to all the devices that require management. Inside the firewall are the management hosts. Each host runs a copy of host intrusion prevention software to protect the host against attack from the network and from malicious activity that may possibly be done by a user on the host locally. In addition to the management hosts, this segment contains the Cisco IOS routers that are functioning in the role of terminal servers for access to other network device console ports. The external interface of the firewall provides for limited Internet access and for access to secure, in-band management traffic and select IPSec-protected traffic from various hosts.

    The management network utilizes an out-of-band network for secure access to devices. By using such a network, the administrator is assured of a secure connection to network devices and servers. Additionally, for systems that cannot be accessed through the use of the out-of-band network, management connections are established using encrypted, secure connections such as IPSec, SSH, or SSL.

    Because the Management module provides administrative access to nearly all other hosts within the network, it is an attractive target for an attacker. In addition to access to other hosts, this module contains configuration information and software loads that may be of interest to an attacker. To mitigate threats to this module, configure access control on the router/firewall that provides in-band connectivity to the rest of the network. Host intrusion prevention systems are deployed on all hosts in this module, along with a network intrusion detection system (IDS). Logging is carefully monitored and analyzed to identify incoming attacks.

    Mitigating Threats in the Management Module

    Table 18-2 shows the expected threats and mitigation techniques for the Management module.

    Table 18-2. Mitigating Threats in the Management Module

    Threat

    Threat Mitigation

    Unauthorized access

    Filtering at the firewall controls traffic in both directions.

    Man-in-the-middle attacks

    Traffic isolation in an out-of-band network (or secured through the use of IPSec) mitigates man-in-the-middle attacks.

    Network reconnaissance

    Management traffic is isolated to the out-of-band network or secured through encryption, reducing the risk of information being gathered through interception.

    Password attacks

    The access-control server allows for strong two-factor authentication across the network.

    IP spoofing

    The firewall prevents IP spoofing in either direction.

    Packet sniffers

    The switched infrastructure limits the risks of sniffing.

    Trust exploitation

    Private VLANs prevent compromised devices from masquerading as management hosts.

    Design Guidelines for the Management Module

    Table 18-3 describes the devices in the Management module and the role each device plays.

    Table 18-3. Key Devices in Management Module

    Key Device

    Functions

    Cisco IOS router/firewall

    Provides encrypted network access to the end devices. Also filters traffic inbound to the Management module.

    One-time password (OTP) Server

    Authorizes OTP information relayed from the access-control server.

    Access-control server

    Provides one-time, two-factor authentication services to the network devices.

    Syslog hosts

    Aggregate log information for the firewall and the NIDS devices.

    Management host(s)

    Provides for configuration, software, and content changes on network devices, along with IPS on other network-management hosts.

    NIDS Director

    Provides alarm aggregation and analysis for all NIDS appliances throughout the Campus and Corporate Internet modules.

    Layer 2 switches

    Include support for private VLANs.

    NIDS appliance

    Provides deep packet inspection of traffic within the module.

    Terminal server

    Provides access to the console port of other network devices.

    Network-monitoring host

    Provides SNMP management and monitoring of network devices.

    The next sections describe the most common key devices in more detail.

    Cisco IOS Router/Firewall

    The primary role of the Cisco IOS router/firewall in the Management module is to filter traffic from the rest of the enterprise blueprint modules. The Cisco IOS router/firewall allows for syslog information back to the syslog management hosts, and Telnet, SNMP, and SSH if these protocols are initiated from the inside of the Management module.

    Layer 2 Switches

    Layer 2 switches provide end-user systems within the Management module. Private VLANs are implemented on these switches to help reduce the risk of trust-exploitation attacks.

    NIDS Appliance

    Intrusion detection within the Management module is provided by a single NIDS appliance. Both the management and monitoring interfaces of the NIDS appliance are attached to the Layer 2 switch directly behind the router/firewall protecting the management hosts. This enables the NIDS appliance to monitor the traffic coming into and going out of the Management module. The monitoring port is configured to mirror all network traffic from all VLANs that require monitoring. This appliance provides detection and analysis of attacks that originate from within the Campus module and for external attacks that get past the firewall. These attacks could result from the compromise of a workstation with an unauthorized dial-in modem, attacks from disgruntled employees or viruses and worms, or attacks from an internal workstation that has been compromised by an outside user.

    Terminal Server

    The terminal servers are Cisco IOS routers that use reverse Telnet to provide access to the console of other network devices throughout the blueprint. This provides for secure, out-of-band communication with routers, firewalls, switches, and other network devices in the design. Additionally, access to the console port provides for access to the ROM monitor mode of these devices, in case a problem arises that requires "near-physical" access.

    Management Hosts

    The network intrusion detection appliances and the host IDS installed on the corporate servers are managed through the IDS management host listed in Table 4-1. This host provides for alarm aggregation and analysis for all IDS devices throughout the Campus module and the Corporate Internet module.

    Other management hosts in the enterprise Management module include the following:

    • A syslog host for the aggregation of firewall, router, and network IDS logs.

    • Alarm aggregation and NIDs configuration, provided by the IDS Director. Additionally, this host provides for configuration and monitoring of host-based IPS deployed throughout the blueprint.

    • An access-control server for authentication services to network devices such as network access servers.

    • OTP server for authorization of one-time password authentication relayed from the access-control server.

    • A sysadmin host for configuration, software, and content changes on network devices.

    • The capture of SNMP traps and the monitoring of the health of network devices throughout the blueprint, provided by the SNMP management and monitoring host.


    Design Alternative for the Management Module

    Where complete out-of-band management is not possible, in-band management is required. WHEN in-band management is the only solution, it is necessary to use IPSec, SSH, SSL, or any other encrypted and authenticated transport. In these cases, additional security measures should be carried out on the end devices and through the use of passwords, strong community strings, cryptographic keys, and access lists to control communications to the management services. As an alternative to the Cisco IOS router/firewall at the edge of the Management module, you can use a dedicated firewall.

    Building Module


    The Building module is defined as the portion of the network blueprint that contains the end-user systems; telephones, printers, and other network connected devices; and the Layer 2 access devices associated with those network-connected devices. The primary goal of the Building module is to provide end users with access to services.

    Mitigating Threats in the Building Module

    Table 18-4 shows the expected threats and mitigation techniques for the Building module.

    Table 18-4. Mitigating Threats in the Building Module

    Threat

    Threat Mitigation

    Packet sniffers

    The switched infrastructure limits the risks of sniffing.

    Virus and Trojan horse applications

    Host-based virus scanning and the implementation of host-based IPS mitigate most viruses and Trojan horse applications.

    Design Guidelines for the Building Module

    End-user systems represent the largest percentage of network-connected devices in any given network, and applying a consistent network security policy on these devices is a daunting challenge. These devices typically are connected to Layer 2 access switches, which have little, if any, capability of Layer 3 access control. These Layer 2 switches should meet the security guidelines outlined in the switch security axiom discussed in Chapter 3, "SAFE Design Concepts." In addition, the end-user systems should have, at the minimum, host-based antivirus-scanning software deployed and, if necessary, a host-based IPS.

    Table 18-5 describes Building module devices and the role each device plays.

    Table 18-5. Key Devices in Building Module

    Key Device

    Functions

    Layer 2 switches

    Provide for Layer 2 connectivity to end-user systems and IP telephones.

    IP phones

    Provide IP telephony services to end users.

    User workstations

    Provide data services to users.

    Building Distribution Module


    The Building Distribution module provides distribution services to the switches in the Building module. These services include but are not limited to packet routing, quality of service (QoS), and access control. The switches in this module should conform to the security guidelines described in the "Switches Are Targets" section of Chapter 3. This module provides the first line of defense against internally originated attacks.

    Mitigating Threats in the Building Distribution Module

    Table 18-6 shows the expected threats and mitigation techniques for the Building Distribution module.

    Table 18-6. Mitigating Threats in the Building Distribution Module

    Threat

    Threat Mitigation

    Unauthorized access

    Layer 3 filtering of specific subnets limits the attacks against Server module resources.

    IP spoofing

    Spoofing attempts are prevented through the implementation of RFC 2827 filtering.

    Packet sniffers

    The switched infrastructure limits the risks of sniffing.

    Design Guidelines for the Building Distribution Module

    The switches are chosen so that they provide wire rate filtering of traffic for access control and the use of Layer 3 switching. This access control can prevent unwanted access to sensitive data by unauthorized individuals and can provide antispoofing capabilities within the network infrastructure. Additionally, the Building Distribution module provides for isolation of VoIP traffic by defining dedicated voice VLANs that route voice traffic to the CallManager. This prevents sniffing of voice communications and provides effective application of appropriate QoS to ensure smooth voice communication.

    The key device in the Building Distribution module is the Layer 3 switch. Layer 3 switches provide for Layer 2 switch aggregation before the core, and also services such as filtering, routing QoS, CAR, and VLAN definition.

    Design Alternatives for the Building Distribution Module Designs

    The Building Distribution module can be combined with the Core module described in the next section to produce a "collapsed core" design. This can be done based on the overall size of the network being considered.

    Core Module


    The primary purpose of the Core module is to route and switch traffic as quickly as possible from one network to another. No traffic filtering is done within this module. To protect the switches, follow the guidelines described in the "Switches Are Targets" section of Chapter 3. There are no alternative designs to the Core module in the SAFE blueprint.

    The key device in the Core module is the Layer 3 switch, which routes and switches traffic from one network module to another. The primary threat in the Core module is the possibility of packet sniffing. However, this threat is mitigated through the use of a switched infrastructure.

    Server Module


    The Server module provides application services to end users and other systems within the blueprint. Because of the nature of the Server module responsibilities, it often gets overlooked in terms of security. However, the servers within this module represent some of the most valuable targets to an attacker.

    Mitigating Threats in the Server Module

    Table 18-7 shows the expected threats and mitigation techniques for the Server module.

    Table 18-7. Threats Mitigated in Server Module

    Threat

    Threat Mitigation

    Unauthorized access

    This is mitigated through the use of access-control measures and host-based IPS.

    Application layer attacks

    This is mitigated by keeping up-to-date with the latest security patches for each operating system, application, and device, and by using host-based IPS.

    IP spoofing

    Spoofing attempts are prevented by implementing RFC 2827 filtering.

    Packet sniffers

    The switched infrastructure limits the risks of sniffing.

    Trust exploitation

    Use explicit trust arrangements and private VLANs to prevent hosts on the same subnet from communicating unless this is necessary.

    Port redirection

    Host-based IPS prevents installation port redirection software agents.

    Design Guidelines for the Server Module

    The systems within this module might have access to multiple VLANs and might contain valuable information such as account names and passwords. Access control to this module might not be as granular in other modules because the nature of some of the applications found here. Because of this, NIDS, host-based IPS, private VLANs, and good system administration practices should be used in conjunction with access control. The NIDS should focus on attack-sensitive traffic, including but not limited to SMTP, Telnet, FTP, and WWW. The primary benefit of using an integrated NIDS inside the module switching fabric is the capability to see traffic across all VLANs within the module.

    Table 18-8 outlines the key devices used in the Server module and the functions of each.

    Table 18-8. Key Devices in Server Module

    Key Device

    Functions

    Layer 3 switches

    Provide Layer 3 services such as filters, QoS, VLANs, and private VLANs to the servers. Also provide for traffic inspection through the use of integrated NIDS.

    CallManager

    Provides IP telephony services and call routing.

    Corporate and departmental servers

    Provide services such as SMTP, WWW, POP, file and print services, and DNS to corporate users.

    Design Alternatives for the Server Module

    You can collapse the Server module into the Core module, if necessary. Additionally, you can install more than one IDS blade in the module switches to help scale the IDS traffic inspection. Finally, if necessary, you can isolate servers within the module through the use of a stateful firewall.

    Edge Distribution Module


    The Edge Distribution module aggregates connectivity from the various modules in the enterprise edge layer and routes this traffic into the core. Additionally, this module provides for filtering capabilities of this traffic. The module that is closest in function to the Edge Distribution module is the Building Distribution module, discussed earlier.

    Mitigating Threats in the Edge Distribution Module

    Table 18-9 shows the expected threats and mitigation techniques for the Edge Distribution module.

    Table 18-9. Threats Mitigated in the Edge Distribution Module

    Threat

    Threat Mitigation

    Unauthorized access

    Control over which subnets can reach areas within the campus is achieved through traffic filtering.

    IP spoofing

    Locally initiated spoofing attacks are limited by RFC 2827.

    Network reconnaissance

    Traffic filters limit nonessential traffic from entering the campus.

    Packet sniffers

    The switched infrastructure limits the risks of sniffing.

    Design Guidelines for the Edge Distribution Module

    Layer 3 switches in the Edge Distribution module provide for traffic aggregation before the enterprise edge layer and also advanced services. Layer 3 switching for high performance, along with access control for filtering traffic, provides for a last line of defense against attacks aimed at the Campus module from the enterprise edge. Some attacks mitigated here include IP spoofing and route injection.

    Design Alternative for the Edge Distribution Module

    As with the Server and Building Distribution modules, you can collapse the Edge Distribution module into the Core module, if necessary. You can place NIDS in this module (as was done in the Server module), if desired, by using line cards in the switches.


    • / 290