Introduction xxi Assessment Test xxxi Chapter 1 Understanding Security Fundamentals 1 Goals of Security 2 Confidentiality 2 Integrity 3 Availability 3 Guiding Principles 3 Common Security Terms 6 Risk Management Process 7 Network Topologies 15 CAN 15 WAN 16 Data Center 16 SOHO 17 Virtual 17 Common Network Security Zones 17 DMZ 17 Intranet and Extranet 18 Public and Private 18 VLAN 18 Summary 19 Exam Essentials 19 Review Questions 20 Chapter 2 Understanding Security Threats 25 Common Network Attacks 26 Motivations 26 Classifying Attack Vectors 27 Spoofing 28 Password Attacks 29 Reconnaissance Attacks 30 Buffer Overflow 34 DoS 34 DDoS 36 Man-in-the-Middle Attack 37 ARP Poisoning 37 Social Engineering 38 Phishing/Pharming 38 Prevention 38 Malware 39 Data Loss and Exfiltration 39 Summary 40 Exam Essentials 40 Review Questions 42 Chapter 3 Understanding Cryptography 45 Symmetric and Asymmetric Encryption 46 Ciphers 46 Algorithms 48 Hashing Algorithms 53 MD5 54 SHA-1 54 SHA-2 54 HMAC 55 Digital Signatures 55 Key Exchange 57 Application: SSH 57 Public Key Infrastructure 57 Public and Private Keys 58 Certificates 60 Certificate Authorities 61 PKI Standards 63 PKI Topologies 64 Certificates in the ASA 65 Cryptanalysis 67 Summary 68 Exam Essentials 68 Review Questions 69 Chapter 4 Securing the Routing Process 73 Securing Router Access 74 Configuring SSH Access 74 Configuring Privilege Levels in IOS 76 Configuring IOS Role-Based CLI 77 Implementing Cisco IOS Resilient Configuration 79 Implementing OSPF Routing Update Authentication 80 Implementing OSPF Routing Update Authentication 80 Implementing EIGRP Routing Update Authentication 82 Securing the Control Plane 82 Control Plane Policing 83 Summary 84 Exam Essentials 85 Review Questions 86 Chapter 5 Understanding Layer 2 Attacks 91 Understanding STP Attacks 92 Understanding ARP Attacks 93 Understanding MAC Attacks 95 Understanding CAM Overflows 96 Understanding CDP/LLDP Reconnaissance 97 Understanding VLAN Hopping 98 Switch Spoofing 98 Double Tagging 99 Understanding DHCP Spoofing 99 Summary 101 Exam Essentials 101 Review Questions 102 Chapter 6 Preventing Layer 2 Attacks 107 Configuring DHCP Snooping 108 Configuring Dynamic ARP Inspection 110 Configuring Port Security 112 Configuring STP Security Features 114 BPDU Guard 114 Root Guard 115 Loop Guard 115 Disabling DTP 116 Verifying Mitigations 116 DHCP Snooping 116 DAI 117 Port Security 118 STP Features 118 DTP 120 Summary 120 Exam Essentials 121 Review Questions 122 Chapter 7 VLAN Security 127 Native VLANs 128 Mitigation 128 PVLANs 128 PVLAN Edge 131 PVLAN Proxy Attack 132 ACLs on Switches 133 Port ACLs 133 VLAN ACLs 133 Summary 134 Exam Essentials 134 Review Questions 136 Chapter 8 Securing Management Traffic 141 In-Band and Out-of-Band Management 142 AUX Port 142 VTY Ports 143 HTTPS Connection 144 SNMP 144 Console Port 145 Securing Network Management 146 SSH 146 HTTPS 146 ACLs 146 Banner Messages 147 Securing Access through SNMP v3 149 Securing NTP 150 Using SCP for File Transfer 151 Summary 151 Exam Essentials 152 Review Questions 153 Chapter 9 Understanding 802.1x and AAA 157 802.1x Components 158 RADIUS and TACACS+ Technologies 159 Configuring Administrative Access with TACACS+ 160 Local AAA Authentication and Accounting 160 SSH Using AAA 161 Understanding Authentication and Authorization Using ACS and ISE 161 Understanding the Integration of Active Directory with AAA 162 TACACS+ on IOS 162 Verify Router Connectivity to TACACS+ 164 Summary 164 Exam Essentials 165 Review Questions 166 Chapter 10 Securing a BYOD Initiative 171 The BYOD Architecture Framework 172 Cisco ISE 172 Cisco TrustSec 174 The Function of Mobile Device Management 177 Integration with ISE Authorization Policies 177 Summary 178 Exam Essentials 179 Review Questions 180 Chapter 11 Understanding VPNs 185 Understanding IPsec 186 Security Services 186 Protocols 189 Delivery Modes 192 IPsec with IPV6 194 Understanding Advanced VPN Concepts 195 Hairpinning 195 Split Tunneling 196 Always-on VPN 197 NAT Traversal 198 Summary 199 Exam Essentials 199 Review Questions 200 Chapter 12 Configuring VPNs 203 Configuring Remote Access VPNs 204 Basic Clientless SSL VPN Using ASDM 204 Verify a Clientless Connection 207 Basic AnyConnect SSL VPN Using ASDM 207 Verify an AnyConnect Connection 209 Endpoint Posture Assessment 209 Configuring Site-to-Site VPNs 209 Implement an IPsec Site-to-Site VPN with Preshared Key Authentication 209 Verify an IPsec Site-to-Site VPN 212 Summary 212 Exam Essentials 213 Review Questions 214 Chapter 13 Understanding Firewalls 219 Understanding Firewall Technologies 220 Packet Filtering 220 Proxy Firewalls 220 Application Firewall 221 Personal Firewall 221 Stateful vs. Stateless Firewalls 222 Operations 222 State Table 223 Summary 224 Exam Essentials 224 Review Questions 225 Chapter 14 Configuring NAT and Zone-Based Firewalls 229 Implementing NAT on ASA 9.x 230 Static 231 Dynamic 232 PAT 233 Policy NAT 233 Verifying NAT Operations 235 Configuring Zone-Based Firewalls 236 Class Maps 237 Default Policies 237 Configuring Zone-to-Zone Access 239 Summary 240 Exam Essentials 240 Review Questions 241 Chapter 15 Configuring the Firewall on an ASA 245 Understanding Firewall Services 246 Understanding Modes of Deployment 247 Routed Firewall 247 Transparent Firewall 247 Understanding Methods of Implementing High Availability 247 Active/Standby Failover 248 Active/Active Failover 248 Clustering 249 Understanding Security Contexts 249 Configuring ASA Management Access 250 Initial Configuration 250 Configuring Cisco ASA Interface Security Levels 251 Security Levels 251 Configuring Security Access Policies 253 Interface Access Rules 253 Object Groups 254 Configuring Default Cisco Modular Policy Framework (MPF) 256 Summary 257 Exam Essentials 257 Review Questions 259 Chapter 16 Intrusion Prevention 263 IPS Terminology 264 Threat 264 Risk 264 Vulnerability 265 Exploit 265 Zero-Day Threat 265 Actions 265 Network-Based IPS vs. Host-Based IPS 266 Host-Based IPS 266 Network-Based IPS 266 Promiscuous Mode 266 Detection Methods 267 Evasion Techniques 267 Packet Fragmentation 267 Injection Attacks 270 Alternate String Expressions 271 Introducing Cisco FireSIGHT 271 Capabilities 271 Protections 272 Understanding Modes of Deployment 273 Inline 275 Positioning of the IPS within the Network 275 Outside 275 DMZ 276 Inside 277 Understanding False Positives, False Negatives, True Positives, and True Negatives 277 Summary 278 Exam Essentials 278 Review Questions 280 Chapter 17 Content and Endpoint Security 285 Mitigating Email Threats 286 Spam Filtering 286 Context-Based Filtering 287 Anti-malware Filtering 287 DLP 287 Blacklisting 288 Email Encryption 288 Cisco Email Security Appliance 288 Putting the Pieces Together 290 Mitigating Web-Based Threats 292 Understanding Web Proxies 292 Cisco Web Security Appliance 293 Mitigating Endpoint Threats 294 Cisco Identity Services Engine (ISE) 294 Antivirus/Anti-malware 294 Personal Firewall 294 Hardware/Software Encryption of Local Data 294 HIPS 295 Summary 295 Exam Essentials 295 Review Questions 296 Appendix Answers to Review Questions 301 Chapter 1: Understanding Security Fundamentals 302 Chapter 2: Understanding Security Threats 304 Chapter 3: Understanding Cryptography 305 Chapter 4: Securing the Routing Process 307 Chapter 5: Understanding Layer 2 Attacks 309 Chapter 6: Preventing Layer 2 Attacks 311 Chapter 7: VLAN Security 312 Chapter 8: Securing Management Traffic 314 Chapter 9: Understanding 802.1x and AAA 316 Chapter 10: Securing a BYOD Initiative 317 Chapter 11: Understanding VPNs 319 Chapter 12: Configuring VPNs 321 Chapter 13: Understanding Firewalls 322 Chapter 14: Configuring NAT and Zone-Based Firew.