Introduction

Part I Fundamentals of Network Security

Chapter 1 Networking Security Concepts
  "Do I Know This Already?" Quiz
  Foundation Topics
  Understanding Network and Information Security Basics
  Network Security Objectives
  Confidentiality, Integrity, and Availability
  Cost-Benefit Analysis of Security
  Classifying Assets
  Classifying Vulnerabilities
  Classifying Countermeasures
  What Do We Do with the Risk?
  Recognizing Current Network Threats
  Potential Attackers
  Attack Methods
  Attack Vectors
  Man-in-the-Middle Attacks
  Other Miscellaneous Attack Methods
  Applying Fundamental Security Principles to Network Design
  Guidelines
  How It All Fits Together
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms

Chapter 2 Understanding Security Policies Using a Lifecycle Approach
  "Do I Know This Already?" Quiz
  Foundation Topics
  Risk Analysis and Management
  Secure Network Lifecycle
  Risk Analysis Methods
  Security Posture Assessment
  An Approach to Risk Management
  Regulatory Compliance Affecting Risk
  Security Policies
  Who, What, and Why
  Specific Types of Policies
  Standards, Procedures, and Guidelines
  Testing the Security Architecture
  Responding to an Incident on the Network
  Collecting Evidence
  Reasons for Not Being an Attacker
  Liability
  Disaster Recovery and Business Continuity Planning
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms

Chapter 3 Building a Security Strategy
  "Do I Know This Already?" Quiz
  Foundation Topics
  Securing Borderless Networks
  The Changing Nature of Networks
  Logical Boundaries
  SecureX and Context-Aware Security
  Controlling and Containing Data Loss
  An Ounce of Prevention
  Secure Connectivity Using VPNs
  Secure Management
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms

Part II Protecting the Network Infrastructure

Chapter 4 Network Foundation Protection
  "Do I Know This Already?" Quiz
  Foundation Topics
  Using Network Foundation Protection to Secure Networks
  The Importance of the Network Infrastructure
  The Network Foundation Protection (NFP) Framework
  Interdependence
  Implementing NFP
  Understanding the Management Plane
  First Things First
  Best Practices for Securing the Management Plane
  Understanding the Control Plane
  Best Practices for Securing the Control Plane
  Understanding the Data Plane
  Best Practices for Protecting the Data Plane
  Additional Data Plane Protection Mechanisms
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms

Chapter 5 Using Cisco Configuration Professional to Protect the Network Infrastructure
  "Do I Know This Already?" Quiz
  Foundation Topics
  Introducing Cisco Configuration Professional
  Understanding CCP Features and the GUI
  The Menu Bar
  The Toolbar
  Left Navigation Pane
  Content Pane
  Status Bar
  Setting Up New Devices
  CCP Building Blocks
  Communities
  Templates
  User Profiles
  CCP Audit Features
  One-Step Lockdown
  A Few Highlights
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms
  Command Reference to Check Your Memory

Chapter 6 Securing the Management Plane on Cisco IOS Devices
  "Do I Know This Already?" Quiz
  Foundation Topics
  Securing Management Traffic
  What Is Management Traffic and the Management Plane?
  Beyond the Blue Rollover Cable
  Management Plane Best Practices
  Password Recommendations
  Using AAA to Verify Users
  AAA Components
  Options for Storing Usernames, Passwords, and Access Rules
  Authorizing VPN Users
  Router Access Authentication
  The AAA Method List
  Role-Based Access Control
  Custom Privilege Levels
  Limiting the Administrator by Assigning a View
  Encrypted Management Protocols
  Using Logging Files
  Understanding NTP
  Protecting Cisco IOS Files
  Implement Security Measures to Protect the Management Plane
  Implementing Strong Passwords
  User Authentication with AAA
  Using the CLI to Troubleshoot AAA for Cisco Routers
  RBAC Privilege Level/Parser View
  Implementing Parser Views
  SSH and HTTPS
  Implementing Logging Features
  Configuring Syslog Support
  SNMP Features
  Configuring NTP
  Securing the Cisco IOS Image and Configuration Files
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms
  Command Reference to Check Your Memory

Chapter 7 Implementing AAA Using IOS and the ACS Server
  "Do I Know This Already?" Quiz
  Foundation Topics
  Cisco Secure ACS, RADIUS, and TACACS
  Why Use Cisco ACS?
  What Platform Does ACS Run On?
  What Is ISE?
  Protocols Used Between the ACS and the Router
  Protocol Choices Between the ACS Server and the Client (the Router)
  Configuring Routers to Interoperate with an ACS Server
  Configuring the ACS Server to Interoperate with a Router
  Verifying and Troubleshooting Router-to-ACS Server Interactions
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms
  Command Reference to Check Your Memory

Chapter 8 Securing Layer 2 Technologies
  "Do I Know This Already?" Quiz
  Foundation Topics
  VLAN and Trunking Fundamentals
  What Is a VLAN?
  Trunking with 802.1Q
  Following the Frame, Step by Step
  The Native VLAN on a Trunk
  So, What Do You Want to Be? (Says the Port)
  Inter-VLAN Routing
  The Challenge of Using Physical Interfaces Only
  Using Virtual "Sub" Interfaces
  Spanning-Tree Fundamentals
  Loops in Networks Are Usually Bad
  The Life of a Loop
  The Solution to the Layer 2 Loop
  STP Is Wary of New Ports
  Improving the Time Until Forwarding
  Common Layer 2 Threats and How to Mitigate Them
  Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too
  Layer 2 Best Practices
  Do Not Allow Negotiations
  Layer 2 Security Toolkit
  Specific Layer 2 Mitigation for CCNA Security
  BPDU Guard
  Root Guard
  Port Security
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Review the Port Security Video Included with This Book
  Define Key Terms
  Command Reference to Check Your Memory

Chapter 9 Securing the Data Plane in IPv6
  "Do I Know This Already?" Quiz
  Foundation Topics
  Understanding and Configuring IPv6
  Why IPv6?
  The Format of an IPv6 Address
  Understanding the Shortcuts
  Did We Get an Extra Address?
  IPv6 Address Types
  Configuring IPv6 Routing
  Moving to IPv6
  Developing a Security Plan for IPv6
  Best Practices Common to Both IPv4 and IPv6
  Threats Common to Both IPv4 and IPv6
  The Focus on IPv6 Security
  New Potential Risks with IPv6
  IPv6 Best Practices
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms
  Command Reference to Check Your Memory

Part III Mitigating and Controlling Threats

Chapter 10 Planning a Threat Control Strategy
  "Do I Know This Already?" Quiz
  Foundation Topics
  Designing Threat Mitigation and Containment
  The Opportunity for the Attacker Is Real
  Many Potential Risks
  The Biggest Risk of All
  Where Do We Go from Here?
  Securing a Network via Hardware/Software/Services
  Switches
  Routers
  ASA Firewall
  Other Systems and Services
  Exam Preparation Tasks
  Review All the Key Topics
  Complete the Tables and Lists from Memory
  Define Key Terms

Chapter 11 Using Access Control Lists for Threat Mitigation
  "Do I Know This Already?" Quiz
  Foundation Topics
  Access Control List Fundamentals and Benefits
  Access Lists Aren't Just for Breakfast Anymore
  Stopping Malicious Traffic with an Access List
  What Can We Protect Against?
  The Log.

CCNA Security 640-554 Official Cert Guide