3DES encryption algorithm, 16, 79
31 Days Before Your CCNA Routing and Switching Exam, 153
802.1X
authentication process, 61
authentication servers, 62
authenticators, 62
end-to-end message exchange, 62
AAA
accounting
start-stop records, 54
stop-only records, 54
ACS, 49
authentication
server-based AAA, 45-46, 51-53
authorization, server-based AAA, 53-54
deploying, 51
troubleshooting, 58
access
attacks, 5
baiting, 8
buffer overflow attacks, 6
defenses, 8
DHCP spoofing, 6
IP spoofing, 6
MAC spoofing, 6
malvertising, 8
man-in-the-middle attacks, 6
password attacks, 6
pharming, 7
phishing, 7
port redirection, 6
pretexting, 7
smishing, 8
something for something, 8
spam, 8
spear phishing, 7
tailgating, 8
trust exploitation, 6
vishing, 8
whaling, 7
control, data loss/exfiltration, 9
device access
IOS authorization with privilege levels, 137-138
IOS file authenticity, 140-142
IOS resilient configuration, 139-140
privilege levels, 138
accounting, server-based AAA, 54-55
ACL (Access Control Lists)
crypto ACL
configuring, 118
IOS CLI-based site-to-site IPsec VPN, 117-118
firewalls
stateful firewalls, 187
IOS CLI-based site-to-site IPsec VPN, 115
verifying, 178
ACS (Access Control Servers), 49
active/active failover model (ASA high availability), 223
active/standby failover model (ASA high availability), 223
ActiveX, AnyConnect SSL VPN, 106
addressing schemes skills practice, 282
advertising and malvertising, 8
adware, 9
AES encryption algorithm, 16, 79
Aggressive mode (IKEv1), 83
AH (Authentication Header)
transport mode, 79
tunnel mode, 79
alerts, IDS/IPS, 255
Always-on VPN, 134
AMP (Advanced Malware Protection), 278-279
ESA, 264
file reputation, 264
file retrospection, 265
file sandboxing, 265
IPS, 256
amplification attacks, 7
anomaly detection (IDS), 247
antimalware
ESA, 264
file reputation, 264
file retrospection, 265
file sandboxing, 265
endpoint security, 275, 278-279
ESA, 264
antiphishing defenses, 8
anti-replay protection, IPsec, 76
antispyware, endpoint security, 275-277
antivirus software, 8
McAfee Antivirus, 266
Sophos Antivirus, 266
AnyConnect Secure Mobility Client
AnyConnect SSL VPN, 100
split tunneling, 132
Standalone mode, 100
WebLaunch mode, 100
AnyConnect SSL VPN
authentication, 100
client IP address assignments, 100
configuring
ActiveX, 106
client configuration, 106
Java detection, 106
platform detection, 106
topology sample, 99
troubleshooting connections, 111
verifying configurations, 108-109
application inspection firewalls, 186
ASA (Adaptive Security Appliance), 219
Always-on VPN, 134
AnyConnect SSL VPN, 99
client authentication, 100
client IP address assignments, 100
server authentication, 100
AVC services, 221
Client U-turns, 132
clientless SSL VPN
verifying configurations, 95-96
console ports, 221
contexts, 225
deploying, 222
DHCP server/client integration, 222
features of, 221
FirePOWER, 222
FirePOWER NGIPS, 189
high availability
active/active failover model, 223
active/standby failover model, 223
clustering, 223
Host Scan and VPN endpoint posture assessments, 135
identity firewalls, 222
IP routing, 222
lock slots, 221
management ports, 221
NAT
process of, 192
network data ports, 221
power cord sockets, 221
reset buttons, 221
services of, 222
site-to-site IPsec VPN, 122
split tunneling, 132
stateful packet inspection, 221
status LED, 220
USB ports, 221
ASA Firewall
ASDM access rules, 233
FirePOWER, 228
Global configuration mode, 229
interfaces
ASDM DMZ configuration, 231
DMZ configuration, 231
security levels, 230
traffic flows, 231
objects/object groups, 235-240
Privileged EXEC mode, 229
ROM monitor mode, 229
specific configuration mode, 229
User EXEC mode, 229
ASAv (Adaptive Security Virtual Appliance), 221
ASDM (Adaptive Security Device Manager)
ASDM site-to-site VPN wizard, 123
NAT
dynamic NAT configuration, 198-200
dynamic PAT configuration, 201-202
policy NAT configuration, 203-206
static NAT configuration, 196-197
assets, defining, 2
assigning views (CLI) to users, 139
attachments (email), data loss/exfiltration, 9
authentication
802.1X, 61
authentication process, 61
authentication servers, 62
authenticators, 62
end-to-end message exchange, 62
AnyConnect SSL VPN, 100
clientless SSL VPN, 89
ECDSA signatures, IPsec, 80
ESP, 78
hashing
Cisco products, 14
IPsec
ECDSA signatures, 80
HMAC, 80
PSK, 80
RSA encrypted nonces, 80
RSA signatures, 80
keyed hashes (MAC), 143
NTP, 43
origin authentication, IPsec, 76, 80
OSPF
PKI CA, 27
PSK, IPsec, 80
routing protocols, 143
OSPF MD5 authentication, 144-146
OSPF SHA authentication, 146-147
RSA
encrypted nonces, 80
signatures, IPsec, 80
server-based AAA, 45-46, 51-53
SHA authentication, OSPF, 146-147
two-factor authentication, 8
authentication servers (802.1X authentication), 62
authenticators (802.1X authentication), 62
authNoPriv mode (SNMPv3), 40
authorization
IOS, privilege levels, 137-138
authPriv mode (SNMPv3), 40
Auto NAT (NAT tables), 194
availability, CIA Triad, 1
AVC (Application Visibility and Control)
ASA and, 221
Cisco CWS, 274
baiting, 8
bidirectional NAT, 193
blacklisting (IPS), 256
block actions, IDS/IPS, 255
bookmarks, clientless SSL VPN configuration, 90-94
botnets, 6
Branch/SOHO topologies, 29
buffer overflow attacks, 6
BYOD (Bring Your Own Device)
collaboration, 68
MDM, 69
cloud-based deployments, 70
onboarding new devices, 72
on-premises deployments, 70
mobile device security, 67
mobility, 67
network intelligence, 68
C3PL (Cisco Common Classification Policy Language), 211
service policies, 213
ZPF configuration, 210, 216-218
policy maps, 215
CA (Certificate Authorities), 21-22
certificates
authentication, 27
enrollment process, 27
retrieving, 26
CRL, 27
cross-certified CA topologies, 24
enrollment, 27
hierarchical CA topologies, 23
OCSP, 28
revocation, 27
SCEP, 27
cabling skills practice, 283
CAM table overflow attacks, 157
CAN (Campus-Area Networks), 28
CCNA Routing and Switching 200-120 Official Cert Guide Library, 153
CCNA Security 210-260 Official Cert Guide, 153
CCNA Security Skills Practice
addressing schemes, 282
cabling, 283
clientless SSL VPN configuration, 286, 293
HQ-ASA configuration, 285, 291-293
HQ_SW configuration, 284-285, 290-291
ISP configuration, 283
R1_BRANCH configuration, 283-284, 289-290
site-to-site IPsec VPN configuration, 286-288, 294-295
topologies, 281
zone-based policy firewall configuration, 288-289, 295-297
CDP (Cisco Discovery Protocol) reconnaissance, 157
CEF (Cisco Express Forwarding)
CEF-exception subinterface (CPPr), 151
FIB tables, 149
certificates, PKI, 22
certification (exams), 299
options of, 302
U.S. government recognition, 301
validation period, 301
change management and social engineering (access attacks), 8
Cisco CWS (Cloud Web Security), 272-274
Cisco WSA (Web Security Appliance), 269-272
class maps
C3PL, ZPF configuration, 212-215
MPF, 241
CLI (Command Line Interface)
authorization
superviews, 138
IOS CLI-based site-to-site IPsec VPN, 114
Client U-turns, 132
clientless SSL VPN, 86
configuring, 87
interface configuration, 88
URL configuration, 88
user authentication, 89
user group policy configuration, 90
SSL/TLS encapsulation, 85
verifying configurations, 95-96
clients, AnyConnect SSL VPN
authentication, 100
configuration, 106
IP address assignments, 100
cloud-computing
storage devices, data loss/exfiltration, 9
topologies, 31
clustering (ASA high availability), 223
collaboration, BYOD deployments, 68
common threats
data loss/exfiltration, 9
network attacks
DDoS attacks, 6
DoS attacks, 6
reconnaissance attacks, 5
community ports (PVLAN), 172
confidentiality
CIA Triad, 1
cryptography and, 11
configuring
access security (management plane), 36-37
ACL
crypto ACL, 118
AnyConnect SSL VPN
client configuration, 106
clientless SSL VPN, 87
interface configuration, 88
URL configuration, 88
user authentication, 89
user group policy configuration, 90
CPPr, 151
crypto ACL, 118
DAI, 163
DHCP snooping, 161
dynamic PAT, 201
HQ-ASA skills practice, 285, 291-293
HQ_SW skills practice, 284-285, 290-291
IOS resilient configuration, 139-140
IPSG, 165
ISAKMP policies, IOS CLI-based site-to-site IPsec VPN, 116
MAC PACL, 176
NAT
dynamic PAT, 201
port security, 166
PSK, IOS CLI-based site-to-site IPsec VPN, 117
PVLAN, 173
PVLAN Edge, 174
R1_BRANCH skills practice, 283-284, 289-290
site-to-site IPsec VPN
ASA site-to-site IPsec VPN, 123-125
IOS CLI-based site-to-site IPsec VPN, 115-119
skills practice, 286-288, 294-295
split tunneling, 133
SSH/HTTPS (management plane), 38
Syslog (management plane), 38-39
VLAN
PVLAN, 173
PVLAN Edge, 174
zone-based policy firewall skills practice, 288-289, 295-297
policy maps, 215
console ports, ASA, 221
content filtering, ESA, 266
control plane
CoPP, 150
CPPr, 151
defining, 149
CoPP (Control Plane Policing), 150-151
countermeasures, defining, 2
CPPr (Control Plane Protection), 151
CRL (Certificate Revocation Lists), PKI, 27
cross-certified CA PKI topologies, 24
crypto ACL
configuring, 118
IOS CLI-based site-to-site IPsec VPN, 117-118
crypto maps
IOS CLI-based site-to-site IPsec VPN, 118-119
viewing, 120
cryptography
CIA Triad, 11
confidentiality and, 11
data integrity and, 11
encryption
hashing
SHA-2, 13
key exchange/management, 11
Suite B cryptographic standard, 81
CSD (Cisco Secure Desktop) and VPN endpoint posture assessments, 135
DAI (Dynamic ARP Inspection)
configuring, 163
verifying, 164
DAP (Dynamic Access Policies) and VPN, 135
data center topologies, 31
data encryption, endpoint security, 279
data integrity
CIA Triad, 1
cryptography and, 11
data loss/exfiltration, 9
data packets, filtering, 183-185
data plane, 149
data ports (network), ASA, 221
DDoS attacks, 6
deploying
ASA, 222
DES encryption algorithm, 16, 79
detection technologies
alerts, 255
anomaly-based IDS, 253
anomaly-based IPS, 253
blocks, 255
drops, 255
monitors, 255
policy-based IDS, 253
policy-based IPS, 253
profile-based IDS, 253
profile-based IPS, 253
reputation-based IDS, 254
resets, 255
shuns, 255
trigger actions, 255
device access
IOS
authorization, privilege levels, 137-138
resilient configuration, 139-140
DH encryption algorithm, 17
DH (Diffie-Hellman) key agreements, 81-83
DHCP (Dynamic Host Configuration Protocol)
ASA and, 222
discs (hard copy storage) and data loss/exfiltration, 9
DLP (Data Loss Prevention), ESA, 264-266
DMZ (Demilitarized Zones)
ASA Firewall, ASDM DMZ interface configuration, 231
DMZ-private policies, ZPF, 210
servers, IPS, 250
drop actions, IDS/IPS, 255
DSA encryption algorithm, 17
DSS encryption algorithm, 17
dynamic NAT, 193
verifying, 200
dynamic PAT (NAT Overload), 193
configuring, 201
verifying, 202
ECDH key agreements, 81
ECDSA signatures, IPsec authentication, 80
ElGamal encryption algorithm, 17
elliptic curve techniques, 17
email
attachments, data loss/exfiltration, 9
ESA
antimalware protection, 264
antivirus protection, 264
spam filtering, 263
malware, 259
phishing attacks, 259
viruses, 259
encapsulation, ESP, 78
encryption
cryptography and, 15
endpoint security, 279
IPsec, 79
overview of, 15
endpoint posture assessments, VPN, 135
endpoint security
data encryption, 279
enterprise campuses (CAN), 28
ESA (Email Security Appliance)
antimalware protection, 264
antivirus protection, 264
spam filtering, 263
ESP (Encapsulating Security Payload), 78
exams
certification, 299
options of, 302
U.S. government recognition, 301
validation period, 301
failing, 302
preparing for
items needed for exam day, 299
test proctors, 299
retaking, 302
skills practice
addressing schemes, 282
cabling, 283
clientless SSL VPN configuration, 286, 293
HQ-ASA configuration, 285, 291-293
HQ_SW configuration, 284-285, 290-291
ISP configuration, 283
R1_BRANCH configuration, 283-284, 289-290
site-to-site IPsec VPN configuration, 286-288, 294-295
topologies, 281
zone-based policy firewall configuration, 288-289, 295-297
failing exams, 302
false positives/negatives (IPS), 250
FIB (Forwarding Information Base) tables and CEF, 149
files, AMP
reputations, 264
retrospection, 265
sandboxing, 265
filtering
security zone policies, 4
URL filtering, Cisco CWS, 274
FirePOWER
firewalls
application inspection firewalls, 186
ASA, 219
ASDM access rules, 233
AVC services, 221
console ports, 221
contexts, 225
deploying, 222
DHCP server/client integration, 222
features of, 221
Global configuration mode, 229
high availability, 223
high availability with failover, 222-224
identity firewalls, 222
IP routing, 222
lock slots, 221
management ports, 221
network data ports, 221
objects/object groups, 235-240
power cord sockets, 221
Privileged EXEC mode, 229
reset buttons, 221
ROM monitor mode, 229
services of, 222
Specific configuration mode, 229
stateful packet inspection, 221
status LED, 220
USB ports, 221
User EXEC mode, 229
ASAv, 221
benefits of, 182
defining, 181
identity firewalls, ASA, 222
limitations of, 183
next-generation firewalls, 188-189
personal firewalls, 189, 275-276
requirements of, 182
security zones, 2
stateful firewalls, 187
zone-based policy firewall configuration skills practice, 288-289, 295-297
ZPF
benefits of, 210
C3PL and ZPF configuration, 210-211, 214-218
C3PL and ZPF configuration, 212-213
DMZ-private policies, 210
private-DMZ policies, 210
private-public policies, 210
public-DMZ policies, 209
self zones, 211
full tunnel SSL VPN, 87
GET messages (SNMP), 40
global addresses (inside/outside), NAT, 192
Global configuration mode (ASA Firewall), 229
GRE (Generic Routing Encapsulation), 73
group policies, clientless SSL VPN configuration, 90
hard copy storage (paper/discs) and data loss/exfiltration, 9
hashing
authentication
Cisco products, 14
Cisco products, 14
SHA-2, 13
hierarchical CA PKI topologies, 23
high availability, ASA
active/active failover model, 223
active/standby failover model, 223
clustering, 223
high availability with failover, 222-224
HMAC (Hash Message Authentication Code), 13-14, 80
Host Scan and VPN endpoint posture assessments, 135
host subinterface (CPPr), 151
HQ-ASA configuration skills practice, 285, 291-293
HQ_SW configuration skills practice, 284-285, 290-291
HTTP (Hypertext Transfer Protocol), 75
ICMP-type object groups (ASA Firewall), 235
identity firewalls, ASA, 222
IDS (Intrusion Detection Systems)
alerts, 255
anomaly-based IDS, 253
anomaly detection, 247
blocks, 255
drops, 255
monitors, 255
network tap, 248
policy-based IDS, 253
profile-based IDS, 253
promiscuous (passive) mode, 245
reputation-based IDS, 254
resets, 255
rule-based detection, 247
shuns, 255
trigger actions, 255
IKE (Internet Key Exchange), 17
IKEv1
Aggressive mode, 83
Main mode, 82
Quick mode, 83
in-band management (secure management systems), 35-36
information classification/handling and social engineering (access attacks), 8
inline mode (IPS), 245
inside local/global addresses (NAT), 191
integrity (data)
CIA Triad, 1
cryptography and, 11
interfaces, clientless SSL VPN configuration, 88
Internet edges (CAN), 28
intranet data centers (CAN), 28
IOS
authorization, privilege levels, 137-138
CLI-based site-to-site IPsec VPN, 114
ACL compatibility, 115
IPsec transform sets, 117
MD5 checksum, verifying, 140-141
resilient configuration, 139-140
ZPF
benefits of, 210
C3PL and ZPF configuration, 210-218
C3PL and ZPF configuration, 212-218
DMZ-private policies, 210
private-DMZ policies, 210
private-public policies, 210
public-DMZ policies, 209
self zones, 211
IP (Internet Protocol). See also IPsec
AnyConnect SSL VPN and client IP address assignments, 100
routing, ASA, 222
spoofing, 6
IPS (Intrusion Prevention Systems)
alerts, 255
AMP, 256
anomaly-based IPS, 253
blacklisting, 256
blocks, 255
DMZ servers, 250
drops, 255
false positives/negatives, 250
FirePOWER
NGIPS, 256
inline mode, 245
inside networks, 250
monitors, 255
outside networks, 250
policy-based IPS, 253
profile-based IPS, 253
resets, 255
shuns, 255
trigger actions, 255
true positives/negatives, 250
IPsec. See also IP
3DES, 79
AES, 79
anti-replay protection, 76
authentication
ECDSA signatures, 80
HMAC, 80
PSK, 80
RSA encrypted nonces, 80
RSA signatures, 80
Client U-turns, 132
DES, 79
encryption, 79
ESP, 78
HMAC, 80
SEAL, 79
site-to-site VPN
ASA site-to-site IPsec VPN, 122-128
IOS CLI-based site-to-site IPsec VPN, 114-122
Suite B cryptographic standard, 81
transform sets, IOS CLI-based site-to-site IPsec VPN, 117
IPSG (IP Source Guard), 164-165
ISAKMP (Internet Security Association and Key Management Protocol)
IKE and, 82
IOS CLI-based site-to-site IPsec VPN, 115-117
ISE (Identity Services Engines), 49-50
isolated ports (PVLAN), 171
ISP configuration skills practice, 283
Java detection, AnyConnect SSL VPN, 106
Johnson, Allan, 153
key exchange/management and cryptography, 11
key management
ECDH key agreements, 81
keyed hashes (MAC), 143
Layer 2 network security
CAM table overflow attacks, 157
CDP reconnaissance, 157
DAI
configuring, 163
verifying, 164
DHCP
LLDP reconnaissance, 157
MAC spoofing, 156
LED (status), ASA, 220
legacy VPN, 74
LLDP (Link-Layer Discovery Protocol) reconnaissance, 157
local AAA authentication, 45-46
local addresses (inside/outside), NAT, 191
lock slots, ASA, 221
MAC (Message Authentication Code), 143
MAC addresses
MAC PACL, 176
Main mode (IKEv1), 82
malvertising, 8
malware
adware, 9
ESA, 264
file reputation, 264
file retrospection, 265
file sandboxing, 265
IPS, 256
antimalware, ESA, 264
email, 259
endpoint security, 275, 278-279
ransomware, 9
scareware, 9
spyware, 9
Trojan horses, 9
viruses, 8
worms, 9
man-in-the-middle attacks, 6
management consoles, 246
management plane
access security, configuring, 36-37
defining, 149
SNMP
agents, 39
authNoPriv mode, 40
authPriv mode, 40
GET messages, 40
managers, 39
MIB, 40
noAuthNoPriv mode, 40
SET messages, 40
trap messages, 40
SSH/HTTPS, 38
management ports, ASA, 221
Manual NAT (NAT tables), 194
Manual NAT after Auto NAT (NAT tables), 195
McAfee Antivirus, 266
MD5 authentication, OSPF authentication, 144-146
MDM (Mobile Device Management) and BYOD, 69
cloud-based deployments, 70
onboarding new devices, 72
on-premises deployments, 70
message filtering, ESA, 265
MIB (Management Information Base) in SNMP, 40
mobile devices and BYOD
deployments, 67
mobile device security, 67
monitor actions, IDS/IPS, 255
MPF (Modular Policy Frameworks), ASA MPF, 240-244
MPLS VPN (Multiprotocol Label Switching VPN), 73
MQC (Modular QoS CLI), 151
NAC (Network Admission Control) and VPN endpoint posture assessments, 135
NAT (Network Address Translation), 191
AnyConnect SSL VPN configuration, 104
bidirectional NAT, 193
dynamic NAT, 193
verifying, 200
dynamic PAT (NAT Overload), 193
configuring, 201
verifying, 202
exemptions, ASA site-to-site IPsec VPN, 125
global addresses (inside/outside), 192
local addresses (inside/outside), 191
NAT tables, 194
outside NAT, 193
policy NAT, 193
verifying, 206
process of, 192
reference topology, 195
static NAT, 193
verifying, 197
static PAT, 193
NAT-T (NAT Traversal), 134
network object groups (ASA Firewall), 235
network objects (ASA Firewall), 235
networks
attacks
DDoS attacks, 6
reconnaissance attacks, 5
botnets, 6
Branch/SOHO topologies, 29
BYOD deployments, 68
CAN, 28
cloud topologies, 31
control plane
CoPP, 150
CPPr, 151
defining, 149
data center topologies, 31
data plane, 149
data ports, ASA, 221
Layer 2 security
CAM table overflow attacks, 157
CDP reconnaissance, 157
LLDP reconnaissance, 157
MAC spoofing, 156
management plane, defining, 149
taps, IDS, 248
virtual network topologies, 31
WAN topologies, 29
next-generation firewalls, 188-189
noAuthNoPriv mode (SNMPv3), 40
NTP (Network Time Protocol), 42-43
OCSP (Online Certificate Status Protocol), PKI, 28
Odom, Wendell, 153
OOB (Out-Of-Band) management (secure management systems), 35-36
origin authentication, IPsec, 76, 80
OSPF (Open Shortest Path First) authentication
outbreak filtering, ESA, 266
outside local/global addresses (NAT), 192
outside NAT, 193
packets (data)
inspection, ASA, 221
paper (hard copy storage) and data loss/exfiltration, 9
passive (promiscuous) mode (IDS), 245
passwords
attacks, 6
data loss/exfiltration, 9
managing, 8
personal firewalls, 189, 275-276
PGP (Pretty Good Privacy), 17
pharming attacks, 7
phishing attacks, 7
antiphishing defenses, 8
email, 259
ping of death, 7
PKCS (Public-Key Cryptography Standards), 25
PKI (Public Key Infrastructure)
certificate authentication, 27
certificate enrollment process, 27
CRL, 27
cross-certified CA topologies, 24
enrollment, 27
hierarchical CA topologies, 23
OCSP, 28
retrieving certificates, 26
revocation, 27
SCEP, 27
components of, 22
CRL, 27
cross-certified CA topologies, 24
hierarchical CA topologies, 23
OCSP, 28
PKCS, 25
RA, 24
single-root topologies, 23
X.509 standard, 25
PKIX (PKI X.509), 24
platform detection, AnyConnect SSL VPN, 106
policy maps
C3PL, ZPF configuration, 212-215
MPF, 241
policy NAT, 193
verifying, 206
ports
authentication. See 802.1X
community ports (PVLAN), 172
console ports, ASA, 221
isolated ports (PVLAN), 171
management ports, ASA, 221
network data ports, ASA, 221
promiscuous ports (PVLAN), 171
redirection, 6
SPAN, 248
USB ports, ASA, 221
power cord sockets, ASA, 221
practicing skills (exam preparation)
addressing schemes, 282
cabling, 283
clientless SSL VPN configuration, 286, 293
HQ-ASA configuration, 285, 291-293
HQ_SW configuration, 284-285, 290-291
ISP configuration, 283
R1_BRANCH configuration, 283-284, 289-290
site-to-site IPsec VPN configuration, 286-288, 294-295
topologies, 281
zone-based policy firewall configuration, 288-289, 295-297
preparing for exams
items needed for exam day, 299
test proctors, 299
pretexting, 7
principles of security
CIA Triad, 1
SIEM, 1
private-DMZ policies, ZPF, 210
private-public policies, ZPF, 210
privilege levels
accessing, 138
verifying, 138
Privileged EXEC mode (ASA Firewall), 137, 229
proctors (exams), 299
promiscuous (passive) mode (IDS), 245
promiscuous ports (PVLAN), 171
PSK (Pre-Shared Keys)
IOS CLI-based site-to-site IPsec VPN, 117
IPsec authentication, 80
public-DMZ policies, ZPF, 209
PVLAN (Private VLAN)
community ports, 172
configuring, 173
isolated ports, 171
promiscuous ports, 171
topology, 172
VLAN usage, 172
Quick mode (IKEv1), 83
R1_BRANCH configuration skills practice, 283-284, 289-290
RA (Registration Authorities), 24
RADIUS, server-based AAA, 46-48
deploying, 51
troubleshooting, 58
ransomware, 9
RBAC (role-based CLI authorization), 138-139
RC encryption algorithm, 16
reconnaissance attacks, 5
reflection attacks, 7
remote-access VPN, 74
AnyConnect SSL VPN
ActiveX, 106
client authentication, 100
client IP address assignments, 100
Java detection, 106
platform detection, 106
server authentication, 100
topology sample, 99
troubleshooting connections, 111
verifying configurations, 108-109
clientless SSL VPN, 86
SSL/TLS encapsulation, 85
verifying configurations, 95-96
full tunnel SSL VPN, 87
thin client SSL VPN, 86
removable storage devices, data loss/exfiltration, 9
replays, anti-replay protection, 76
reports, Cisco CWS, 274
reputations (files)
AMP, 264
requirements for exam day, 299
reset actions, IDS/IPS, 255
reset buttons, ASA, 221
retaking exams, 302
retrospection (files), AMP, 265
risks, defining, 2
ROM monitor mode (ASA Firewall), 229
routed mode deployments, ASA, 222
routing protocol authentication, OSPF, 143
RSA encryption algorithm, 17-19, 80
rule-based detection (IDS), 247
sandboxing (files), AMP, 265
Santos, Omar, 153
ScanSafe. See Cisco CWS
scareware, 9
SCEP (Simple Certificate Enrollment Protocol), 27
score reports (exams), 299-301
SCP (Secure Copy Protocol), 43-44
SEAL encryption algorithm, 16, 79
secure management systems
access security, configuring, 36-37
NTP, 42
authentication, 43
verifying client synchronization, 43
SNMP
agents, 39
authNoPriv mode, 40
authPriv mode, 40
GET messages, 40
managers, 39
MIB, 40
noAuthNoPriv mode, 40
SET messages, 40
trap messages, 40
SSH/HTTPS, configuring, 38
security
endpoint security
data encryption, 279
skills practice, 281
addressing schemes, 282
cabling, 283
clientless SSL VPN configuration, 286, 293
HQ-ASA configuration, 285, 291-293
HQ_SW configuration, 284-285, 290-291
ISP configuration, 283
R1_BRANCH configuration, 283-284, 289-290
site-to-site IPsec VPN configuration, 286-288, 294-295
topologies, 281
zone-based policy firewall configuration, 288-289, 295-297
STP
threats
data loss/exfiltration, 9
DDoS attacks, 6
DoS attacks, 6
reconnaissance attacks, 5
social engineering attacks, 7-8
web security
zones
filtering policies, 4
firewalls, 2
security object groups (ASA Firewall), 235
self zones (ZPF), 211
server-based AAA
deploying, 51
troubleshooting, 58
servers
AnyConnect SSL VPN, server authentication, 100
DMZ servers, IPS, 250
service object groups (ASA Firewall), 235
service objects (ASA Firewall), 235
service policies
C3PL, ZPF configuration, 213
MPF, 241
SET messages (SNMP), 40
severity levels (Syslog), 38-39
SHA authentication, OSPF, 146-147
SHA-1 (Secure Hash Algorithm 1), 13-14
SHA-2 (Secure Hash Algorithm 2), 13
shun actions, IDS/IPS, 255
SIEM (Security Information Event Management), 1
signatures, IPsec authentication
ECDSA signatures, 80
RSA signatures, 80
single-root PKI topologies, 23
site-to-site IPsec VPN
ASA site-to-site IPsec VPN, 122
ASDM site-to-site VPN wizard, 123
IOS CLI-based site-to-site IPsec VPN, 114
negotiations, steps of, 113-114
skills practice, 286-288, 294-295
site-to-site VPN, 74
skills practice, 281
addressing schemes, 282
cabling, 283
clientless SSL VPN configuration, 286, 293
HQ-ASA configuration, 285, 291-293
HQ_SW configuration, 284-285, 290-291
ISP configuration, 283
R1_BRANCH configuration, 283-284, 289-290
site-to-site IPsec VPN configuration, 286-288, 294-295
topologies, 281
zone-based policy firewall configuration, 288-289, 295-297
smartphones, data loss/exfiltration, 9
smishing attacks, 8
smurf attacks, 7
SNMP (Simple Network Management Protocol)
agents, 39
authNoPriv mode, 40
authPriv mode, 40
GET messages, 40
managers, 39
MIB, 40
noAuthNoPriv mode, 40
SET messages, 40
trap messages, 40
social engineering (access attacks)
baiting, 8
defenses, 8
malvertising, 8
pharming, 7
phishing, 7
pretexting, 7
smishing, 8
something for something, 8
spam, 8
spear phishing, 7
tailgating, 8
vishing, 8
whaling, 7
software
antimalware
AMP, 264
ESA, 264
antispyware, endpoint security, 275-277
antivirus software
McAfee Antivirus, 266
Sophos Antivirus, 266
something for something (social engineering/access attacks), 8
Sophos Antivirus, 266
spam
ESA spam filtering, 263
SPAN (Switched Port Analyzer), 248
spear phishing, 7
Specific configuration mode (ASA Firewall), 229
spoofing attacks
IP spoofing, 6
spyware, 9
SSL (Secure Sockets Layer), 17
remote-access VPN
full tunnel SSL VPN, 87
thin client SSL VPN, 86
Standalone mode (AnyConnect Secure Mobility Client), 100
start-stop records (AAA accounting), 54
stateful firewalls, 187
stateful packet inspection, ASA, 221
static NAT, 193
verifying, 197
static PAT, 193
status LED, ASA, 220
stop-only records (AAA accounting), 54
storage devices (removable), data loss/exfiltration, 9
STP security
Stuppi, John, 153
Suite B cryptographic standard and IPsec, 81
superviews (CLI), 138
supplicants (802.1X authentication), 62-63
switches, ACL
TACACS+ (Terminal Access Controller Access Control System Plus), server-based AAA, 46-48
deploying, 51
troubleshooting, 58
tailgating, 8
TCP SYN flood attacks, 7
test proctors, 299
thin client SSL VPN, 86
threats (security)
data loss/exfiltration, 9
defining, 2
network attacks
DDoS attacks, 6
DoS attacks, 6
reconnaissance attacks, 5
social engineering (access attacks)
defenses, 8
TLS (Transport Layer Security), SSL/TLS encapsulation and clientless SSL VPN, 85
topologies (networks)
Branch/SOHO, 29
CAN, 28
clouds, 31
data centers, 31
skills practice, 281
virtual networks, 31
WAN, 29
traffic flows
ASA Firewall, 231
transform sets (IPsec), IOS CLI-based site-to-site IPsec VPN, 117
transit subinterface (CPPr), 151
transparent (bridged) mode deployments, ASA, 222
transport mode
AH, 79
ESP, 78
trap messages (SNMP), 40
trigger actions, IDS/IPS, 255
Trojan horses, 9
troubleshooting
AnyConnect SSL VPN connections, 111
server-based AAA, 58
true positives/negatives (IPS), 250
trust exploitation, 6
tunnel mode
AH, 79
ESP, 78
two-factor authentication, 8
unencrypted devices, data loss/exfiltration, 9
URL (Uniform Resource Locators)
clientless SSL VPN configuration, 88
filtering, Cisco CWS, 274
U.S. government recognition of CCNA Security certification, 301
USB memory sticks, data loss/exfiltration, 9
USB ports, ASA, 221
User EXEC mode (ASA Firewall), 137, 229
user object groups (ASA Firewall), 235
VACL
verifying, 178
verifying
AnyConnect SSL VPN configurations, 108-109
clientless SSL VPN configurations, 95-96
DAI, 164
dynamic NAT, 200
dynamic PAT, 202
IOS resilient configuration, 140
IPSG, 165
NAT
dynamic NAT, 200
dynamic PAT, 202
policy NAT, 206
static NAT, 197
NTP client synchronization, 43
parser views (CLI), 139
policy NAT, 206
privilege levels, 138
site-to-site IPsec VPN
ASA site-to-site IPsec VPN, 125-128
IOS CLI-based site-to-site IPsec VPN, 119-122
static NAT, 197
VACL, 178
VLAN
views (CLI)
assigning to users, 139
superviews, 138
virtual network topologies, 31
viruses
antivirus defenses, 8
antivirus software, 266
email, 259
vishing, 8
VLAN (Virtual Local Area Networks)
PVLAN
community ports, 172
configuring, 173
isolated ports, 171
promiscuous ports, 171
topology, 172
VLAN usage, 172
VLAN maps. See VACL
VPN (Virtual Private Networks)
Always-on VPN, 134
AnyConnect SSL VPN
ActiveX, 106
client authentication, 100
client IP address assignments, 100
Java detection, 106
platform detection, 106
server authentication, 100
topology sample, 99
troubleshooting connections, 111
verifying configurations, 108-109
ASDM site-to-site VPN wizard, 123
benefits of, 73
Client U-turns, 132
clientless SSL VPN, 86
SSL/TLS encapsulation, 85
verifying configurations, 95-96
DAP, 135
endpoint posture assessments, 135
full tunnel SSL VPN, 87
GRE, 73
legacy VPN, 74
MPLS VPN, 73
NAT-T, 134
remote-access VPN, 74
full tunnel SSL VPN, 87
thin client SSL VPN, 86
site-to-site IPsec VPN
ASA site-to-site IPsec VPN, 122-128
ASDM site-to-site VPN wizard, 123
IOS CLI-based site-to-site IPsec VPN, 114-122
site-to-site VPN, 74
split tunneling, 132
types of, 73
vulnerabilities, defining, 2
WAN (Wide-Area Network) topologies, 29
web security
WebLaunch mode (AnyConnect Secure Mobility Client), 100
whaling, 7
worms, 9
X.509 standard, 25
zone-based policy firewall configuration skills practice, 288-289, 295-297
ZPF (Zone-Based Policy Firewalls)
benefits of, 210
C3PL and ZPF configuration, 210-211, 216-218
policy maps, 215
C3PL and ZPF configuration, 216-218
service policies, 213
DMZ-private policies, 210
private-DMZ policies, 210
private-public policies, 210
public-DMZ policies, 209
self zones, 211
CCNA Security 210-260 IINS Exam Topics
Symmetric and Asymmetric Encryption
Symmetric Encryption Algorithms
Asymmetric Encryption Algorithms
Comparing Symmetric and Asymmetric Encryption Algorithms
Activity: Compare Symmetric and Asymmetric Encryption Algorithms
CCNA Security 210-260 IINS Exam Topics
Key Topics
Public Key Infrastructure
PKI Terminology, Components, and Classes of Certificates
PKI Topologies
PKI Standards
PKI Operations
Activity: Order the Steps in the PKI Process
Enrollment and Revocation
Certificate Authorities and Certificates
Network Architectures and Topologies
Campus-Area Network (CAN)
WAN and Branch/SOHO
Data Center
Cloud and Virtual Networks
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
In-band and Out-of-band Management
Management Plane Security
Access Security
SSH/HTTPS
Syslog
Activity: Match the Syslog Severity Level to Its Keyword
Simple Network Management Protocol (SNMP)
SNMPv3 Configuration and Demonstration
Network Time Protocol (NTP)
Secure Copy Protocol (SCP)
Packet Tracer Activity: Configure NTP, Syslog, and NTP
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
AAA
RADIUS and TACACS+
RADIUS
TACACS+
Activity: Identify the AAA Communication Protocol
ACS and ISE
ACS
ISE
Fundamentals of NAC and ISE
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Server-based AAA Authentication
Activity: Match the AAA Method to Its Description
Server-based AAA Authorization
Server-based AAA Accounting
Server-based AAA Verification and Troubleshooting
Configuring AAA Using a RADIUS Server
Configuring AAA Using a TACACS+ Server
Packet Tracer Activity: Configure AAA Authentication
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
802.1X
Terminology and Concepts
Configuration and Verification
Configuring and Verifying 802.1X
Activity: Match the 802.1X Terminology to Its Description
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
BYOD Architecture
Cisco ISE for BYOD Mobility
BYOD Management
Activity: Match the BYOD Terminology to Its Description
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
VPNs
IPsec Framework
IPsec Protocols
AH
ESP
IPsec Modes of Operations
Confidentiality
Data Integrity
Origin Authentication
Key Management
Suite B Cryptographic Standard
IKE
IKEv1 Phase 1
IKEv1 Phase 2
IKEv1 Phase 1 and IKEv1 Phase 2
IKEv2
Activity: Identify the IPsec Terminology
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Concepts
Clientless SSL VPN Concepts
Clientless SSL VPN Configuration
Task 1: Launch Clientless SSL VPN Wizard from ASDM
Task 2: Configure the SSL VPN URL and Interface
Task 3: Configure User Authentication
Task 4: Configure User Group Policy
Task 5: Configure Bookmarks
Clientless SSL VPN Verification
Configuring and Testing Clientless SSL VPNs
Activity: Order the Steps when Configuring Clientless SSL VPN
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
AnyConnect SSL VPN Concepts
SSL VPN Server Authentication
SSL VPN Client Authentication
SSL VPN Client IP Address Assignment
AnyConnect SSL VPN Configuration and Verification
Phase 1: Configure Cisco ASA for Cisco AnyConnect
Task 1: Connection Profile Identification
Task 2: VPN Protocols and Device Certificate
Task 3: Client Image
Task 4: Authentication Methods
Task 5: Client Address Assignment
Task 6: Network Name Resolution Servers
Task 7: Network Address Translation Exemption
Task 8: AnyConnect Client Deployment and Summary
Phase 2: Configure the Cisco AnyConnect VPN Client
Phase 3: Verify AnyConnect Configuration and Connection
Configuring and Verifying AnyConnect SSL VPNs
Activity: Order the Steps when Configuring AnyConnect SSL VPN
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
IPsec Negotiation
Cisco IOS CLI-based Site-to-Site IPsec VPN
Configuration
Step 1: ACL Compatibility
Step 2: IKE Phase 1—ISAKMP Policy
Step 3: IKE Phase 2—IPsec Transform Set
Step 4: Crypto ACLs
Step 5: IPsec Crypto Map
Verification
Activity: Order the Steps when Configuring IOS-based Site-to-Site IPsec VPN
Configuring IOS-based Site-to-Site IPsec VPN
Cisco ASA Site-to-Site IPsec VPN
Configuration
Step 1: Launch the ASDM Site-to-Site VPN Wizard
Step 2: Peer Device Identification
Step 3: Traffic to Protect
Step 4: Security
Step 5: NAT Exempt
Verification
Configuring ASA-based Site-to-Site IPsec VPN
Packet Tracer Activity: Configure IOS Site-to-Site IPsec VPN
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Hairpinning and Client U-Turn
Split Tunneling
Always-on VPN
NAT Traversal
Configuring Advanced Remote-Access VPN Features on Cisco ASA
Endpoint Posture Assessment
Activity: Identify Advanced VPN Technologies
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Cisco IOS Authorization with Privilege Levels
Configuring Privilege Levels
Authorization with Role-Based CLI
Configuring Role-Based CLI
Cisco IOS Resilient Configuration
Cisco IOS File Authenticity
Activity: Order the Steps when Configuring Role-based CLI
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Routing Protocol Authentication
OSPF MD5 Authentication
MD5 Authentication with Key Chain
MD5 Authentication Without Key Chain
OSPF SHA Authentication
Configuring MD5 Authentication for OSPF with Key Chain
Activity: Order the Steps when Configuring OSPF SHA Authentication
Packet Tracer Activity: Configure Routing Protocol Authentication
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Functional Planes of the Network
Control Plane Policing
Configuring Cisco Control Plane Policing
Control Plane Protection
Activity: Compare CoPP and CPPr
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Common Layer 2 Attacks
STP Attacks
ARP Spoofing
MAC Spoofing
CAM Table Overflows
CDP/LLDP Reconnaissance
VLAN Hopping
DHCP Spoofing
Layer 2 Security Threats
Activity: Match the Switch Attack to Its Description
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
DHCP Snooping
Configuring DHCP Snooping
Dynamic ARP Inspection
IP Source Guard
Configuring IP Source Guard
Port Security
Configuring Port Security
STP Security Mechanisms
PortFast
BPDU Guard
Root Guard
Loop Guard
Configuring STP Stability Mechanisms
Activity: Match the Layer 2 Security Feature to Its Description
Packet Tracer Activity: Configure Layer 2 VLAN and STP Security
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Private VLANs
Configuring Private VLANs
PVLAN Edge
ACLs on Switches
PACL Configuration
VACL Configuration
Configuring Port ACLs
Native VLAN
Activity: Match the Switch Port Security Feature to Its Description
Packet Tracer Activity: Configure IP ACLs
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Firewall Overview
Packet Filtering
Proxy and Application Firewalls
Stateful Firewalls
Next-Generation Firewalls
Personal Firewall
Cisco ASA Next-Generation Firewalls
Activity: Match the Firewall Type to Its Description
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
NAT Fundamentals
NAT on Cisco ASA
Static NAT
Dynamic NAT
Dynamic PAT
Policy NAT
Configuring NAT on Cisco ASA with ASDM
Activity: Match the NAT Terminology to Its Description
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
ZPF Concepts
ZPF Zones and Zone Pairs
Introduction to C3PL
Class Maps
Policy Maps
Service Policy
Default Policies and Traffic Flows
ZPF Configuration and Verification
Configuring Class Maps
Configuring Policy Maps
Configuration and Verification
IOS Zone-Based Policy Firewall
Activity: Match the ZPF Terminology to Its Description
Packet Tracer Activity: Configure IOS Zone-based Policy Firewall (ZPF)
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Cisco ASA Family
ASA Features and Services
ASA Deployments
ASA High Availability
ASA Contexts
Introducing the Cisco ASA
Activity: Match the ASA Feature or Service to Its Descriptions
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
ASA Default Configuration
ASA Management Access
Configuring ASA Management Access
ASA Interfaces
ASA Access Rules
Configuring ASA Access Rules
ASA Objects and Object Groups
Configuring ASA Network and Service Objects and Object Groups
ASA Modular Policy Framework
Activity: Match the ASA MPF Concept with Its Definition
Configuring ASA Modular Policy Framework
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
IDS vs. IPS
Host-based vs. Network-based IPS
IPS Deployment Options
IPS Placement
IPS Terminology
IDS and IPS Concepts
Activity: Match the IDS and IPS Terminology to Its Definition
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Detection Technologies
Signatures
Trigger Actions
Blacklisting
Next-Generation IPS with FirePOWER
IDS and IPS Technologies
Activity: Compare IPS Alarm Characteristics
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
ESA Overview
ESA Deployment
ESA Features
Filtering Spam
Fighting Viruses and Malware
Email Data Loss Prevention
Advanced Malware Protection
ESA Mail Processing
Incoming Mail Processing
Outgoing Mail Processing
Content Security with the Cisco Email Security Appliance (ESA)
Activity: Order the Steps in the ESA Incoming Email Process
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Cisco WSA
Cisco CWS
Web Content Security with the Cisco WSA and Cisco CWS
Activity: Order the Steps in the WSA Traffic Flow
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
Endpoint Security Overview
Personal Firewalls
Antivirus
Antispyware
Antimalware
Data Encryption
Endpoint Security Technologies
Activity: Identify Endpoint Security Technologies
Study Resources
Check Your Understanding
CCNA Security 210-260 IINS Exam Topics
Key Topics
CCNA Security Skills Practice
Introduction
Topology Diagram
Addressing Table
ISP Configuration
Implementation
Step 1: Cable the Network As Shown in the Topology
Step 2: Configure Initial Settings for R1_BRANCH
Step 3: Configure Initial Settings for HQ_SW
Step 4: Configure Initial Settings for HQ-ASA
Step 5: Configure Clientless SSL VPN
Step 6: Configure Site-to-Site IPsec VPN
Step 7: Configure a Zone-Based Policy Firewall
Answers to CCNA Security Skills Practice
Step 1: Cable the Network As Shown in the Topology
Step 2: Configure Initial Settings for R1_BRANCH
Step 3: Configure Initial Settings for HQ_SW
Step 4: Configure Initial Settings for HQ-ASA
Step 5: Configure Clientless SSL VPN
Step 6: Configure Site-to-Site IPsec VPN
Step 7: Configure a Zone-Based Policy Firewall
Practice Exam