Preparing for the latest CCNA Security exam? Here are all the CCNA Security (210-260) commands you need in one condensed, portable resource. Filled with valuable, easy-to-access information, the CCNA Security Portable Command Guide is portable enough for you to use whether you're in the server room or the equipment closet.

Completely updated to reflect the new CCNA Security 210-260 exam, this quick reference summarizes relevant Cisco IOS® Software commands, keywords, command arguments, and associated prompts, and offers tips and examples for applying these commands to real-world security challenges. Configuration examples throughout provide an even deeper understanding of how to use IOS to protect networks.

Topics covered include:
- Networking security fundamentals: concepts, policies, strategy
- Protecting network infrastructure: network foundations, security management planes/access; data planes (Catalyst switches and IPv6)
- Threat control/containment: protecting endpoints and content; configuring ACLs, zone-based firewalls, and Cisco IOS IPS
- Secure connectivity: VPNs, cryptology, asymmetric encryption, PKI, IPsec VPNs, and site-to-site VPN configuration
- ASA network security: ASA/ASDM concepts; configuring ASA basic settings, advanced settings, and VPNs

- Access all CCNA Security commands: use as a quick, offline resource for research and solutions
- Logical how-to topic groupings provide one-stop research
- Great for review before CCNA Security certification exams
- Compact size makes it easy to carry with you, wherever you go
- "Create Your Own Journal" section with blank, lined pages allows you to personalize the book for your needs
- "What Do You Want to Do?" chart inside the front cover helps you to quickly reference specific tasks
Introduction

Part I: Networking Security Fundamentals

Chapter 1: Networking Security Concepts
Basic Security Concepts; Security Terminology; Confidentiality, Integrity, and Availability (CIA); Data Classification Criteria; Data Classification Levels; Classification Roles; Threat Classification; Trends in Information Security Threats; Preventive, Detective, and Corrective Controls; Risk Avoidance, Transfer, and Retention; Drivers for Network Security; Evolution of Threats; Data Loss and Exfiltration; Tracking Threats; Malware; Anatomy of a Worm; Mitigating Malware and Worms; Threats in Borderless Networks; Hacker Titles; Thinking Like a Hacker; Reconnaissance Attacks; Access Attacks; Password Cracking; Denial-of-Service Attacks; Distributed Denial-of-Service Attacks; Tools Used by Attackers; Principles of Secure Network Design; Defense in Depth

Chapter 2: Implementing Security Policies
Managing Risk; Quantitative Risk Analysis Formula; Quantitative Risk Analysis Example; Regulatory Compliance; Security Policy; Standards, Guidelines, and Procedures; Security Policy Audience Responsibilities; Security Awareness; Secure Network Lifecycle Management; Models and Frameworks; Assessing and Monitoring the Network Security Posture; Testing the Security Architecture; Incident Response; Incident Response Phases; Computer Crime Investigation; Collection of Evidence and Forensics; Law Enforcement and Liability; Ethics; Disaster-Recovery and Business-Continuity Planning

Chapter 3: Building a Security Strategy
Cisco Borderless Network Architecture; Borderless Security Products; Cisco SecureX Architecture and Context-Aware Security; Cisco TrustSec; TrustSec Confidentiality; Cisco AnyConnect; Cisco Talos; Threat Control and Containment; Cloud Security and Data-Loss Prevention; Secure Connectivity Through VPNs; Security Management

Part II: Protecting the Network Infrastructure

Chapter 4: Network Foundation Protection
Threats Against the Network Infrastructure; Cisco Network Foundation Protection Framework; Control Plane Security; Control Plane Policing; Management Plane Security; Role-Based Access Control; Secure Management and Reporting; Data Plane Security; ACLs; Antispoofing; Layer 2 Data Plane Protection

Chapter 5: Securing the Management Plane
Planning a Secure Management and Reporting Strategy; Securing the Management Plane; Securing Passwords; Securing the Console Line and Disabling the Auxiliary Line; Securing VTY Access with SSH; Securing VTY Access with SSH Example; Securing Configuration and IOS Files; Restoring Bootset Files; Implementing Role-Based Access Control on Cisco Routers; Configuring Privilege Levels; Configuring Privilege Levels Example; Configuring RBAC; Configuring RBAC via the CLI Example; Configuring Superviews; Configuring a Superview Example; Network Monitoring; Configuring a Network Time Protocol Master Clock; Configuring an NTP Client; Configuring an NTP Master and Client Example; Configuring Syslog; Configuring Syslog Example; Configuring SNMPv3; Configuring SNMPv3 Example

Chapter 6: Securing Management Access with AAA
Authenticating Administrative Access; Local Authentication; Server-Based Authentication; Authentication, Authorization, and Accounting Framework; Local AAA Authentication; Configuring Local AAA Authentication Example; Server-Based AAA Authentication; TACACS+ Versus RADIUS; Configuring Server-Based AAA Authentication; Configuring Server-Based AAA Authentication Example; AAA Authorization; Configuring AAA Authorization Example; AAA Accounting; Configuring AAA Accounting Example; 802.1X Port-Based Authentication; Configuring 802.1X Port-Based Authentication; Configuring 802.1X Port-Based Authentication Example

Chapter 7: Securing the Data Plane on Catalyst Switches
Common Threats to the Switching Infrastructure; Layer 2 Attacks; Layer 2 Security Guidelines; MAC Address Attacks; Configuring Port Security; Fine-Tuning Port Security; Configuring Optional Port Security Settings; Configuring Port Security Example; VLAN Hopping Attacks; Mitigating VLAN Attacks; Mitigating VLAN Attacks Example; DHCP Attacks; Mitigating DHCP Attacks; Mitigating DHCP Attacks Example; ARP Attacks; Mitigating ARP Attacks; Mitigating ARP Attacks Example; Address Spoofing Attacks; Mitigating Address Spoofing Attacks; Mitigating Address Spoofing Attacks Example; Spanning Tree Protocol Attacks; STP Stability Mechanisms; Configuring STP Stability Mechanisms; Configuring STP Stability Mechanisms Example; LAN Storm Attacks; Configuring Storm Control; Configuring Storm Control Example; Advanced Layer 2 Security Features; ACLs and Private VLANs; Secure the Switch Management Plane

Chapter 8: Securing the Data Plane in IPv6 Environments
Overview of IPv6; Comparison Between IPv4 and IPv6; The IPv6 Header; ICMPv6; Stateless Autoconfiguration; IPv4-to-IPv6 Transition Solutions; IPv6 Routing Solutions; IPv6 Threats; IPv6 Vulnerabilities; IPv6 Security Strategy; Configuring Ingress Filtering; Secure Transition Mechanisms; Future Security Enhancements

Part III: Threat Control and Containment

Chapter 9: Endpoint and Content Protection
Protecting Endpoints; Endpoint Security; Data Loss Prevention; Endpoint Posture Assessment; Cisco Advanced Malware Protection (AMP); Cisco AMP Elements; Cisco AMP for Endpoint; Cisco AMP for Endpoint Products; Content Security; Email Threats; Cisco Email Security Appliance (ESA); Cisco Email Security Virtual Appliance (ESAV); Cisco Web Security Appliance (WSA); Cisco Web Security Virtual Appliance (WSAV); Cisco Cloud Web Security (CWS)

Chapter 10: Configuring ACLs for Threat Mitigation
Access Control List; Mitigating Threats Using ACLs; ACL Design Guidelines; ACL Operation; Configuring ACLs; ACL Configuration Guidelines; Filtering with Numbered Extended ACLs; Configuring a Numbered Extended ACL Example; Filtering with Named Extended ACLs; Configuring a Named Extended ACL Example; Mitigating Attacks with ACLs; Antispoofing ACLs Example; Permitting Necessary Traffic through a Firewall Example; Mitigating ICMP Abuse Example; Enhancing ACL Protection with Object Groups; Network Object Groups; Service Object Groups; Using Object Groups in Extended ACLs; Configuring Object Groups in ACLs Example; ACLs in IPv6; Mitigating IPv6 Attacks Using ACLs; IPv6 ACLs Implicit Entries; Filtering with IPv6 ACLs; Configuring an IPv6 ACL Example

Chapter 11: Configuring Zone-Based Firewalls
Firewall Fundamentals; Types of Firewalls; Firewall Design; Security Architectures; Firewall Policies; Firewall Rule Design Guidelines; Cisco IOS Firewall Evolution; Cisco IOS Zone-Based Policy Firewall; Cisco Common Classification Policy Language; ZPF Design Considerations; Default Policies, Traffic Flows, and Zone Interaction; Configuring an IOS ZPF; Configuring an IOS ZPF Example

Chapter 12: Configuring Cisco IOS IPS
IDS and IPS Fundamentals; Types of IPS Sensors; Types of Signatures; Types of Alarms; Intrusion Prevention Technologies; IPS Attack Responses; IPS Anti-Evasion Techniques; Managing Signatures; Cisco IOS IPS Signature Files; Implementing Alarms in Signatures; IOS IPS Severity Levels; Event Monitoring and Management; IPS Recommended Practices; Configuring IOS IPS; Creating an IOS IPS Rule and Specifying the IPS Signature File Location; Tuning Signatures per Category; Configuring IOS IPS Example

Part IV: Secure Connectivity

Chapter 13: VPNs and Cryptology
Virtual Private Networks; VPN Deployment Modes; Cryptology = Cryptography + Cryptanalysis; Historical Cryptographic Ciphers; Modern Substitution Ciphers; Encryption Algorithms; Cryptanalysis; Cryptographic Processes in VPNs; Classes of Encryption Algorithms; Symmetric Encryption Algorithms; Asymmetric Encryption Algorithm; Choosing an Encryption Algorithm; Choosing an Adequate Keyspace; Cryptographic Hashes; Well-Known Hashing Algorithms; Hash-Based Message Authentication Codes; Digital Signatures

Chapter 14: Asymmetric Encryption and PKI
Asymmetric Encryption; Public Key Confidentiality and Authentication; RSA Functions; Public Key Infrastructure; PKI Terminology; PKI Standards; PKI Topologies; PKI Characteristics

Chapter 15: IPsec VPNs
IPsec Protocol; IPsec Protocol Framework; Encapsulating IPsec Packets; Transport Versus Tunnel Mode; Confidentiality Using Encryption Algorithms; Data Integrity Using Hashing Algorithms; Peer Authentication Methods; Key Exchange Algorithms; NSA Suite B Standard; Internet Key Exchange; IKE Negotiation Phases; IKEv1 Phase 1 (Main Mode and Aggressive Mode); IKEv1 Phase 2 (Quick Mode); IKEv2 Phase 1 and 2; IKEv1 Versus IKEv2; IPv6 VPNs

Chapter 16: Configuring Site-to-Site VPNs
Site-to-Site IPsec VPNs; IPsec VPN Negotiation Steps; Planning an IPsec VPN; Cipher Suite Options; Configuring IOS Site-to-Site VPNs; Verifying the VPN Tunnel; Configuring a Site-to-Site IPsec VPN

Part V: Securing the Network Using the ASA

Chapter 17: Introduction to the ASA
Adaptive Security Appliance; ASA Models; Routed and Transparent Firewall Modes; ASA Licensing; Basic ASA Configuration; ASA 5505 Front and Back Panel; ASA Security Levels; ASA 5505 Port Configuration; ASA 5505 Deployment Scenarios; ASA 5505 Configuration Options

Chapter 18: Introduction to ASDM
Adaptive Security Device Manager; Accessing ASDM; Factory Default Settings; Resetting the ASA 5505 to Factory Default Settings; Erasing the Factory Default Settings; Setup Initialization Wizard; Installing and Running ASDM; Running ASDM; ASDM Wizards; The Startup Wizard; VPN Wizards; Advanced Wizards

Chapter 19: Configuring Cisco ASA Basic Settings
ASA Command-Line Interface; Differences Between IOS and ASA OS; Configuring Basic Settings; Configuring Basic Management Settings; Enabling the Master Passphrase; Configuring Interfaces; Configuring the Inside and Outside SVIs; Assigning Layer 2 Ports to VLANs; Configuring a Third SVI; Configuring the Management Plane; Enabling Telnet, SSH, and HTTPS Access; Configuring Time Services; Configuring the Control Plane; Configuring a Default Route; Basic Settings Example; Configuring Basic Settings Example Using the CLI; Configuring Basic Settings Example Using ASDM; Configuring Interfaces Using ASDM; Configuring the System Time Using ASDM; Configuring Static Routing Using ASDM; Configuring Device Management Access Using ASDM

Chapter 20: Configuring Cisco ASA Advanced Settings
ASA DHCP Services; DHCP Client; DHCP Server Services; Configuring DHCP Server Example Using the CLI; Configuring DHCP Server Example Using ASDM; ASA Objects and Object Groups; Network and Service Objects; Network, Protocol, ICMP, and Service Object Groups; Configuring Objects and Object Groups Example Using ASDM; ASA ACLs; ACL Syntax; Configuring ACLs Example Using the CLI; Configuring ACLs with Object Groups Example Using the CLI; Configuring ACLs with Object Groups Example Using ASDM; ASA NAT Services; Auto-NAT; Dynamic NAT, Dynamic PAT, and Static NAT; Configuring Dynamic and Static NAT Example Using the CLI; Configuring Dynamic NAT Example Using ASDM; Configuring Dynamic PAT Example Using ASDM; Configuring Static NAT Example Using ASDM; AAA Access Control; Local AAA Authentication; Server-Based AAA Authentication; Configuring AAA Server-Based Authentication Example Using the CLI; Configuring AAA Server-Based Authentication Example Using ASDM; Modular Policy Framework Service Policies; Class Maps, Policy Maps, and Service Policies; Default Global Policies; Configure Service Policy Example Using ASDM

Chapter 21: Configuring Cisco ASA VPNs
Remote-Access VPNs; Types of Remote-Access VPNs; ASA SSL VPN; Client-Based SSL VPN Example Using ASDM; Clientless SSL VPN Example Using ASDM; ASA Site-to-Site IPsec VPN; ISR IPsec VPN Configuration; ASA Initial Configuration; ASA VPN Configuration Using ASDM

Appendix A: Create Your Own Journal Here

Product details

ISBN: 9781587205750
Published: 2016
Edition: 2nd edition
Publisher: Cisco Press
Weight: 464 g
Height: 228 mm
Width: 156 mm
Depth: 18 mm
Age level: 06, P
Language: English
Format: Paperback
Number of pages: 352

Author

Biographical note

Bob Vachon is a professor in the Computer Systems Technology program at Cambrian College in Sudbury, Ontario, Canada, where he teaches networking infrastructure courses. He has worked and taught in the computer networking and information technology field since 1984. He has collaborated on various CCNA, CCNA Security, and CCNP projects for the Cisco Networking Academy as team lead, lead author, and subject matter expert. He enjoys playing the guitar and being outdoors.