Cisco SND Training Class Securing Cisco Network Devices CCSP
Training Class Description
In this 5-day, entry-level network security course, you'll learn basic concepts such as network security policies, network attack methods, and threat mitigation
techniques, along with the Cisco security product portfolio. You will examine the most important security technologies, including hardening Cisco IOS routers and
switches against attack, Layer 2 security, stateful firewalling, Intrusion Prevention Systems (IPS), and Virtual Private Networks (VPNs).
SND 2.0 prepares you for the 642-552 SND exam as well. Professionals who pass the SND exam and the CCNA exam are awarded both the Cisco Information
Security Specialist certification and the CNSS 4011 InfoSec Professional certification. Exam 642-552 SND is required for the Cisco Certified Security
Professional certification and for several Cisco Qualified Specialist certifications, including: Cisco Firewall Specialist, Cisco IPS Specialist, and Cisco VPN Specialist.
Audience
Network professionals who need to understand basic security concepts, require the basic knowledge and skills needed
to deploy Cisco security, and are seeking CCSP certification, Cisco Qualified Specialist Certifications in Firewall, VPN, or IPS, or Cisco Information Security Specialist certification.
Upon completion of this course you will have learned:
- Importance of security policies to the implementation of secure networks
- Recognize threats and vulnerabilities to networks and implement basic mitigation measures
- Products that form the basis of the Cisco security portfolio
- Various common security vulnerabilities and network attack methodologies
- Mitigation of common security vulnerabilities
- Hands-on experience with tools used by network attackers
- Hands-on experience with the security features of Cisco IOS Switches
- Discussion of specialized security devices and systems including PIX Firewalls, Adaptive Security Appliances, the 4215 IPS Sensor family, Cisco Security Agent, and the 3000 VPN Concentrator series.
CCSP Certification Training Boot Camp
Cisco SND Training Class Outline Securing Cisco Network Devices
1. Introduction to Network Security Policies
- Understand the Requirement for a Network Security Policy
- Network Attack Mitigation Techniques
- Thinking Like a Hacker
- Designing a Secure Network Life-Cycle Model
- Developing a Comprehensive Security Policy
- Building Cisco Self-Defending Networks
2. Securing the Perimeter
- Applying a Security Policy for Cisco Routers
- Securing Administrative Access to Cisco Routers
- Configuring AAA Functions on a Cisco Router
- Cisco Security Device Manager (SDM)
- Disabling Unused Cisco Router Network Services
- Implementing Secure Management and Reporting
- Defending the Network Perimeter with Cisco Products
3. Securing LAN and WAN Devices
- Applying Security Policies to Network Switches
- Mitigating Layer 2 Attacks
- Using Cisco Catalyst Security Features
- Securing WLANs
4. Cisco IOS Firewall Configuration
- Firewall Technologies
- Building Static Packet Filters with Cisco ACLs
- Configuring a Cisco IOS Firewall with Cisco SDM
- Defending Your Network with the Cisco Security Appliance Product Family
5. Securing Networks with Cisco IOS IPS
- IDS and IPS
- Configuring Cisco IOS IPS
- Defending Your Network with the Cisco IPS Product Family
6. Building IPsec VPNs
- IPsec Chalk Talk
- IPsec VPNs
- Building a Site-to-Site IPsec VPN Using the IOS CLI
- Building a Site-to-Site IPsec VPN Using Cisco SDM
- Building Remote-Access VPNs
- Defending Your Network with the Cisco VPN Product Family
Labs
Lab 1: Remote Lab Environment
We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SND, each pod is equipped with a
perimeter router (2811), an IOS firewall (2811), and a pod switch (3560). An Internet router (1841) is used to simulate an
Internet environment, including the ISP, a headquarters router, and an NTP service. Also, each pod is equipped with a
VMware server providing six different systems in different security zones. The systems include: DMZ Server, Inside
Server, Admin PC, User PC, Outside PC, and HQ Server. In this first lab, you'll explore the resources in the pod and learn how to access those resources.
Lab 2: Exclusive - Network Address Translation
Network Address Translation (NAT) plays an integral part in the security between networks. In fact, most networks that
connect to the Internet perform NAT at the perimeter. As such, we developed this lab so you can learn to configure
dynamic NAT for the inside systems using a pool of globally routable IP addresses and to configure a static NAT for the DMZ Server.
Lab 3: Ethical Hacking
At this stage of the labs, the only security feature configured on the pod devices is NAT. In this lab, you'll discover how
easy it is to use freely available tools to wreak havoc on an unsecured network. During the remaining labs, you'll configure
security features that mitigate all of the attacks demonstrated during this lab. While the standard Cisco labs use only
Nmap to perform a simple port scan on a host, our labs add exclusive demonstrations including those noted below:
Lab 4: Securing Administrative Access
In this lab, you will configure the most basic security for administrative access to the pod devices. You will configure the
passwords required to reach the command line and passwords that allow privileged-mode access. You will see how the
passwords are encrypted and transformed by default and how to encrypt the passwords that are clear text by default. In
our exclusive portion, you will explore password-cracking methods to which different types of passwords are vulnerable.
Lab 5: AAA with the Local Database
In this lab, you will enable local Authentication, Authorization, and Accounting (AAA). With local AAA, usernames and
passwords are stored in the configuration of the IOS device itself. You will also configure role-based CLI, which allows
different types of users to be granted access to different sets of commands. In our exclusive portion, you will use AAA
Authorization to bind specific role-based CLI views to specific users. You will also configure enhanced virtual login features that temporarily suspend logins when authentication failure rates are high.
Lab 6: SDM Security Audit
Security Device Manager (SDM) is a GUI that runs on IOS routers. It features the Security Audit, which analyzes the
current router configuration against security best practices, and it generates a report showing potential issues in the
current configuration. The administrator then chooses which issues should be automatically fixed by SDM.
Lab 7: Exclusive - Secure Management
You will enhance the manageability of the IOS-FW and other IOS devices in this lab. You will configure NTP, ensuring
that clocks are kept in sync, and you will configure NTP authentication to mitigate rogue NTP updates. Then you'll
configure Syslog services so security messages and other messages will be sent to and stored on a Syslog server as
well as a local buffer in the router itself. Finally, you will configure SSH, a secure remote terminal protocol that can replace the clear-text Telnet protocol.
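The management-plane hardening that Labs 4, 5 and 7 walk through (hashed enable secret, local AAA with a role-based view and login blocking, authenticated NTP, syslog with a local buffer, and SSH in place of Telnet), as an added IOS configuration example that is not taken from the course lab guide. The hostname, the NTP and syslog addresses, the usernames and every secret are constructed placeholders.

```cisco
! Added example (not from the course lab guide): management-plane
! hardening on the IOS-FW. All names, addresses and secrets are constructed.
hostname IOS-FW
! Lab 4: privileged-mode password kept as a one-way hash (type 5), and
! passwords that are clear text by default obscured with type 7 encoding
enable secret Example-Enable-Secret
service password-encryption
!
! Lab 5: local AAA, a restricted CLI view, and the user bound to it.
! "parser view" needs the root view enabled first (privileged EXEC: enable view).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret Example-Admin-Secret
parser view MONITOR
 secret Example-View-Secret
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include ping
username helpdesk view MONITOR secret Example-Helpdesk-Secret
! Suspend logins for 120 s after 3 failures within 60 s, and log each failure
login block-for 120 attempts 3 within 60
login on-failure log
!
! Lab 7: authenticated NTP so a rogue server cannot skew the clock
ntp authentication-key 1 md5 Example-Ntp-Key
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
! Timestamped syslog to a collector on the Admin network plus a local buffer
service timestamps log datetime msec show-timezone
logging buffered 32768 informational
logging host 10.1.1.50
logging trap informational
! SSHv2 only; the RSA key pair needs a domain name before it can be generated
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
```

With `aaa new-model` in place the VTY lines use the default login method, so the local user database applies to SSH sessions without a separate `login local` statement.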
Lab 8: Exclusive - Catalyst Security Features
The standard Cisco lab guide treats this subject as a paper case study, not a hands-on lab. In our exclusive lab, you
will learn to configure features to protect against Layer 2 attacks such as MAC address flooding and ARP cache
poisoning. You will use smart port macros, port security, private VLAN edge, DHCP snooping, and dynamic ARP inspection.
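The Catalyst features named for Lab 8, as an added configuration example that is not from the course lab guide: port security against MAC address flooding, private VLAN edge (protected ports), DHCP snooping, and dynamic ARP inspection against ARP cache poisoning. VLAN 10, the interface names and the single trusted uplink toward the DHCP server are assumptions.

```cisco
! Added example (not from the course lab guide). Assumes user ports
! Fa0/1-23 in VLAN 10 and one uplink, Gi0/1, toward the DHCP server.
! MAC address flooding: cap the number of addresses learned per access port.
! "restrict" drops offending frames and raises a counter/SNMP trap instead
! of err-disabling the port.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
! Private VLAN edge: protected ports cannot exchange frames with each other
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
! (The built-in smart port macro "macro apply cisco-desktop $AVID 10"
!  applies a similar access-port baseline in one command.)
!
! Rogue DHCP servers: snooping drops DHCP server replies on untrusted ports
! and builds the IP-to-MAC binding table that DAI relies on.
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ARP cache poisoning: DAI checks every ARP on untrusted ports against the
! snooping bindings and drops spoofed replies.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Verification commands:
!   show port-security interface FastEthernet0/1
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
```

Hosts with static addresses never appear in the snooping binding table, so DAI drops their ARP traffic unless a static `ip source binding` entry or an ARP ACL is added for them.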
Lab 9: Exclusive - Access Control Lists
In our exclusive lab, you will configure and test IOS Access Control Lists (ACLs), a key component of many IOS
security features. Using ACLs, you will configure the Perimeter Router as a packet filtering firewall and limit access to
the router's VTY lines. You will then test the strengths and weaknesses of ACLs, showing that some of the attack methods demonstrated in Lab 3 have been mitigated, while others still exist.
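A packet-filtering ACL set of the kind Lab 9 builds on the Perimeter Router, as an added example that is not taken from the lab guide. The outside interface name, the pod's globally routable block 203.0.113.0/24, the DMZ Server address and the Admin PC subnet are constructed; the remarks point out the stateless weakness that the stateful firewall in Lab 10 addresses.

```cisco
! Added example (not from the course lab guide). Constructed addressing:
! Fa0/0 faces the ISP, 203.0.113.0/24 is the pod's globally routable block
! (the NAT pool and the DMZ Server at 203.0.113.10), Admin PCs sit in 10.1.1.0/24.
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing: nothing from the Internet may carry an inside or reserved source
 deny ip 203.0.113.0 0.0.0.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 remark Only the DMZ web server is exposed
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark Replies to sessions opened from inside. "established" only checks the ACK/RST
 remark bits and keeps no connection state: this is the gap a stateful firewall closes
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 deny ip any any log
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
!
! Management plane: VTY sessions accepted only from the Admin PC subnet
ip access-list standard VTY-MGMT
 permit 10.1.1.0 0.0.0.255
 deny any log
line vty 0 4
 access-class VTY-MGMT in
!
! Verify hit counts after testing: show access-lists OUTSIDE-IN
```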
Lab 10: IOS Stateful Firewall
Configure a stateful firewall on the IOS-FW router to provide enhanced protection over the packet filtering ACLs configured
on the Perimeter Router. You will use SDM to configure the stateful firewall as described below. In our exclusive portion
of the lab, you will demonstrate that the SYN flood attack and the port redirection attack performed during Lab 3 are now mitigated.
Lab 11: IOS Intrusion Prevention Systems
In this lab, you will explore the use of the IOS Intrusion Prevention System (IPS) feature. You will enable IOS IPS with the IPS
Rule Wizard in SDM, and then generate some suspicious traffic to test IOS IPS. You will examine how some of the
signatures are defined and configure some signatures to react by blocking the offending packets and sending TCP
resets to bring down the offending connection. These actions will allow mitigation of the remaining two attacks that were
demonstrated during Lab 3 (worm propagation and buffer overflow attack). You will also configure signature filtering to reduce false positive alarms.
Lab 12: Site-to-Site VPN
Configure a Site-to-Site VPN connection between the IOS-FW and the HQ Router. The HQ Server, behind the HQ
Router, is not reachable until the VPN connection comes up. The perimeter router is configured as a packet filtering
firewall, so its ACLs must be updated to allow the VPN traffic. The IOS-FW will be configured as a termination point for
the Site-to-Site tunnel using SDM. After configuration, you will test that interesting traffic will automatically initiate the VPN tunnel.
Lab 13: Remote-Access VPN
In this lab, you will use the Easy VPN Server Wizard in SDM to configure the IOS-FW to accept connections from VPN
clients. You will also install and configure the Cisco VPN Client software on the Outside PC. After configuration, you will
be able to use the VPN Client on the Outside PC to provide secure access to resources on the internal networks.
Dates and Locations
9/17/2007-9/21/2007 San Jose, CA
9/24/2007-9/28/2007 Rockville, MD
10/15/2007-10/19/2007 Calgary, AB
10/22/2007-10/26/2007 Montreal, QC
10/29/2007-11/2/2007 Vancouver, BC
11/12/2007-11/16/2007 Ottawa, ON
11/19/2007-11/23/2007 Toronto, ON