CCNA security study guide
CCNA®
Security
Study Guide
Tim Boyles
Acquisitions Editor: Jeff Kellum
Development Editor: Stef Jones
Technical Editors: Chris Carson, Billy Haines
Production Editor: Angela Smith
Copy Editor: Judy Flynn
Editorial Manager: Pete Gaughan
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Publisher: Neil Edde
Media Project Manager 1: Laura Moss-Hollister
Media Associate Producer: Doug Kuhn
Media Quality Assurance: Josh Frank
Book Designers: Judy Fung and Bill Gibson
Proofreader: Rebecca Rider
Indexer: Jack Lewis
Project Coordinator, Cover: Lynsey Stanford
Cover Designer: Ryan Sneed
Copyright © 2010 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-52767-2
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under
Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the
Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center,
222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street,
Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with
respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including
without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or
promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work
is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional
services. If professional assistance is required, the services of a competent professional person should be sought.
Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or
Web site is referred to in this work as a citation and/or a potential source of further information does not mean that
the author or the publisher endorses the information the organization or Web site may provide or recommendations
it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or
disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax
(317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be
available in electronic books.
Library of Congress Cataloging-in-Publication Data is available from publisher.
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without
written permission. CCNA is a registered trademark of Cisco Technology, Inc. All other trademarks are the
property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor
mentioned in this book.
Dear Reader,
Thank you for choosing CCNA Security Study Guide. This book is part of a family
of premium-quality Sybex books, all of which are written by outstanding authors who
combine practical experience with a gift for teaching.
Sybex was founded in 1976. More than 30 years later, we’re still committed to producing
consistently exceptional books. With each of our titles, we’re working hard to set a new
standard for the industry. From the paper we print on, to the authors we work with, our
goal is to bring you the best books available.
I hope you see all that reflected in these pages. I’d be very interested to hear your comments
and get your feedback on how we’re doing. Feel free to let me know what you think about
this or any other Sybex book by sending me an email at [email protected]. If you think you’ve
found a technical error in this book, please visit http://sybex.custhelp.com. Customer
feedback is critical to our efforts at Sybex.
Best regards,
Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley
To God and my family. Without the support and love from both, I would
not be able to do what I do. Thanks for the many blessings.
Acknowledgments
When you take on a project like this, there are always a number of people involved, and this one
is no exception. I could not have done this book without the help and support of several folks.
First, I’d like to thank my technical editor, Chris Carson, for keeping me honest and offering
candid feedback. Chris also contributed to this book by writing Chapter 10 and Chapter 11. His
help was invaluable. I would also like to thank Patrick Conlan, who provided access to most of
the equipment used in the writing of this book.
A special thanks goes out to Stef Jones, this book’s developmental editor. Stef was the
one to keep me in line and was a tremendous help in shaping up some of the more difficult
chapters.
And last but not least, thanks to the team at Sybex for supporting me in this endeavor:
Pete Gaughan, editorial manager; Jeff Kellum, acquisitions editor; and Jenni Housh, Connor
O’Brien, and Angela Smith, who are all on the editorial team. I’m sure I gave Jeff plenty of
cause for concern over the course of the better part of a year, but we all survived—I think.
Also, thanks to copyeditor Judy Flynn, proofreader Rebecca Rider, and indexer Jack Lewis.
About the Author
Tim Boyles is an IT manager at a large retailer based in the Dallas–Fort Worth Metroplex.
He has been involved in networking and security for over 20 years. He is the holder of
many certifications, including CISSP, CISA, CISM, GCIH, GAWN, and of course CCNA
and CCNA-Security. Tim has worked on many networking and security books. He was
previously the security practice leader for the South Central operation of BT Global
Services and has been engaged with consulting for a number of years with numerous large
corporate clients. He is also a mentor instructor for the SANS Institute, having conducted
sessions on CISSP training, Incident Handling, Wireless Penetration Testing, and Web
Application Security.
About the Contributor
Chris L. Carson, CCIE #19511, is a principal at Ethical Networks, a network and
security consulting provider in the Dallas–Ft. Worth area. He has been in the network
and security industry for more than 17 years and holds over 20 industry certifications,
including CCIE, CCSP, CEH, and CCNA-Security. Most of his career has been spent
working for large Cisco Gold partners throughout the United States. Chris’s previous
position as a security practice manager and principal for one of the largest Cisco partners
in North Texas has provided him with expertise in designing, implementing, and
troubleshooting solutions for many Fortune 500 customers.
Contents at a Glance
Introduction
Assessment Test
Chapter 1 Introduction to Network Security
Chapter 2 Creating the Secure Network
Chapter 3 Securing Administrative Access
Chapter 4 Configuring AAA Services
Chapter 5 Securing Your Router
Chapter 6 Layer 2 Security
Chapter 7 Implementing Cisco IOS Firewall
Chapter 8 Implementing Cisco IOS Intrusion Prevention
Chapter 9 Understanding Cryptographic Solutions
Chapter 10 Using Digital Signatures
Chapter 11 Using Asymmetric Encryption and PKI
Chapter 12 Implementing Site-to-Site IPsec VPN Solutions
Appendix A Securing Voice Solutions
Appendix B Introduction to SAN Security
Appendix C Exploring Endpoint Security
Appendix D Capstone Exercise
Appendix E About the Companion CD
Glossary
Index
Contents
Introduction
Assessment Test
Chapter 1 Introduction to Network Security
Threats to Network Security
External Threats
Internal Threats
Application Security
Network Security Objectives
Classification of Data
Security Controls
Security Controls by Type
Security Controls by Purpose
Incident Response
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Law and Ethics
Legal Matters
Intellectual Property
Ethics
Review Questions
Answers to Review Questions
Chapter 2 Creating the Secure Network
Creating a Security Policy
Goals of a Security Policy
Policies and Procedures
Other Documents
Managing Risk
Secure Network Design
Creating Security Awareness
Maintaining Operational Security
Defining the Systems Development Life Cycle
Review of Operations Security
Evolution of Threats