Knowledge United

Leverage the Power of Learning


5619: ISCW (Integrating Secure Converged Wide Area Networks)


Onsite / Private Class

We can provide this class onsite to your team as a standard class or customized to meet your specific needs.
Request a quote today.


Where are all the dates? Contact us using the form below and we will provide you with training options for this course, as we have many nationwide dates that may not be listed.

Cisco Course v1.0 | Prepares you for Cisco Exam 642-825 ISCW

Learn to secure the network environment using existing Cisco IOS security features and configure the three primary components of the Cisco IOS Firewall Feature set (Firewall, Intrusion Prevention System [IPS], and Authentication, Authorization, and Accounting [AAA]). In this task-oriented course, you'll get the knowledge and skills needed to secure Cisco IOS router networks. Expand the reach of your enterprise network to teleworkers and remote sites, and explore implementing a highly available network with connectivity options such as VPN and wireless.

What You'll Learn

  • Cisco hierarchical network model as it pertains to the WAN
  • Implement teleworker configuration and access
  • Implement and verify frame-mode MPLS
  • Configure a site-to-site IPsec VPN
  • Configure Cisco EZVPN
  • Strategies used to mitigate network attacks
  • Configure Cisco device hardening
  • Configure IOS firewall features

Who Needs to Attend

IT professionals, network administrators, and technicians who need to design, configure, or support a Cisco WAN that utilizes Cisco's remote access technologies. This course is highly recommended for people pursuing CCNP, CCDP, and CCIE certifications.

Course Outline

1. Network Requirements

  • The IIN and the SONA framework
  • Cisco conceptual network models, such as Cisco Enterprise Architecture and Cisco hierarchical network model
  • Requirements for establishing secure remote connections in a converged network

2. Connect Teleworkers

  • Topologies for Facilitating Remote Connections
    • Typical remote connections an enterprise network has to support
    • Challenges faced in connecting teleworkers to the enterprise network and the solutions that exist to address these challenges
  • Cable Technology
    • Basic terminology and standards organizations that are relevant to cable technology
    • Components of a cable system that provide data services
    • Features of cable technology
    • How digital cable systems use the RF bands for signal transmission
    • How data services can be delivered over a cable network using an HFC architecture
    • Combination of technologies and components that make a cable system work
    • Provisioning a cable modem in a TCP/IP-based customer network
  • DSL Technology
    • Features of DSL
    • Variants of DSL
    • Distance limitations of DSL
    • Basic facts of ADSL technology
    • How ADSL coexists with telephony service
    • CAP and DMT: the competing modulation standards for ADSL signaling
    • How data is transmitted over ADSL infrastructure with PPPoE
    • How data is transmitted over ADSL infrastructure with PPPoA
  • Configuring the CPE as the PPPoE and PPPoA Client
    • Configure a Cisco router as a PPPoE client
    • Configure an ATM interface for PPPoE client operations
    • Configure the PPPoE DSL dialer interface
    • Configure PAT
    • Configure a DHCP server to allocate IP addresses to the users behind the client DSL router
    • Configure a static route
    • Review the output of various debug and show commands to verify the PPPoE operations
    • Step-by-step procedure to configure a PPPoA on the CPE router
    • Configure the DSL ATM interface
  • Verifying Broadband ADSL Configurations
    • Bottom-up approach to troubleshoot a DSL connection problem
    • Isolate problems to Layer 1
    • Confirm an Administratively Down state
    • Confirm the correct DSL operating mode on the CPE router ATM interface
    • Isolate problems to Layer 2
    • Determine if data is being received from the ISP
    • Determine if PPP is negotiating successfully

3. Implement Frame-Mode MPLS

  • Introducing MPLS Networks
    • Elements of the MPLS conceptual model
    • Router switching mechanisms
    • MPLS data and control planes
    • Structure of an MPLS label and its format
    • Function of different types of LSRs in MPLS networks
    • Interactions between the control plane and the data plane in an LSR that enable the basic functions of label switching and forwarding of labeled packets to occur
  • Assigning MPLS Labels to Packets
    • Performing label allocation in a frame-mode MPLS network
    • Distributing labels in a frame-mode MPLS network
    • How the LFIB table is populated
    • Packet propagation across an MPLS network
    • How PHP improves MPLS performance by eliminating routing lookups on egress LSRs
  • Implementing Frame-Mode MPLS
    • Configuring frame-mode MPLS on a Cisco IOS router
    • Enable IP CEF on a router as a step in implementing frame-mode MPLS
    • Enable MPLS on a frame-mode interface as a step in implementing frame-mode MPLS
    • Configure the MTU size in label switching as a step in implementing frame-mode MPLS
  • MPLS VPN Technology
    • MPLS VPN architecture and how it improves on the traditional methods of overlay and peer-to-peer VPN
    • Components of an MPLS VPN and how they are interconnected to enable enterprise network connectivity between sites
    • How routing information is propagated across the P-network
    • End-to-end flow of routing updates in an MPLS VPN
    • MPLS VPN packet forwarding

4. IPsec VPNs

  • IPsec Components and IPsec VPN Features
    • IPsec protocol and basic functions; advantages of IPsec VPNs over other types of VPNs
    • IKE protocols
    • IKE functionality
    • Two protocols that are used for IPsec
    • Message authentication and integrity check
    • Differences and the functionality between symmetric and asymmetric encryption algorithms
    • PKI
  • Site-to-Site IPsec VPN Operations
    • Five steps of IPsec operation
    • Configuration of IPsec
    • Configuration of the ISAKMP parameters
    • Configuration to define the IPsec transform set, the crypto ACL, and the crypto map
    • Configuration to apply the crypto map to the interface
    • Configuration of the interface ACL for IPsec
  • Configuring IPsec Site-to-Site VPN Using SDM
    • Navigating the site-to-site VPN wizard interface
    • Components that will be configured by the SDM site-to-site VPN wizard
    • Launching the site-to-site VPN wizard
    • Set the parameters of the site-to-site VPN tunnel
    • How SDM sets IKE policies
    • Select a transform set and associate additional transform sets as required
    • Define the traffic that the VPN protects
    • Complete the configuration by viewing the settings in the Summary window
  • Configuring GRE Tunnels over IPsec
    • GRE
    • Purpose of a secure GRE tunnel
    • Components that will be configured by the SDM site-to-site VPN secure GRE tunnel wizard
    • Configure a backup GRE-over-IPsec tunnel that the router can use when the primary tunnel fails
    • Select the authentication method to be used on the VPN
    • Configure IKE using the SDM wizard
    • Configure the IPsec transform set using the SDM wizard
    • Configure dynamic or static routing over the GRE and IPsec tunnel
    • Complete the configuration by viewing the settings in the Summary window
  • High Availability Options
    • How high availability of IPsec VPNs is achieved
    • Failover option of backup IPsec peers
    • Use of HSRP for IOS IPsec VPN resiliency
    • IPsec stateful failover
    • How a WAN connection can be backed up by using an IPsec VPN
  • Configuring Cisco Easy VPN and Easy VPN Server Using SDM
    • General operation of Cisco Easy VPN including its benefits and the role of each of its components
    • Functionality provided by Cisco Easy VPN Server, concept of dynamic crypto maps, and functionality provided by Easy VPN Remote
    • Steps required to configure Cisco Easy VPN Server using SDM
    • Configure IKE using the SDM wizard
    • Configure the IPsec transform set using the SDM wizard
    • Locations where Easy VPN group policies can be stored
    • Locations where user records for Xauth can be stored
    • Configure local group policies
    • Complete the configuration by viewing the settings in the Summary window
  • Implementing the Cisco VPN Client
    • Steps required to configure the software VPN client on a PC
    • Steps required to configure Cisco VPN Client

5. Cisco Device Hardening

  • Mitigating Network Attacks
    • Cisco Self-Defending Network strategy
    • Types of attacks that enterprise networks must defend against
    • Mitigate reconnaissance attacks including packet sniffers, port scans, ping sweeps, and Internet information queries
    • Mitigate access attacks including password attacks, trust exploitation, buffer overflow, port redirection, and man-in-the-middle attacks
    • Mitigate DoS attacks including IP spoofing and DDoS
    • Mitigate worm, virus, and Trojan horse attacks
    • Mitigate application layer attacks
    • Vulnerabilities in configuration management protocols and recommendations for mitigating these vulnerabilities
    • Use open source tools to discover network vulnerabilities and threats
  • Disabling Unused Cisco Router Network Services and Interfaces
    • Router services and interfaces that are vulnerable to network attack
    • Using the auto secure command to automate the process of locking down a Cisco router
    • Configure AutoSecure on a Cisco router
    • Compare the process of locking down a Cisco router with the CLI auto secure command and the One-Step Lockdown mode of the Security Audit wizard available in SDM
  • Securing Cisco Router Installations and Administrative Access
    • Configuring passwords
    • Setting a login failure rate and using IOS login enhancements
    • Setting timeouts
    • Setting multiple privilege levels
    • Configuring banner messages
    • Role-based CLI and the commands required to configure basic CLI views
    • Secure the Cisco IOS boot image and configuration files
  • Mitigating Threats and Attacks with Access Lists
    • Types and formats of IP ACLs used by routers to restrict access and filter packets
    • Apply ACLs to router interfaces
    • Using traffic filtering with ACLs to mitigate threats in a network
    • Implement ACLs to mitigate threats
    • Configure router ACLs to help reduce the effects of DDoS attacks
    • Combine many ACL functions into two or three larger ACLs
    • Some of the caveats to be considered when building ACLs
  • Securing Management and Reporting Features
    • Factors you must consider when planning the secure management and reporting configuration of network devices
    • Factors that affect the architecture of secure management and reporting in terms of in-band and OOB information paths
    • Steps used to configure an SSH server for secure management and reporting
    • How the syslog function plays a key role in network security
    • How to configure syslog on Cisco routers using syslog router commands
    • Security features of SNMPv3
    • Configure SNMPv3 on a Cisco IOS router or a switch
    • Configure an NTP client including authentication in client mode
    • Configure a Cisco router as an NTP server
  • Configuring AAA on Cisco Routers
    • Three components of AAA
    • AAA access modes
    • AAA RADIUS and TACACS+ protocols
    • Configure AAA login authentication on Cisco routers using CLI
    • Configure AAA login authentication on Cisco routers using SDM
    • Troubleshoot AAA on a Cisco perimeter router using the debug aaa command
    • AAA authorization and the commands that are required to configure it on Cisco routers
    • AAA accounting and the commands that are required to configure it on Cisco routers

6. Cisco IOS Threat Defense Features

  • Introducing the Cisco IOS Firewall
    • Basic structure of a layered defense
    • Operational strengths and weaknesses of the three firewall technologies
    • Basic operation of a stateful firewall
    • Features of the Cisco IOS Firewall
    • How the Cisco IOS Firewall combines the features of packet inspection and proxy firewalls to provide an optimal security solution
    • Cisco IOS Firewall process
  • Implementing Cisco IOS Firewalls
    • Configure Cisco IOS Firewall from the Cisco IOS CLI
    • When and how to use the Basic and Advanced Firewall Configuration wizards in SDM
    • Configure a basic firewall using SDM
    • Configure the interfaces on an advanced firewall using SDM
    • Configure a DMZ on an advanced firewall
    • Configure inspection rules
    • Complete the Advanced Firewall wizard configuration by viewing the settings in the Summary window
    • Use the SDM logging function to monitor firewall activity
  • Introducing Cisco IOS IPS
    • Functions and operations of IDS and IPS systems and the difference between IDS and IPS
    • Types of IDS and IPS systems
    • Four types of IDS and IPS signatures
    • What happens when a signature is matched
  • Configuring Cisco IOS IPS
    • Configure and verify IOS IPS using the CLI interface
    • Cisco IOS IPS tasks you can complete with SDM
    • Select interfaces and configure SDF locations within the SDM IPS Policies wizard
    • View the IPS policy summary and deliver the IPS configuration to the router using the SDM IPS Policies wizard
    • Configure IPS policies and global settings using the SDM
    • View SDEE messages in the SDM
    • Tune signatures using the SDM

 

Ways To Save On Training

State, Federal, and University Employees

State, Federal, Government contractors, and University employees can apply for special discounts on training events. Please visit our government page to learn more or contact our government representative at (888) 448-5669 x7401.

Group Savings

Corporate Discounts

Did you know that many companies already have special rates in place with our organization? These rates provide instant discounts on your tuition. Contact us today to find out if you qualify.

Onsite/Private Event Savings

Do you have multiple students who need to get up to speed on the same topic? Bringing an instructor onsite can save your team time and travel budget, and the class can be tailored to your specific needs. Learn more about our onsite training.

Code Course Name Test Code
CCNA
5085 ICND1 (Interconnecting Cisco Network Devices 1) 640-822 ICND1
5090 ICND2 (Interconnecting Cisco Network Devices 2) 640-816 ICND2
Or
5031 CCNA® Boot Camp v2.0 640-802 CCNA
CCNP - Cisco Certified Network Professional
5140 BSCI (Building Scalable Cisco Internetworks v3.0) 642-901
5570 BCMSN (Building Cisco Multilayer Switched Networks v3.0) 642-812
5619 ISCW (Integrating Secure Converged Wide Area Networks) 642-825
5624 ONT (Optimizing Converged Cisco Networks) 642-845
CCVP - CallManager 4.x and 5.x
5643 Implementing Cisco Quality of Service - QOS 642-642 QOS
5610 Cisco Voice over IP - CVOICE 642-446 CVOICE
5635 Cisco IP Telephony Part 1 - CIPT1 642-446 CIPT1
5637 Cisco IP Telephony Part 2 - CIPT2 642-456 CIPT2
5609 GWGK - Implementing Cisco Voice Gateways & Gatekeepers 642-453 GWGK
5014 TUC - Troubleshooting Cisco Unified Communications Systems 642-426 TUC
Or
5601 CVOICE/QOS Mini Camp 642-436 CVOICE
642-642 QOS
5602S CUCMBC - Cisco Unified Communications Manager Boot Camp v4.1 642-444 CIPT
Or
5602S CUCMBC - Cisco Unified Communications Manager Boot Camp v4.1 642-444 CIPT
5017 GWGK/TUC Mini Camp 642-452 GWGK
CCVP - Cisco Unified Communications Manager (formerly CallManager) 6.0
5643 Implementing Cisco Quality of Service - QOS 642-642 QOS
5790 CIPT1 v6.0 - Implementing Cisco Unified Communications IP Telephony Part 642-446 CIPT1
5800 CIPT2 v6.0 - Implementing Cisco Unified Communications IP Telephony Part 2 642-456 CIPT2
5014 TUC - Troubleshooting Cisco Unified Communications Systems 642-426 TUC
Or
5601 CVOICE/QOS Mini Camp 642-436 CVOICE
642-642 QOS
5713 CUCMBC - Cisco Unified Communications Manager Boot Camp v6.1 642-446 CIPT1
642-456 CIPT2
5014 TUC - Troubleshooting Cisco Unified Communications Systems 642-426 TUC
CCSP - Cisco Certified Security Professional
5616 SNRS (Securing Networks with Cisco Routers & Switches) 642-504 SNRS
5698 SNAF - Securing Networks with ASA Fundamentals 642-524 SNAF
5694 IPS (Implementing Cisco Intrusion Prevention System v5.0) 642-533 IPS
Choose one (elective)
5627 CANAC - Implementing NAC Appliance (formerly Cisco Clean Access) 642-591
5731 MARS - Cisco Security Monitoring, Analysis, and Response System v3.0 642-545
5698 SNAF - Securing Networks with ASA Fundamentals 642-524 SNAF

Did you know that Knowledge United supports hundreds of certifications? Contact us today for details on your certification path.


Course Details

Course Length: 5 Days
Tuition Cost: $3195.00


Contact Knowledge United


Toll Free: (888) 448-5669
International: (951) 436-9140
contact@knowledgeunited.com


Government Accounts

If you are a federal, state, or university employee or a government contractor, you may apply for special rates.

©2003-2010 Knowledge United, Inc. • All Rights Reserved