 |  |  |
 |
 | Module 1 - 8: Outline |
|  |
 |  |  |
 |
 | Module : Intrusion Detection and Prevention Technology |
|  |
 |
 | |
| Overview of Intrusion Detection and Prevention |
|
 | |
| Introduction to intrusion detection and prevention |
 |
| Network-based versus host-based |
 |
| Types of alarms |
|
 |
| Inspection Engine |
|
 | |
| Signature-based detection |
 |
| Types of signatures |
 |
| Anomaly-based detection |
|
 |
| Cisco IDS and IPS Devices |
|
 | |
| Cisco integrated solutions |
 |
| Cisco IPS 4200 Series sensors |
|
 |
| |
 | | |
|  |
 |
 | Module : Configure Network Intrusion Detection and Prevention |
|  |
 |
 | |
| Cisco IOS Intrusion Prevention System |
|
 | |
| Cisco IOS Intrusion Prevention System (IPS) |
 |
| Cisco IOS IPS signatures |
 |
| Cisco IOS IPS configuration tasks |
 |
| Install the Cisco IOS IPS |
 |
| Configure logging using Syslog or SDEE |
 |
| Verify the IPS configuration |
|
 |
| Configure Attack Guards on the PIX Security Appliance |
|
 | |
| Mail Guard |
 |
| DNS Guard |
 |
| FragGuard and Virtual Reassembly |
 |
| AAA Flood Guard |
 |
| SYN Flood Guard |
 |
| Connection limits |
|
 |
| Configure Intrusion Prevention on the PIX Security Appliance |
|
 | |
| Intrusion detection and the PIX Security Appliance |
 |
| Configure intrusion detection |
 |
| Configure IDS policies |
|
 |
| Configure Shunning on the PIX Security Appliance |
|
 | |
| Overview of shunning |
 |
| Example of shunning an attacker |
|
 |
| |
 | | |
|  |
 |
 | Module : Encryption and VPN Technology |
|  |
 |
 | |
| Encryption Basics |
|
 | |
| Symmetrical encryption |
 |
| Asymmetrical encryption |
 |
| Diffie-Hellman |
|
 |
| Integrity Basics |
|
 | |
| Hashing |
 |
| Hashed Method Authentication Code (HMAC) |
 |
| Digital signatures and certificates |
|
 |
| Implementing Digital Certificates |
|
 | |
| Certificate authority support |
 |
| Simple Certificate Enrollment Protocol (SCEP) |
 |
| Microsoft CA server |
 |
| Enroll a device with a CA |
|
 |
| VPN Topologies |
|
 | |
| Site-to-site VPNs |
 |
| Remote access VPNs |
|
 |
| VPN Technologies |
|
 | |
| VPN technology options |
 |
| WebVPN |
 |
| Tunneling protocols |
 |
| Tunnel interfaces |
|
 |
| IPSec |
|
 | |
| Overview |
 |
| Authentication Header (AH) |
 |
| Encapsulating Security Payload (ESP) |
 |
| Tunnel and transport modes |
 |
| Security associations |
 |
| Five steps of IPSec |
 |
| Internet Key Exchange (IKE) |
 |
| IKE and IPSec |
 |
| Cisco VPN solutions |
|
 |
| |
 | | |
|  |
 |
 | Module : Configure Site-to-Site VPN Using Pre-shared Keys |
|  |
 |
 | |
| Prepare a Router for Site-to-Site VPN using Pre-shared Keys |
|
 | |
| IPSec encryption with pre-shared keys |
 |
| Planning the IKE and IPSec policy |
 |
| Step 1 – Determine ISAKMP (IKE Phase 1) policy |
 |
| Step 2 – Determine IPSec (IKE Phase 2) policy |
 |
| Step 3 – Check the current configuration |
 |
| Step 4 – Ensure the network works without encryption |
 |
| Step 5 – Ensure ACLs are compatible with IPSec |
|
 |
| Configure a Router for IKE Using Pre-shared Keys |
|
 | |
| Step 1 – Enable or disable IKE |
 |
| Step 2 – Create IKE policies |
 |
| Step 3 – Configure pre-shared keys |
 |
| Step 4 – Verify the IKE configuration |
|
 |
| Configure a Router with IPSec Using Pre-shared Keys |
|
 | |
| Steps to configure IPSec |
 |
| Step 1 – Configure transform set suites |
 |
| Step 2 – Configure global IPSec SA lifetimes |
 |
| Step 3 – Create crypto ACLs |
 |
| Step 4 – Create crypto maps |
 |
| Step 5 – Apply crypto maps to interfaces |
|
 |
| Test and Verify the IPSec Configuration of the Router |
|
 | |
| Test and verify IPSec |
 |
| Display the configured ISAKMP policies |
 |
| Display the configured transform sets |
 |
| Display the current state of IPSec SAs |
 |
| Display the configured crypto maps |
 |
| Enable debug output for IPSec events |
 |
| Enable debug output for ISAKMP events |
 |
| Configure a VPN using SDM |
|
 |
| Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys |
|
 | |
| IPSec configuration tasks |
 |
| Task 1 – Prepare to configure VPN support |
 |
| Task 2 – Configure IKE parameters |
 |
| Task 3 – Configure IPSec parameters |
 |
| Task 4 – Test and verify the IPSec configuration |
|
 |
| |
 | | |
|  |
 |
 | Module : Configure Site-to-Site VPNs Using Digital Certificates |
|  |
 |
 | |
| Configure CA Support on a Cisco Router |
|
 | |
| Steps to configure CA support |
 |
| Step 1 – manage the non-volatile RAM (NVRAM) |
 |
| Step 2 – set the router time and date |
 |
| Step 3 – add a CA server entry to the router host table |
 |
| Step 4 – generate an RSA key pair |
 |
| Step 5 – declare a CA |
 |
| Step 6 – authenticate the CA |
 |
| Step 7 – request a certificate for the router |
 |
| Step 8 – save the configuration |
 |
| Step 9 – monitor and maintain CA interoperability |
 |
| Step 10 – verify the CA support configuration |
|
 |
| Configure an IOS Router Site-to-Site VPN Using Digital Certificates |
|
 | |
| Configuration tasks |
 |
| Task 1 – prepare for IKE and IPSec |
 |
| Task 2 – configure CA support |
 |
| Task 3 – configure IKE |
 |
| Task 4 – configure IPSec |
 |
| Task 5 – test and verify IPSec |
|
 |
| Configure a PIX Security Appliance Site-to-Site VPN Using Digital Certificates |
|
 | |
| Scaling PIX Security Appliance VPNs |
 |
| Enroll the PIX Security Appliance with a CA |
|
 |
| |
 | | |
|  |
 |
 | Module : Configure Remote Access VPN |
|  |
 |
 | |
| Introduction to Cisco Easy VPN |
|
 | |
| Introduction to Cisco Easy VPN |
 |
| Overview of the Easy VPN Server |
 |
| Overview of the Cisco Easy VPN Remote |
 |
| How Cisco Easy VPN works |
 |
| Easy VPN Remote client connection in detail |
|
 |
| Configure the Easy VPN Server |
|
 | |
| Cisco Easy VPN Server configuration tasks |
 |
| Task 1 – create an IP address pool |
 |
| Task 2 – configure group policy lookup |
 |
| Task 3 – create ISAKMP policy for remote VPN access |
 |
| Task 4 – define a group policy for a mode configuration push |
 |
| Task 5 – create a transform set |
 |
| Task 6 – create a dynamic crypto map with RRI |
 |
| Task 7 – apply mode configuration to the dynamic crypto map |
 |
| Task 8 – apply a dynamic crypto map to the router interface |
 |
| Task 9 – enable IKE dead peer detection |
 |
| Task 10 – (optional) Configure XAUTH |
 |
| Task 11 – (optional) Enable XAUTH save password feature |
|
 |
| Configure Easy VPN Remote for the Cisco VPN Client 4.x |
|
 | |
| Cisco Easy VPN Client 4.x configuration tasks |
 |
| Task 1 – install the Cisco VPN Client 4.x on the remote PC |
 |
| Task 2 – create a new client connection entry |
 |
| Task 3 – choose an authentication method |
 |
| Task 4 – configure transparent tunneling |
 |
| Task 5 – enable and add backup servers |
 |
| Task 6 – configure connection to the Internet through dial-up networking |
|
 |
| Configure Cisco Easy VPN Remote for Access Routers |
|
 | |
| Easy VPN Remote modes of operation |
 |
| Configuration tasks for Cisco Easy VPN Remote for access routers |
 |
| Task 1 – configure the DHCP server pool |
 |
| Task 2 – configure and assign the Cisco Easy VPN Client profile |
 |
| Task 3 – (optional) configure XAUTH save password feature |
 |
| Task 4 – (optional) initiate the VPN tunnel (XAUTH) |
 |
| Task 5 – verify the Cisco Easy VPN configuration |
|
 |
| Configure the PIX Security Appliance as an Easy VPN Server |
|
 | |
| Easy VPN Server general configuration tasks |
 |
| Task 1 – create ISAKMP policy for remote VPN Client access |
 |
| Task 2 – create an IP address pool |
 |
| Task 3 – define a group policy for mode configuration push |
 |
| Task 4 – create a transform set |
 |
| Tasks 5 through 7 – dynamic crypto map |
 |
| Task 8 – configure XAUTH |
 |
| Task 9 – configure NAT and NAT 0 |
 |
| Task 10 – enable IKE dead peer detection |
|
 |
| Configure a PIX 501 or 506E as an Easy VPN Client |
|
 | |
| PIX Security Appliance Easy VPN Remote feature overview |
 |
| Easy VPN Remote configuration |
 |
| Easy VPN Client device mode and enabling Easy VPN Remote clients |
 |
| Easy VPN Remote authentication |
|
 |
| Configure the Adaptive Security Appliance to Support WebVPN |
|
 | |
| WebVPN end-user interface |
 |
| Configure WebVPN general parameters |
 |
| Configure WebVPN servers and URLs |
 |
| Configure WebVPN port forwarding |
 |
| Configure WebVPN e-mail proxy |
 |
| Configure WebVPN content filters and ACLs |
|
 |
| |
 | | |
|  |
 |
 | Module : Secure Network Architecture and Management |
|  |
 |
 | |
| Layer 2 Security Best Practices |
|
 | |
| Factors affecting layer 2 mitigation techniques |
 |
| Single security zone, one user group, single physical switch |
 |
| Single security zone, one user group, multiple physical switches |
 |
| Single security zone, multiple user groups, single physical switch |
 |
| Single security zone, multiple user groups, multiple physical switches |
 |
| Multiple security zones, one user group, single physical switch |
 |
| Multiple security zones, one user group, multiple physical switches |
 |
| Multiple security zones, multiple user groups, single physical switch |
 |
| Multiple security zones, multiple user groups, multiple physical switches |
 |
| Layer 2 security best practices |
|
 |
| SDM Security Audit |
|
 | |
| Using SDM to perform security audits |
 |
| Using SDM monitor mode |
|
 |
| Router Management Center (MC) |
|
 | |
| Introduction to the Router MC |
 |
| Key concepts in the Router MC |
 |
| Supported tunneling technologies |
 |
| Router MC installation |
 |
| Installation process |
 |
| Getting started with the Router MC |
 |
| Router MC interface |
 |
| Installation process |
 |
| Basic work flow and tasks |
|
 |
| Simple Network Management Protocol (SNMP) |
|
 | |
| SNMP introduction |
 |
| SNMP security |
 |
| SNMP Version 3 (SNMPv3) |
 |
| SNMP management applications |
 |
| Configure SNMP support on an IOS router |
 |
| Configure SNMP support on a PIX Security Appliance |
|
 |
| |
 | | |
|  |
 |
 | Module : PIX Security Appliance Contexts, Failover, and Management |
|  |
 |
 | |
| Configure a PIX Security Appliance to Perform in Multiple Context Mode |
|
 | |
| Security context overview |
 |
| Enable multiple context mode |
 |
| Configure a security context |
 |
| Manage security contexts |
|
 |
| Configure PIX Security Appliance Failover |
|
 | |
| Understanding failover |
 |
| Failover requirements |
 |
| Serial cable-based failover configuration |
 |
| Active/standby LAN-based failover configuration |
 |
| Active/active failover |
|
 |
| Configure Transparent Firewall Mode |
|
 | |
| Transparent firewall mode overview |
 |
| Enable transparent firewall mode |
 |
| Monitor and maintain a transparent firewall |
|
 |
| PIX Security Appliance Management |
|
 | |
| Managing Telnet access |
 |
| Managing SSH access |
 |
| Command authorization |
 |
| PIX Security Appliance password recovery |
 |
| Adaptive Security Appliance password recovery |
 |
| File management |
 |
| Image upgrade and activation keys |
|
 |
| |
 | | |
|  |
 |  |  |