
Overview:

In this 5-day, entry-level network security course, you'll learn basic concepts such as network security policies, network attack methods, and threat mitigation techniques, along with the Cisco security product portfolio. You will examine the most important security technologies, including hardening Cisco IOS routers and switches against attack, Layer 2 security, stateful firewalling, Intrusion Prevention Systems (IPS), and Virtual Private Networks (VPNs).

SND 2.0 prepares you for the 642-552 SND exam as well. Professionals who pass the SND exam and the CCNA exam are awarded both the Cisco Information Security Specialist certification and the CNSS 4011 InfoSec Professional certification. Exam 642-552 SND is required for the Cisco Certified Security Professional certification and for several Cisco Qualified Specialist certifications, including: Cisco Firewall Specialist, Cisco IPS Specialist, and Cisco VPN Specialist.

Description:

Appendix A:


  • Network Address Translation

1. Introduction to Network Security Policies


  • Understand the Requirement for a Network Security Policy
  • Network Attack Mitigation Techniques
  • Thinking Like a Hacker
  • Designing a Secure Network Life-Cycle Model
  • Developing a Comprehensive Security Policy
  • Building Cisco Self-Defending Networks

2. Securing the Perimeter


  • Applying a Security Policy for Cisco Routers
  • Securing Administrative Access to Cisco Routers
  • Configuring AAA Functions on a Cisco Router
  • Cisco Security Device Manager (SDM)
  • Disabling Unused Cisco Router Network Services
  • Implementing Secure Management and Reporting
  • Defending the Network Perimeter with Cisco Products

3. Securing LAN and WAN Devices


  • Applying Security Policies to Network Switches
  • Mitigating Layer 2 Attacks
  • Using Cisco Catalyst Security Features
  • Securing WLANs

4. Cisco IOS Firewall Configuration


  • Firewall Technologies
  • Building Static Packet Filters with Cisco ACLs
  • Configuring a Cisco IOS Firewall with Cisco SDM
  • Defending Your Network with the Cisco Security Appliance Product Family

5. Securing Networks with Cisco IOS IPS


  • IDS and IPS
  • Configuring Cisco IOS IPS
  • Defending Your Network with the Cisco IPS Product Family

6. Building IPsec VPNs


  • IPsec Chalk Talk
  • IPsec VPNs
  • Building a Site-to-Site IPsec VPN Using the IOS CLI
  • Building a Site-to-Site IPsec VPN Using Cisco SDM
  • Building Remote-Access VPNs
  • Defending Your Network with the Cisco VPN Product Family

Agenda:

We've enhanced our labs beyond what you'll find in a standard Cisco SND course. Our labs cover everything that Cisco teaches plus our own exclusive material.

Lab 1: Remote Lab Environment

We provide an unparalleled lab infrastructure for CCSP-oriented courses. For SND, each pod is equipped with a perimeter router (2811), an IOS firewall (2811), and a pod switch (3560). An Internet router (1841) is used to simulate an Internet environment, including the ISP, a headquarters router, and an NTP service. Also, each pod is equipped with a VMware server providing six different systems in different security zones. The systems include: DMZ Server, Inside Server, Admin PC, User PC, Outside PC, and HQ Server. In this first lab, you'll explore the resources in the pod and learn how to access those resources.

Lab 2: Exclusive - Network Address Translation

Network Address Translation (NAT) plays an integral part in the security between networks. In fact, most networks that connect to the Internet perform NAT at the perimeter. As such, we developed this lab so you can learn to configure dynamic NAT for the inside systems using a pool of globally routable IP addresses and to configure a static NAT for the DMZ Server.

  • Configure Dynamic NAT
  • Configure Static NAT
  • Test and Verify NAT

Lab 3: Ethical Hacking

At this stage of the labs, the only security feature configured on the pod devices is NAT. In this lab, you'll discover how easy it is to use freely available tools to wreak havoc on an unsecured network. During remaining labs, you'll configure security features that mitigate all of the attacks demonstrated during this lab. While the standard Cisco labs use only Nmap to perform a simple port scan on a host, our labs add exclusive demonstrations including those noted below:

  • Perform an Nmap Scan of the DMZ Server
  • Exclusive - Footprint FTP and HTTP services
  • Exclusive - Demonstration of a buffer overflow attack resulting in command line access to the compromised system
  • Exclusive - Demonstration of a port forwarding attack using the DMZ Server to access systems on the internal network via their private IP addresses
  • Exclusive - Demonstration of a SYN flood attack against a server
  • Exclusive - Simulate the propagation of a worm
  • Exclusive - Demonstration of an ARP cache poisoning attack resulting in a man-in-the-middle situation and allowing the theft of confidential information including usernames and passwords

Lab 4: Securing Administrative Access

In this lab, you will configure the most basic security for administrative access to the pod devices. You will configure the passwords required to reach the command line and passwords that allow privileged-mode access. You will see how the passwords are encrypted and transformed by default and how to encrypt the passwords that are clear text by default. In our exclusive portion, you will explore password-cracking methods to which different types of passwords are vulnerable.

  • Configure Enable and Enable Secret Passwords
  • Configure Line Passwords
  • Using Service Password Encryption
  • Exclusive - Demonstration of Password Cracking (including Enable Secret Cracking)
  • Configure Banner Messages

Lab 5: AAA with the Local Database

In this lab, you will enable local Authentication, Authorization, and Accounting (AAA). With local AAA, usernames and passwords are stored in the configuration of the IOS device itself. You will also configure role-based CLI, which allows different types of users to be granted access to different sets of commands. In our exclusive portion, you will use AAA Authorization to bind specific role-based CLI views to specific users. You will also configure enhanced virtual login features that temporarily suspend logins when authentication failure rates are high.

  • Configure the Local User Database
  • Demonstration of Local AAA Authentication
  • Configure Role-Based CLI
    • Exclusive - Super Views
  • Exclusive - Enable AAA Authorization using Role-Based CLI
  • Configure Enhanced Virtual Login Features
    • Exclusive - Configure trusted IP addresses from which logins should always be allowed

Lab 6: SDM Security Audit

Security Device Manager (SDM) is a GUI that runs on IOS routers. It features the Security Audit, which analyzes the current router configuration against security best practices, and it generates a report showing potential issues in the current configuration. The administrator then chooses which issues should be automatically fixed by SDM.

  • Prepare the Router for SDM
  • Launch SDM
  • Execute an SDM Security Audit

Lab 7: Exclusive - Secure Management

You will enhance the manageability of the IOS-FW and other IOS devices in this lab. You will configure NTP, ensuring that clocks are kept in sync, and you will configure NTP authentication to mitigate rogue NTP updates. Then you'll configure Syslog services so security messages and other messages will be sent to and stored on a Syslog server as well as a local buffer in the router itself. Finally, you will configure SSH, a secure remote terminal protocol that can replace the clear text Telnet protocol.

  • Configure NTP
  • Configure Syslog
  • Configure SSH

Lab 8: Exclusive - Catalyst Security Features

The standard Cisco lab guide treats this subject as a paper case study, not a hands-on lab. In our exclusive lab, you will learn to configure features to protect against Layer 2 attacks such as MAC address flooding and ARP cache poisoning. You will use smart port macros, port security, private VLAN edge, DHCP snooping, and dynamic ARP inspection.

  • Perform a MAC flooding attack
  • Configure a Smart Ports Macro to set port security features and verify that the MAC flooding attack is mitigated
  • Perform an ARP cache poisoning attack
  • Configure Private VLAN Edge and verify that the ARP cache poisoning attack has been mitigated
  • Configure DHCP snooping and dynamic ARP inspection and verify that this is another method that can mitigate the ARP cache poisoning attack

Lab 9: Exclusive - Access Control Lists

In our exclusive lab, you will configure and test IOS Access Control Lists (ACLs), a key component to many IOS security features. Using ACLs, you will configure the Perimeter Router as a packet filtering firewall and limit access to the router's VTY lines. You will then test the strengths and weaknesses of ACLs, showing that some of the attack methods demonstrated in Lab 3 have been mitigated, while others still exist.

  • Use ACLs to limit VTY access
  • Use ACLs to filter unexpected traffic
  • Test the strength of packet filtering ACLs

Lab 10: IOS Stateful Firewall

Configure stateful firewall on the IOS-FW router to provide enhanced protection over the packet filtering ACLs configured on the Perimeter Router. You will use SDM to configure the stateful firewall as described below. In our exclusive portion of the lab, you will demonstrate that the SYN flood attack and the port redirection attack performed during Lab 3 are now mitigated.

  • Configure stateful firewall policy as follows:
    • Allow all outbound connections from the inside network
    • Allow only inbound connections to FTP and HTTP to the DMZ Server
    • Restrict connections from the DMZ Server to be NTP requests to the NTP server
  • Verify expected connectivity is allowed
  • Exclusive - Verify that SYN flood attacks and port forwarding attacks are now mitigated

Lab 11: IOS Intrusion Prevention Systems

In this lab, you will explore the use of the IOS Intrusion Prevention System (IPS) feature. Enable IOS IPS with the IPS Rule Wizard in SDM, and then generate some suspicious traffic to test IOS IPS. You will examine how some of the signatures are defined and configure some signatures to react by blocking the offending packets and sending TCP resets to bring down the offending connection. These actions will allow mitigation of the remaining two attacks that were demonstrated during Lab 3 (worm propagation and buffer overflow attack). You will also configure signature filtering to reduce false positive alarms.

  • Configure IOS IPS using SDM
  • Test IOS IPS
    • Exclusive - Demonstration of deobfuscation
    • Exclusive - Examination of signature definitions
  • Exclusive - Configure inline blocking to mitigate worm propagation and buffer overflow attacks
  • Exclusive - Configure signature filtering to reduce false positive alarms

Lab 12: Site-to-Site VPN

Configure a Site-to-Site VPN connection between the IOS-FW and the HQ Router. The HQ Server, behind the HQ Router, is not reachable until the VPN connection comes up. The perimeter router is configured as a packet filtering firewall, so its ACLs must be updated to allow the VPN traffic. The IOS-FW will be configured as a termination point for the Site-to-Site tunnel using SDM. After configuration, you will test that interesting traffic will automatically initiate the VPN tunnel.

  • Exclusive - Update ACL policy on the perimeter router to allow IPsec traffic
  • Use SDM to configure Site-to-Site VPN on the IOS-FW
  • Test and verify the VPN tunnel behavior

Lab 13: Remote-Access VPN

In this lab, you will use the Easy VPN Server Wizard in SDM to configure the IOS-FW to accept connections from VPN clients. You will also install and configure the Cisco VPN Client software on the Outside PC. After configuration, you will be able to use the VPN Client on the Outside PC to provide secure access to resources on the internal networks.

  • Configure remote access VPN on the IOS-FW using SDM
  • Install and configure the Cisco Easy VPN Client on the Outside PC
  • Test and verify remote access VPN behavior

Audience:

Network professionals who need to understand basic security concepts, require the basic knowledge and skills needed to deploy Cisco security, and are seeking CCSP certification, Cisco Qualified Specialist Certifications in Firewall, VPN, or IPS, or Cisco Information Security Specialist certification.

Objectives:

  • Importance of security policies to the implementation of secure networks
  • Recognize threats and vulnerabilities to networks and implement basic mitigation measures
  • Products that form the basis of the Cisco security portfolio
  • Various common security vulnerabilities and network attack methodologies
  • Mitigation of common security vulnerabilities
  • Hands-on experience with tools used by network attackers, including:
    • Port scanning
    • Port forwarding
    • Buffer overflow
    • ARP cache poisoning
  • Hands-on experience with the security features of Cisco IOS Routers, including:
    • Security Device Manager
    • Securing the router itself
    • Authentication and authorization
    • SSH and HTTPS
    • Access control lists
    • Stateful firewalling
    • IOS Intrusion Prevention System
    • Site-to-Site VPN
    • Remote-Access VPN
  • Hands-on experience with the security features of Cisco IOS Switches, including:
    • Port Security
    • Private VLAN Edge
    • DHCP Snooping
    • Dynamic ARP Inspection
  • Discussion of specialized security devices and systems including PIX Firewalls, Adaptive Security Appliances, the 4215 IPS Sensor family, Cisco Security Agent, and the 3000 VPN Concentrator series.
