CBT Nuggets Cisco CCNA Security 640-554: Implementing Cisco IOS Network Security (IINS)

CCNA Security 640-554: Implementing Cisco IOS Network Security, produced by Cisco expert Keith Barker, helps prepare you for the new 640-554 Cisco exam, and also prepares you to address many of the real world vulnerabilities you come across today.

Keith dives into the Cisco Configuration Professional (CCP), the latest GUI (Graphical User Interface) software which will help you manage your Cisco routers. Not only does this training focus on switch security and router security, it also explains and demonstrates how to configure the ASA (Adaptive Security Appliance) firewall. Keith, author of the CCNA Security Cert guide, covers the material in a way that is thorough, fun and engaging.

Whether you're fairly new to the network security world, or you've been in it for a while and simply want to fill in the gaps and see how all the pieces can be integrated together to build a fortress of security using a defense in depth approach, this series is for you.

Content:

Introduction to CCNA Security - 00:07:29
Our networks today are mission critical, they carry sensitive data, and companies depend on them more than ever to survive and thrive. Because of that, the security and protection of the data moving through the network has never been more important. Join Keith as he provides an overview of what is covered in this series, and some of the prerequisites that will assist you in taking full advantage of these videos. This course maps to the Cisco published objectives for the new CCNA Security, 640-554

Network Foundation Protection - 00:38:17
Where do you start when trying to secure a network? In this Nugget, Keith walks you through a framework called Network Foundation Protection (NFP), which can be used to identify the core functions of your network as well as the security techniques you can use to protect your network and its resources.
Maps to CCNA Security objectives: Describe securing the control, data and management plane; Describe common security threats; Implement security on Cisco IOS routers; Describe secure network management.

Fortifying the Local Router - 00:42:09
A ship that leaks is likely to sink, and a router that has security holes is likely to be compromised. In this video, Keith walks you through the specific steps to improve the security posture of a router, including using Authentication, Authorization and Accounting (AAA) features to leverage the router's local database. We also discuss and demonstrate how to perform the security bootstrapping of a router in preparation for Cisco Configuration Professional (CCP, the GUI router management tool).
Maps to CCNA Security objectives: Implement security on Cisco routers; Describe AAA; Verify AAA functionality; Implement AAA (authentication, authorization, and accounting); Implement secure network management.

AAA, RADIUS and TACACS+ - 00:47:37
Using the local database of a router to store usernames and passwords is fine in a small network, but when there are hundreds of network routers and switches, and several administrators, keeping all of that information on each router is tedious. What can be done? The answer is "centralized" AAA services delivered via Remote Authentication Dial-In User Service (RADIUS) and/or Terminal Access Controller Access Control System (TACACS+). Have no fear, in this video Keith walks you through these concepts and then demonstrates them for reinforcement.
Maps to CCNA Security objectives: Implement security on Cisco routers; Describe securing the management plane; Implement AAA (authentication, authorization, and accounting); Describe TACACS+; Describe RADIUS; Describe AAA; Verify AAA functionality; Describe secure network management; Implement secure network management.

Securing the Switched Data-plane - 00:50:46
What do the following have in common: Rogue switches and DHCP servers, CAM table overflow attacks, VLAN hopping and ARP poisoning? The answer is that any one of them could bring our network to its knees by manipulating the Layer 2 Data-plane. In this Nugget, Keith explains and demonstrates attacks that can be implemented, and even more importantly, he shows you how to implement the counter measures to prevent or mitigate these attacks.
>br>Maps to CCNA Security objectives: Describe common security threats; Describe Layer 2 security using Cisco switches; Describe VLAN security.

Tools to Protect the Management-plane - 00:43:12
If we lose management functionality of a router, it normally means bad news. In this Video, Keith teaches you about Role Based Access Control (RBAC) using Cisco's Parser Views and walks you through the Security Audit feature of Cisco Configuration Professional (CCP). Other topics included in this video are SSH lockdown, unicast RFP checking, Network Time Protocol (NTP) and Simple Network Management Protocol (SNMP).
Maps to CCNA Security objectives: Describe common security threats; Implement security on Cisco routers; Describe securing the control, data, and management plane.

Controlling the IPv4 Data-plane with ACLs - 00:34:21
Using technical controls, such as Access Control Lists (ACLs) used for filtering traffic on the data-plane is an important skill. In this video, Keith reviews the use of access lists, and points out some default behavior which may surprise you. The use of the ACL editor in CCP is demonstrated, as well as the use of Object Groups to simplify the creation of Access Control Entries (ACEs) within an ACL.
Maps to CCNA Security objectives: Implement security on Cisco routers; Describe securing the control, data, and management plane; Describe standard, extended, and named IPv4 IOS access control lists (ACLs) to filter packets; Describe considerations when building ACLs.

Protecting IPv6 Networks - 00:53:27
What's 128 bits long, and can provide millions of addresses for each and every living person on the earth? You got it: IPv6! In this video, Keith compares and contrasts IPv6 with IPv4 and demonstrates how to install IPv6 addresses and OSPFv3 on a router, as well as how to implement Access Control Lists for packet filtering in an IPv6 environment.
Maps to CCNA Security objectives: Describe IPv4 to IPv6 transition; Implement IP ACLs to mitigate threats in a network; Implement security on Cisco routers.

IOS Firewall Fundamentals - 00:31:20
Small or medium sized businesses may not have the budget for a dedicated firewall appliance, but they still want (and need) the security that a stateful firewall can provide. Have no fear, IOS Firewall solutions are here. In this video, Keith explains the design concepts behind a firewall, including stateful filtering, and demonstrates two methods that can be used to implement stateful filtering.
Maps to CCNA Security objectives: Implement security on Cisco routers; Describe operational strengths and weaknesses of the different firewall technologies; Describe stateful firewalls.

Zone Based Firewall Implementation - 00:25:46
"Why can't I access the Web?" asks the user. Being able to interpret the GUI interface of CCP to identify exactly what traffic is permitted, inspected, or dropped by the IOS Zone Based Firewall (ZBF) is a critical skill you should practice. In this video, Keith walks you through the design and configuration of a ZBF, and then shows you how to navigate the interface and interpret the policies correctly. The self zone is also discussed and demonstrated.
Maps to CCNA Security objectives: Implement zone-based policy firewall using CCP; Describe Cisco Security Manager; Implement security on Cisco routers.

ASA Firewall - 00:47:28
Stateful filtering is only the beginning of what this Adaptive Security Appliance (ASA) can do. In this Nugget, you join Keith in discussing the logic that the ASA uses to decide whether or not to forward traffic, and then you will start with a new ASA in its default settings and put together a working configuration that allows users to access the Internet, including the use of NAT, Access Control Lists, and policy modifications.
Maps to CCNA Security objectives: Implement the Cisco Adaptive Security Appliance (ASA); Implement Network Address Translation (NAT) and Port Address Translation (PAT)

Intrusion Prevention Systems (IPS) - 00:45:16
"A stitch in time, saves 9," and in a network, preventing an attack from reaching its victim is a wise move to prevent the damage caused by an attack. In this video, Keith introduces you to the world of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to discuss with you their abilities to detect and often prevent a network attack. You will also learn the pros and cons of each method as well as the methodologies used to detect attacks.
Maps to CCNA Security objectives: Describe Cisco Intrusion Prevention System (IPS) deployment considerations; Describe IPS technologies.

IOS-based IPS - 00:48:51
In a small or branch office with a single router, using the IOS Intrusion Prevention System (IOS IPS) adds an additional layer of security on top of the routing functionality already present in the router. The IOS IPS uses a subset of the same signatures as the IDS/IPS modules and appliances. All that is required is an IOS version that supports the IPS feature and enough memory to load the signatures into memory. In this video, Keith walks you through installation and configuration of IPS, configuring event action overrides and verifying it works by launching a SYN flood attack (courtesy of the BackTrack suite).
Maps to CCNA Security objectives: Configure Cisco IOS IPS using CCP; Implement security on Cisco routers

Cryptography Essentials - 00:42:01
As guardians of the network, it is our responsibility to ensure that data (especially sensitive data) remains secret from unauthorized individuals, and to make sure that data arriving at a receiving host on the network hasn't been maliciously altered since it left the sending host. The tools of the trade to assist us in implementing this security include encryption algorithms and secret keys (only known by the sender and receiver) to provide confidentiality, and hashing algorithms to provide data integrity. In this video, Keith walks you through each of these concepts including the use of "Digital Signatures" as you learn the building blocks for cryptography.
Maps to CCNA Security objectives: Describe the different methods used in cryptography.

IPsec Site to Site VPNs - 00:53:33
In this video, Keith demystifies the world of IPsec by breaking each component down into bite sized chunks. This Nugget also includes a full demonstration of planning, configuring and testing an IPsec Site-to-Site VPN tunnel using IOS routers as the VPN gateways.
Maps to CCNA Security Objectives: Describe VPN technologies; Describe the building blocks of IPSec; Implement an IOS IPsec site-to-site VPN with pre-shared key authentication; Verify VPN operations.

SSL VPNs - 00:51:26
Secure Sockets Layer (SSL) has provided session authentication and data encryption for decades. Because the support for SSL is embedded into most customers' browsers, it is convenient to use an SSL VPN connection (because we don't have to first install a client software package to use the VPN). In this video, Keith takes you behind the scenes of SSL to see how it uses Public-key Cryptography (the use of Public Key Infrastructure, PKI) to authenticate and share the key that is needed for symmetrical encryption of the session between the client and the server. The video also includes a demonstration of configuring both the non-client and AnyConnect SSL VPNs, along with verification of each.
Maps to CCNA Security Objectives: Implement Secure Sockets Layer (SSL) VPN using ASA device manager; Verify VPN operations, Describe the different methods used in cryptography.

Defense in Depth - 00:24:15
"We have a state of the art firewall protecting the whole network, that should be enough." (Famous last words of the last Chief Information Officer (CIO). Today, downtime or compromise of our networks equates to risk. To lesson that risk we implement fault tolerance, technical controls for securing the management, control and data planes, and use devices like IDS/IPS to identify attacks on the network. In this video Keith reviews several of the mitigation techniques learned in earlier nuggets, and introduces a few new ones as well. The National Institute of Standards and Technology (NIST) System Development Life Cycle is presented, along with Cisco's security wheel.
Maps to CCNA Security Objectives: Describe common security threats; Describe Cisco Security Manager