IPExpert CCIE Security WB 1 0
English Pages 109

IPexpert’s Preparation Workbook for the Cisco® CCIE™ Security Laboratory Exam

Preparing for Cisco Systems’ “CCIE” (Cisco Certified Internetworking Expert) certification is one of the networking industry’s most challenging tasks. In fact, many of the technical engineers who set out to achieve this certification never succeed! It requires intense preparation for a very challenging written examination. Upon successful completion of this rigorous written exam you then qualify for the second, and most challenging, part of the exam – the hands-on CCIE Lab. With such prestige and reward, it’s no wonder why thousands of networking professionals are currently pursuing their CCIE Certification. Many of these aspiring engineers already hold certifications such as the MCSE, CNE, A+, CNX, CISSP™, CCNA, CCDA, CCNP, CCDP™ and CCSP, but the ultimate goal is to be at the pinnacle and earn the title “CCIE”.

While reviewing the CCIE Security Lab requirements and preparation methods, the engineers associated with IPexpert, Inc. realized that there was a need for some sort of lab workbook. We went through the complete process most engineers have gone through, or are currently going through. What we found was that a large portion of the available material gave you the “theoretical knowledge” of various scenarios, as did the technical classes, but the most valuable asset is actually configuring various labs on real routers and dealing with the issues that arise during the actual configuration. While there are currently a few limited methods of obtaining preparation labs, advanced material was hard to obtain, especially material that covered the wide variety of technical scenarios that could appear on the lab exam.

IPexpert’s Preparation Workbook for the Cisco® CCIE Security Laboratory Exam, which has been designed by CCIE certified engineers (some Double and Triple Certified!), is designed for engineers with classroom and textbook preparation. This workbook is not designed for use as a classroom walkthrough, but as an actual CCIE Lab primer.

Before We Begin

Congratulations! You now possess the ULTIMATE CCIE Lab preparation resource available today! The following resource has been designed by senior engineers, technical instructors and authors who have decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE Lab, we feel VERY confident that upon completion your chances of passing the Lab will improve dramatically!

At the beginning of each section you will be referred to a diagram of the network topology (Diagram A) located on page 5. All Sections utilize the same exact physical topology, which can be rented at http://www.ipexpert.net

Each section has been carefully laid out and will challenge you with a specific technology or protocol. Within each section, there is a baseline overview of the technologies covered in that particular lab scenario, as well as an “estimated completion time” for each scenario. Each lab starts out with a “technical tasks” section that will give you specific tasks or requirements that must be met in order to successfully complete each lab scenario. If you are unsure of the command or unsure how to complete a required task, there is a “technical tips” section that provides the student with a portion of the IOS commands that you will need to use to successfully complete the task. Finally, there is an “Instructor’s Comments” section with technical pointers from one of our technical Instructors.

Also, for your convenience, ALL technical configurations, diagrams and documentation are available via download at www.certificationtalk.com. (When logging into CertificationTalk, be sure that your browser is configured to accept cookies. If it is not, you will have problems moving in and out of different forums.)

At the end of each scenario you will find an “IPexpert’s Recommendation – Additional Learning Material” section that will provide you with some additional technical resources (i.e. published books, additional labs by IPexpert and helpful URLs).

Technical Support

For questions, technical support and all correct solution configurations please visit CertificationTalk, our on-line technical support forum located at http://www.CertificationTalk.com or email us at [email protected].

Feedback

At IPexpert, Inc. we’re always trying to improve our technical products, service and support. If you have any questions or comments please send them to [email protected] to ensure that your comments are received by the appropriate individual. Also, as a token of our appreciation, ALL IPexpert customers who pass their CCIE™ lab and obtain a CCIE™ # will be entitled to a special gift! Please submit your success stories to [email protected] for gift redemption (and include your shirt size! ☺)

Additional CCIE Preparation Material Be sure the check out the following additional CCIE preparation products from IPexpert! CCIE Routing & Switching (R&S)

IPexpert’s Ultimate Preparation Workbook for the Cisco CCIE R&S Laboratory Exam

IPexpert’s CCIE-level virtual lab e-Scenarios for the CCIE R&S, Security and C&S Laboratory Exam (Please be sure to check out IPexpert’s Virtual Lab e-Scenario Catalog located at the back of this workbook! ) IPexpert’s 5-Day CCIE (R&S) Lab Preparation Boot Camp

IPexpert’s 1-Day Lab Experience for the Cisco CCIE R&S Lab Exam CCIE Security

IPexpert’s CCIE-level virtual lab e-Scenarios for the CCIE R&S, Security and C&S Laboratory Exam (Please be sure to check out IPexpert’s Virtual Lab e-Scenario Catalog located at the back of this workbook! ) IPexpert’s Preparation Workbook for the Cisco CCIE Security Laboratory Exam IPexpert’s 5-Day CCIE (Security) Lab Preparation Boot Camp

IPexpert’s 1-Day Lab Experience for the Cisco CCIE Security Lab Exam CCIE Communications & Services (C&S)

IPexpert’s CCIE-level virtual lab e-Scenarios for the CCIE R&S, Security and C&S Laboratory Exam (Please be sure to check out IPexpert’s Virtual Lab e-Scenario Catalog located at the back of this workbook! ) IPexpert’s Preparation Workbook for the Cisco CCIE C&S Laboratory Exam

CCIE Voice

IPexpert’s Preparation Workbook for the Cisco CCIE Voice Laboratory Exam (Coming in May 2003)


IPEXPERT END-USER LICENSE AGREEMENT

END USER LICENSE FOR ONE (1) PERSON ONLY

IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS.

This is a legally binding agreement between you and IPEXPERT (the “Licensor”) from whom you have licensed the IPEXPERT training materials (the “Training Materials”). By using the Training Materials, you agree to be bound by the terms of this License, except to the extent these terms have been modified by a written agreement (the “Governing Agreement”) signed by you (or the party that has licensed the Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License terms, the Licensor is unwilling to license the Training Materials to you. In such event, you may not use the Training Materials, and you should promptly contact the Licensor for return instructions. The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Training Materials throughout the term of this License.

Copyright and Proprietary Rights. The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United States and International copyright laws. All copyright, trademark, and other proprietary rights in the Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT Information") are reserved to IPEXPERT. The Training Materials cannot be used by or transferred to any other person. You may not rent, lease, loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create derivative works based upon the Training Materials in whole or in part. You may not reproduce, store, upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical, recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing out or downloading portions of the text and images for your own personal, non-commercial use without the prior written permission of IPEXPERT. You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.

Exclusions of Warranties. THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED “AS IS”. LICENSOR HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This agreement gives you specific legal rights, and you may also have other rights that vary from state to state.

Choice of Law and Jurisdiction. This Agreement shall be governed by and construed in accordance with the laws of the State of Michigan, without reference to any conflict of law principles. You agree that any litigation or other proceeding between you and Licensor in connection with the Training Materials shall be brought in the Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods shall not apply to this License. If any provision of this Agreement is held invalid, the remainder of this License shall continue in full force and effect.

Limitation of Claims and Liability. ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL THE LICENSOR’S LIABILITY UNDER, ARISING OUT OF OR RELATING TO THIS AGREEMENT EXCEED THE AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST PROFITS, LOSS OF DATA, OR COSTS OF COVER.

Entire Agreement. This is the entire agreement between the parties and may not be modified except in writing signed by both parties.

U.S. Government - Restricted Rights. The Training Materials and accompanying documentation are “commercial computer Training Materials” and “commercial computer Training Materials documentation,” respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Training Materials and accompanying documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.


Diagram A (Master Topology Diagram)


IPexpert’s Preparation Workbook for the Cisco® CCIE™ Security Laboratory Exam

Table of Contents

Section 1:

General Cisco Security (Page 16)

Unnecessary Services
TCP Intercept Configuration Sessions, Timers
DoS Attacks
Rate Limiting
Unicast RPF Check
Logging & Logging Levels
Passwords
Network Time Protocol (NTP)
Timestamps
User Privilege Levels
Privilege level with ACS
AAA
Dynamic Host Configuration Protocol (DHCP)
Disabling Unnecessary Interface Services
Controlling Interactive Access
Flood Management
Telnet, SSH
Hide Telnet Address
Intrusion Detection
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material

Section 2:

Access Control Lists (ACLs) & Network Address Translation (Page 20)

Route Maps
Time Based ACL’s
Named ACL’s
Standard ACL’s
Extended ACL’s
SNMP ACL’s
HTTP ACL’s
Reflexive ACL’s
Dynamic ACL’s
Context Based Access Control (CBAC)
CBAC / NAT
Port Address Mapping (PAM)
Inside Global and Local
Outside Global and Local
NAT Overload (Port Address Translation / PAT)
Static NAT
Static NAT/PAT to Specific Port
NAT with Multiple Exit Points “Route-map NAT”
NAT with Overlapping IP addresses
Instructor’s Tips, Notes, and Comments
IPexpert’s Recommendation – Additional Learning Material for ACL’s & NAT

Section 3:

Advanced Virtual Private Networks (VPN) (Page 23)

IPsec
ISAKMP
IPSec Router to Router Fully Meshed
IPSec Router to Router With GRE Tunnel
IPSec Router to Router NAT/GRE Tunnel
IPSec Pix to Router Fully Meshed
IPSec Through Pix to Router GRE Tunnel
Dynamic VPN’s
Extended Authentication
IPSec Tunnel Mode
IPSec Transport Mode
IPSec TED (Ver 1, 2 and 3) Tunnel End Point Discovery
Aggressive-mode client-endpoint
IPSec Manual Keying Between Routers
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material for VPNs

Section 4:

Advanced Private Internet Exchange (PIX) (Page 26)

Password Management
Interface Commands
Addressing
Network & Port Address Translation
Global Configuration
Routing Options
ARP Timeout
Static Configurations
Access Lists
DMZ Configuration
URL Filtering
SNMP
Fixup
Logging
Telnet, SSH
Sysopt
Unicast RPF
Guards
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material for VPNs

Section 5:

IOS and PIX Intrusion Detection (Page 30)

IOS IDS Configuration
PIX IDS Configuration
Default Attack Policy
Default Info Policy
Syslog configuration
Net Ranger Post Office Configuration
Disabling a Signature
Clearing the IDS Configuration
Enabling IDS for SMTP Spam messages
Instructor’s Tips, Notes and Comments
IPexpert’s Recommendation – Additional Learning Material for VPNs

Section 6:

AAA (Authentication, Authorization, Accounting) (Page 33)

AAA On routers
Authorization
Accounting
TACACS+
RADIUS
Privilege Levels
Console Authorization
Backup Methods
Authentication-Proxy (TACACS+)
Authentication-Proxy (RADIUS)
PPP Callback with TACACS+
PPP Callback with RADIUS
Instructor’s Tips, Notes, and Comments
IPexpert’s Recommendation – Additional Learning Material for AAA

Section 7:

Catalyst 3550 Switch Configuration (Page 36)

VTP
VLANs
MST
RSTP
DHCP Option-82
System Logging
SNMP
Port-Security
UDLD
VLAN-Maps
Switch Optimization
SSH
AAA
Fast EtherChannels
Fallback Bridging
IP Routing (EIGRP)
NTP
Instructor’s Tips, Notes, and Comments
IPexpert’s Recommendation – Additional Learning Material for the 3550

Section 8:

Multiprotocol Challenge A (Page 40)

Frame Relay
ISDN
VLAN Configuration
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Rate Limiting (CAR)
Logging
SSH
Port Security
802.1x
Unicast RPF Check
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP v2
RIP Authentication
BGP Route Reflectors
BGP Communities
CHAP one-way authentication
NTP Authentication
PIX DMZ Configuration
PIX SSH access
PIX NAT
ICMP control on PIX
Websense filtering
PIX Pre-shared key VPN
CBAC
IDS

Section 9:

Multiprotocol Challenge B (Page 45)

Frame Relay
ISDN
ISDN Backup
CHAP one-way authentication
PPP Callback
VLAN Configuration
ATM
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP v2
RIP Authentication
EIGRP Authentication
BGP Route Reflectors
Unicast RPF Check
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Rate Limiting (CAR)
Logging
SSH
Port Security
802.1x
NTP Authentication
PIX DMZ Configuration
PIX Static configuration
PIX SSH access
PIX Telnet
PIX NAT
IDS on the PIX
Java and ActiveX filtering on the PIX
Pre-shared key VPN
AAA Authentication
AAA Command Authorization
IDS

Section 10:

Multiprotocol Challenge C (Page 51)

Frame Relay
ISDN
ISDN Backup
VLAN Configuration
ATM
OSPF over Frame Relay
OSPF Authentication
RIP v2
RIP Authentication
BGP Confederations
BGP Authentication
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Logging
SSH
VTP authentication
Port Based Storm Control
Port Blocking
802.1q Trunking
Layer 2 EtherChannel
UDLD
SNMP ACL’s
HTTP ACL’s
Network Based Application Recognition (NBAR)
PIX DMZ Configuration
PIX Static configuration
PIX SSH access
PIX NAT
Java and ActiveX filtering on the PIX
Pre-shared key VPN

Section 11:

Multiprotocol Challenge D (Page 56)

Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
Frame Relay
ISDN
ISDN Backup
VLAN Configuration
ATM
OSPF over Frame Relay
OSPF Authentication
RIP v2
RIP Authentication
EIGRP Authentication
BGP Route Reflectors
BGP Authentication
CHAP authentication
DiffServ Compliant WRED
Logging
Port Security
PIX DMZ Configuration
PIX Static configuration
PIX Telnet
PIX NAT
PIX NAT 0
IDS on the PIX
Java and ActiveX filtering on the PIX
Pre-shared key VPN
GRE
IPSEC over GRE
NAT
NAT with GRE and IPSEC

Section 12:

Multiprotocol Challenge E (Page 61)

Frame Relay
ISDN
VLAN Configuration
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
SNMP
SSH
Port Security
Unicast RPF Check
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
OSPF Demand Circuit Separated Area 0
RIP v2
RIP Authentication
BGP Redundancy
BGP Communities
BGP through PIX
BGP AS Path manipulation
CHAP one-way authentication
PPP Callback
NTP Authentication
PIX DMZ Configuration
PIX SSH access
PIX NAT
TCP Intercept
VPN Redundancy
Pre-shared key based VPN
CBAC
PAM
WRED
Priority Queuing

Section 13:

Multiprotocol Challenge F (Page 66)

ISDN
ATM
Controlling Interactive Access
Disabling unnecessary services
SNMP v3
HTTP ACL
Port Security
Redundancy
VTP
VLAN Trunking (ISL)
Port-Based Traffic Control
IP Accounting
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP v2
RIP Authentication
BGP Private AS
BGP Authentication
BGP Communities
PAP Authentication
ISDN Backup
NTP Authentication
Time Zones
PIX DMZ Configuration
PIX NAT
PIX NAT 0
Unicast RPF Check
PIX Fixup
Pre-shared key based VPN
IOS – PIX VPN
CBAC
IOS IDS

Section 14:

Multiprotocol Challenge G (Page 71)

ISDN
ATM
Disabling unnecessary services
DoS Prevention
CAR
SSH
SPAN
Fast EtherChannel
802.1q
VTP Pruning
VTP Authentication
Spanning-tree Portfast
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
RIP
RIP v2
RIP Authentication
EIGRP MD5 Authentication
BGP Authentication
BGP Route Manipulation
CHAP one-way authentication
PPP Callback
PIX DMZ Configuration
PIX NAT
PIX Name command
PIX IDS
Sysopt Command
Pre-shared key based VPN
VPN Client
NAT
PAT
NAT Static Configuration
Priority Queuing

Section 15:

Multiprotocol Challenge H (Page 76)

ISDN
ATM
Disabling unnecessary services
DoS Prevention
CAR
SSH
SNMP ACL
Login Banners
Controlling Interactive Access
Anti-Spoofing
Unicast RPF Checks
Unnecessary interface services
Redundancy
OSPF over Frame Relay
OSPF Authentication
RIP
RIP v2
EIGRP MD5 Authentication
BGP Authentication
BGP AS Manipulation
CHAP
ISDN Backup
PIX DMZ Configuration
PIX SSH
Sysopt Command
Pre-shared key based VPN
TCP Intercept

Section 16:

Multiprotocol Challenge I (Page 81)

ISDN
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
SNMP v3
HTTP ACL
SSH
Port Security
HSRP
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
OSPF Demand Circuit Separated Area 0
RIP v2
RIP Authentication
BGP Redundancy
BGP Communities
BGP through PIX
BGP AS Path manipulation
CHAP one-way authentication
PPP Callback
NTP Authentication
PIX DMZ Configuration
PIX SSH access
PIX NAT
TCP Intercept
VPN Redundancy
Pre-shared key based VPN
CBAC
PAM
WRED
Priority Queuing

Section 17:

Multiprotocol Challenge J (Page 86)

ISDN
ATM
Controlling Interactive Access
Disabling unnecessary services
DoS Prevention
SNMP ACL
HTTP ACL
SSH
Port Security
802.1x
Fast Etherchannel
802.1q
VTP authentication
UDLD
Spanning-tree Features
Redundancy
OSPF over Frame Relay
OSPF Demand Circuit
OSPF Authentication
OSPF Demand Circuit Separated Area 0
RIP v2
RIP Authentication
EIGRP
EIGRP Authentication
BGP Redundancy
BGP through PIX
BGP AS Path manipulation
CHAP one-way authentication
PPP Callback
PIX DMZ Configuration
PIX SSH access
PIX NAT
Websense configuration
Pre-shared key based VPN
CBAC
AAA
NAT
NAT w/ VPN

Section 18:

Cisco CCIE Lab Preparation Tips (Page 93)

Appendix A:

IPexpert’s Virtual Lab e-Scenario Catalog (Page 96)

100 Series (CCNA) 200 Series (CCNP) 300 Series (CCIE)

Appendix B:

BONUS BGP LAB! A Sample Virtual Lab e-Scenario (# 315 – BGP) (Page 99)

Internal BGP Peers
External BGP Peers
BGP Route Advertisement
Route Aggregation
AS Path Filtering
Synchronization
BGP Next-Hop

Documentation:

Configurations, Show Commands and Diagrams Can Be Downloaded at www.certificationtalk.com
