SECURE - Securing Networks with Cisco Routers and Switches

Cisco Course 1.0 | Prepares you for Cisco Exam 642-637 SECURE.

In this class, you will learn the industry best practices for securing your Cisco routers and switches. You will learn to secure switches, including advanced Layer 2 security and Identity-Based Networking Services (IBNS) based on IEEE 802.1X. You will cover network platform security, VPN, Firewall, and IPS, and you will learn to secure a router's control, data, and management planes.

You will spend a large portion of the class on advanced VPN topics, including:

  • Using digital certificates for VPN authentication
  • GRE over IPsec
  • Virtual Tunnel Interfaces
  • Dynamic Multipoint VPN (DMVPN)
  • Group Encryption Transport VPN (GET VPN)
  • Remote access IPsec VPN with the Easy VPN Server
  • Cisco VPN Client and Easy VPN Remote (hardware client)
  • SSL VPN

A Global Knowledge Exclusive: Bonus Lab Credits

You'll receive five extra SECURE e-Lab credits (good for 30 days) to review a topic after class, refine your skills, or get in extra practice, whatever lab activities complete your training.

What You'll Learn

  • Advanced IOS security technologies for locking down routers and switches: 802.1X, CoPP/CPPr, and user-based authentication
  • Various VPN technologies and their use in production environments: DMVPN, GRE, GRE w/ IPsec, IPsec, GET, Ez-VPN, and SSL
  • IOS IPS exploration with IME and Cisco Configuration Professional
  • Launch live attacks against the network using BackTrack4 and learn mitigation techniques
  • Use Cisco IME software to monitor alerts from the IOS IPS process
  • Use the new Cisco Configuration Professional tool to configure IPS
  • Advanced IPS topics: event action overrides, event action filters, signature tuning, and custom signature creation

Who Needs to Attend

  • Internetwork professionals who want to ensure security of their network using IOS devices
  • Anyone seeking to learn the latest features in IOS 15.0 code to evaluate for their production environments
  • Internetwork professionals who seek CCNP Security certification

Prerequisites

  • IINS 2.0 - Implementing Cisco IOS Network Security

Follow-On Courses

  • IPS - Implementing Cisco Intrusion Prevention System v7.0
  • FIREWALL 2.0 - Deploying Cisco ASA Firewall Solutions
  • VPN 2.0 - Deploying Cisco ASA VPN Solutions

Certification Programs and Certificate Tracks

This course is part of the following programs or tracks:

  • Cisco VPN Security Specialist
  • Cisco IOS Security Specialist
  • CCNP Security - Cisco Certified Network Professional Security
  • Cisco Firewall Security Specialist

Course Outline

1. Network Foundation Controls

  • Control, Data, and Management Planes

2. Advanced Switched Data Plane Security Controls

  • Common Layer 2 Attacks
  • PVLANs
  • DHCP Attacks
  • ARP Poisoning
  • IP Source Guard

3. Cisco Identity-Based Network Services

  • 802.1 Overview
  • ACS Integration with 802.1X
  • Cisco Secure Services Client
  • EAP Overview

4. Basic 802.1X Features

  • 802.1X Switch Configuration
  • ACS and EAP-FAST Configuration
  • CSSC as an 802.1X Supplicant

5. Advanced Routed Data Plane Security Controls

  • Unicast Reverse Path Forwarding
  • Flexible Packet Matching Configuration
  • Flexible Netflow

6. Advanced Control Plane Security Controls

  • Deploy Infrastructure ACLs
  • Control Plane Policing
  • Control Plane Protection
  • Routing Protocol Authentication
  • Routing Protocol Filtering

7. Advanced Management Plane Security Controls

  • Configure IOS Software Management Access Controls
  • Configure Role-Based Access Controls
  • Configure SNMP in IOS
  • Digitally Signed IOS Images
  • CPU and Memory Thresholding

8. Cisco IOS Software Network Address Translation

  • IOS Static NAT and PAT Configurations
  • IOS Dynamic NAT and PAT Configurations

9. Basic Zone-Based Policy Firewalls

  • Zone-Based Policy Firewalls Zone Pairs
  • Configure Layer 3/4 Inter-Zone Access Policies
  • Configure Layer 3/4 Intra-Zone Access Policies
  • ZBPFW Inspection of Control Plane and Management Plane Traffic
  • Tune ZBPFW Stateful Engine and Connection Settings
  • Configure ZBPFW Transparent Mode and VRF Support

10. Advanced Zone-Based Policy Firewalls

  • Configure Layer 7 Zone-Based Policy Firewalls
  • Configure Zone-Based Policy Firewalls with User Policies
  • Configure Zone-Based Policy Firewall URL Filtering

11. Cisco IOS Software IPS

  • IOS IPS Signature Policies
  • Tune Cisco IOS Software IPS Signature Policies
  • IPS Signature Auto Update
  • Select an IPS Monitoring Solution

12. Site-to-Site VPN Architectures and Technologies

  • Cryptographic Controls

13. VTI-Based Site-to-Site IPsec VPNs

  • Virtual Tunnel Interfaces
  • Pre-Shared Keys
  • Static VTIs
  • Dynamic VTIs

14. Scalable Authentication in Site-to-Site IPsec VPNs

  • PKI Overview
  • Configure the IOS Certificate Server
  • IOS CA and PKI enrollment

15. DMVPNs

  • Generic Routing Encapsulation (GRE)
  • NHRP Client and Server
  • DMVPN Hub and Spoke Configurations
  • Verify Dynamic Routing in a DMVPN Environment

16. High Availability in Tunnel-Based IPsec VPNs

  • IPsec High Availability Features
  • Routing Protocols for HA
  • Mitigating Failures in VTI Environments
  • Mitigating Failures in a DMVPN Environment

17. Group Encrypted Transport (GET) VPN

  • Configuring Key Servers
  • Configuring Group Members
  • High Availability

18. Remote Access VPN Architectures and Technologies

  • Cryptographic Controls

19. Remote Access Solutions Using SSL VPN

  • SSL VPN Overview
  • Configure SSL VPN Parameters
  • Configure Client Authentication Policies
  • Full VPN tunnels
  • AnyConnect Client
  • Clientless VPN Configuration

20. Remote Access Solutions Using EZVPN

  • EzVPN with Dynamic VTIs
  • Cisco IPsec VPN Client
  • Configure Advanced EzVPN Functionality
  • Configure PKI for EzVPN

Labs

Lab 0: Exclusive - Introduction to the Remote Lab System

  • Remote Labs Familiarity

Lab 1: Enhanced - Advanced L2 Security

  • Port ACLs
  • VACLs
  • PVLAN Edge
  • Proxy Router Attacks
  • DHCP Snooping
  • DAI
  • IP Source Guard

Lab 2: Enhanced - Network Foundation Protection

  • Routing Protocol Authentication (EIGRP & OSPF)
  • SNMPv3
  • Flexible Netflow
  • uRPF
  • Management Plane Protection
  • Data Plane Protection

Lab 3: Enhanced - IOS Zone Based Firewalls

  • Basic Zone Configuration
  • Attack Mitigation
  • URL Filtering
  • HTTP Deep Packet Inspection
  • Stateful Inspections

Lab 4: Enhanced - IOS IPS

  • Loading Signature Definition Files
  • Basic Configuration
  • De-Obfuscation
  • IPS Manager Express
  • Signature Actions

Lab 5: Enhanced - Site-to-Site VPN using PKI and VTIs

  • Using VTIs
  • IOS CA
  • Enrollments
  • VPN Configuration

Lab 6: Enhanced - DMVPN

  • Hub Site Configuration
  • Spoke Site One Configuration
  • Spoke Site Two Configuration
  • Routing Configuration
  • Test and Verify DMVPN Connectivity

Lab 7: Enhanced - GET VPNs

  • OSPF Configuration
  • NAT Configuration
  • Key Server Configuration
  • Group Member Configuration
  • Configuring other GMs

Lab 8: Enhanced - EzVPN

  • EZ-VPN Server Wizard in CCP
  • Ez-VPN Software Based Client
  • Ez-VPN Hardware Based Client
  • Interactive Authentication for Hardware Clients
  • Network Extension Mode

Additional Hands-On Labs Available as an Appendix to the Lab Guide

Lab A-1: Exclusive - AAA with 802.1X Security

  • RADIUS Configuration
  • Restricted VLANs
  • Guest VLANs
  • CSSC
  • Dynamic VLAN Assignment

Lab A-2: Exclusive - SSL Based VPNs

  • Configure Clientless SSL VPN Access
  • Configure and Test Port Forwarding
  • Configure and Test Full Tunnel AnyConnect SSL VPN
  • Configure and Test Cisco Secure Desktop

Lab A-3: IOS Best Practices

  • Work with the BOGON List
  • Securing the IOS with AutoSecure
  • Investigating an Attack
  • Beyond What the Auditors Expect

Lab A-4: Site-to-Site VPN Using VTIs and PKI

  • Configure an IOS PKI Server
  • Assign an SSL Trustpoint in CCP
  • Enroll the IOS-FW with the CA Server via CCP
  • Configure the IOS-FW for VPN via CCP
  • Enroll the Site1-Rtr with the CA via the CLI
  • Configure the Site1-Rtr for VPN via the CLI
  • Test and Verify the VPN

Cisco

Classroom

Course Code: 5745

Enhanced Course

$3495 USD

5 Day Course

GSA Eligible

35 Cisco Learning Credits


Other Delivery Methods

Virtual Classroom

On-Site

Also Available

5 Cisco e-Lab Credits: $295

Copyright ©2013 Global Knowledge Training LLC. All rights reserved.