Securing Cisco Network Devices (642-551)
Cisco’s newest version of this exam for aspiring CCSPs requires a foundation of security knowledge with some hands-on experience.
A Cisco Certified Security Professional (CCSP) requires knowledge and hands-on experience with many Cisco network security technologies. Unlike most of the other exams required for CCSP certification, which are focused more on particular areas of security, the SND exam covers these from a high-level identification, implementation and configuration point-of-view. I’ll address some of the main areas to study for this new exam by mapping to the official exam objectives.
Much of the exam tested my general knowledge of how to identify, secure against and mitigate common network attacks, as well as technologies like IPSec, VPN, and authentication, authorization and accounting (AAA). There were, however, a few product-specific questions asking, for example, how to configure a Cisco PIX firewall and how to secure Cisco Layer 2 devices.
For the 90-minute exam period, I was given 62 questions, including two simulation questions. The passing score was 825 on a scale of 300 to 1,000 points. Like all the Cisco exams I’ve ever taken, you can’t move back through the question set or mark or review your answers like you can on most other certification exams. But I find Cisco exams easier overall, with many of the questions in the form of one or two lines with only one correct answer to choose from.
Although this exam does include simulation-based questions, they seem easier than those I’ve had on the new CCSP SNRS and retired CSPFA exams. The simulation questions present a company’s network scenario, topology and usually a partial configuration. You’re required to complete the remaining configuration by navigating the Cisco device command-line environment. The opening screen of the simulation-based exams warns you about spending too much time on any one simulation question; it recommends no more than 10 minutes each. Running short of time on this exam shouldn’t be an issue for most candidates, but you’ll need to pace yourself during the simulators.
Naturally, there are questions that pop up about the simulation problems: Is there partial credit? If you don’t save your configuration, will it be marked incorrect? I approach simulation questions just as I would in the real world: I execute the required commands to configure the router, switch or firewall; show the configuration; save; and verify my work. Many times the question-mark command is available and limited help is there if you need it. The simulation questions are generally more difficult than the more common multiple-choice questions. This exam also includes a number of pick-and-place type questions.
While there’s currently an official Cisco instructor-led SND course available, no exam-specific self-study guides have yet been published. On its Web site, Cisco usually includes a link to Cisco Press with recommended reading for each exam. For the SND exam, I found most everything I needed to learn in the Cisco Press book “Network Security Fundamentals” (ISBN 1578051672). Cisco Press also offers the CCSP Flash Cards and Exam Practice Pack, which can help you prepare for all five of the CCSP exams. I also highly recommend you read the free online chapter from “Cisco Access Control Security: AAA Administration Services.” Generally, for self-study I prefer Cisco Press’ books, but nothing made a better resource for the CCSP exams than the popular Sybex self-study guide written by Todd Lammle. (Note: This guide covers the CCSP’s previous series of exams.)
The main objectives of the SND exam are to identify Cisco security products, implement security, describe and configure IPS and HIPS, and deploy a PIX security appliance. Since a valid Cisco Certified Network Associate (CCNA) is a prerequisite, that’s where you should start to obtain the fundamental knowledge about how to configure and troubleshoot Cisco devices. The CCNA will also introduce you to the wonderful world of LANs, WANs, ACLs and many other fundamentals that are essential to your understanding before taking this exam.
The core topics of the SND exam include:
- Describe the products in the Cisco security portfolio and explain how they mitigate security threats to a network.
- Describe the security features available for a Cisco Layer 2 device in a secure network.
- Implement security on a Cisco IOS Router.
- Describe and configure Cisco IPS and HIPS.
- Configure and verify basic remote access on a Cisco VPN 3000 Concentrator.
- Implement a Cisco PIX security appliance.
Although I didn’t receive any specific questions on my exam regarding configuration and management of the Cisco VPN 3000, I’ll provide a link to information you should know.
Cisco’s Security Products
Cisco routers, switches and firewalls all include many technologies to secure themselves and today’s networks. Securing a network starts with a security policy; without one it is hard to follow the Cisco security wheel of secure, monitor, test and improve. Cisco routers can secure the network up to a point, and they also need to be secured themselves.
Start with access lists. Entries are evaluated top down and processing stops at the first match, so the most specific entries belong at the top. Packet filtering limits which traffic can reach protected hosts and networks. The Cisco PIX firewall’s Adaptive Security Algorithm (ASA) tracks connection state and, with protocol inspection, examines traffic all the way up to Layer 7 (application).
Tip: The reload command can be used to restart a Cisco router or firewall.
Accurate time via Network Time Protocol (NTP) and logging to an external syslog host are just as important: logs that are unsynchronized or kept only on the device are of little use after an incident. The IOS commands for logging are logging on and logging host ip-address (with logging trap to set the severity level sent).
Tip: CDP operates at Layer 2 and can be disabled on a device with the command no cdp run.
The PIX also supports Turbo ACLs, as the Cisco 7200 and 7500 series routers do. Configuring a Cisco router or firewall as an SSH server, and disabling Telnet, is another basic defense: management sessions are then encrypted instead of crossing the network in clear text.
Tip: Reflexive ACLs filter packets based on upper-layer session information, permitting return traffic only for sessions that were initiated from the inside.
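The following IOS fragment is an added example (it is not from the article) that ties the points above together: a packet-filtering ACL with the most specific entries first, a reflexive ACL for return traffic, CDP disabled, NTP and external logging, and SSH in place of Telnet. The interface names, addresses, the management network 198.51.100.0/24 and the syslog/NTP hosts are assumptions chosen for illustration.

```cisco
! Added example, not from the article. Interface names, addresses and the
! management network (198.51.100.0/24) are assumptions.
hostname edge-rtr
ip domain-name example.com
!
! Management access list: only the management network may open vty sessions.
access-list 10 permit 198.51.100.0 0.0.0.255
!
! Outbound traffic creates reflexive entries (temporary permits keyed on
! addresses and ports) ...
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
!
! ... which the inbound list evaluates. Specific permits go first, the
! evaluate lines next, and a logged deny catches everything else.
ip access-list extended OUTSIDE-IN
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
 permit tcp any host 192.0.2.25 eq smtp
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 no cdp enable
!
! CDP is Layer 2 and advertises platform, IOS version and addresses to
! whoever is on the wire, so turn it off globally.
no cdp run
!
! Time first, then logging: log timestamps are meaningless without NTP.
ntp server 192.0.2.123
service timestamps log datetime msec localtime show-timezone
logging on
logging host 10.1.1.50
logging trap informational
logging buffered 16384 informational
!
! SSH server instead of Telnet. The RSA key pair must exist before SSH can
! come up, and generating it requires hostname and ip domain-name.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 access-class 10 in
 transport input ssh
```

The deny ... log entry at the end of OUTSIDE-IN is what makes the external syslog host worthwhile: every packet that is neither a return flow nor an explicitly permitted service is recorded with a timestamp you can correlate across devices.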
Mitigating Security Threats
To identify security issues and threats to a network and how to deal with them, start by identifying targets, attackers and your security policy. Reconnaissance identifies targets through ping sweeps and port scans; fingerprinting goes a step further and identifies the operating system and services running on them. Once an attacker has a target, he can move on to dictionary or brute-force password attacks. As previously mentioned, securing device passwords is crucial! Securing data as it moves across the network is also important in secure environments. DES, 3DES, AES, MD5 and Diffie-Hellman are all acronyms and technologies you should be familiar with for this exam. The first three are symmetric encryption algorithms for message confidentiality; MD5 (used as HMAC-MD5) is a hashing algorithm for message integrity; and Diffie-Hellman is the key-agreement protocol IKE uses to establish the shared secret between IPSec peers. Peer authentication itself is done with pre-shared keys or RSA signatures, not with Diffie-Hellman.
Tip: DES uses a 56-bit key for encryption.
For more information on IPSec encryption, go here.
Tip: IPSec provides anti-replay protection, using the sequence number carried in the AH and ESP headers.
Mitigating security threats to a network also includes fighting worms. The primary steps are:
- Containment – limiting the spread of a worm infection to areas of the network that are already affected.
- Inoculation – patching uninfected systems with the appropriate vendor patch for the vulnerability.
- Quarantine – tracking down and identifying infected machines within the contained areas and disconnecting, blocking or removing them.
- Treatment – the process of removing the worm from actively infected systems.
Security Features of Cisco Layer 2 Devices
Layer 2 security is implemented in the network’s switches. Port security limits how many MAC addresses a port may learn, which mitigates CAM table overflow (MAC flooding) and MAC address spoofing; 802.1X authenticates a host before the port forwards any of its traffic. You’ll most certainly want to read and study this Cisco SAFE white paper.
Tip: CAM table overflow is mitigated with port security (the IOS interface command switchport port-security, together with a maximum MAC address count and a violation action).
VLANs segment a switch into separate Layer 2 broadcast domains, and private VLANs (PVLANs) add isolation between ports inside a single VLAN. A PVLAN is defined by three types of ports:
- Promiscuous – a port that can communicate with all other ports in the PVLAN, including the isolated and community ports (typically the port facing the default gateway).
- Isolated – a port with complete Layer 2 separation from every other port in the same PVLAN except the promiscuous ports.
- Community – a port that can communicate with the other ports in its own community and with the promiscuous ports, but not with other communities or with isolated ports.
PVLANs block all traffic to isolated ports except traffic from promiscuous ports, and traffic from an isolated port is forwarded only to promiscuous ports.
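As an added example (not from the article or from Cisco’s documentation), the Catalyst IOS fragment below configures the three Layer 2 controls just described: port security on the access ports, 802.1X on one port, and a private VLAN with an isolated and a community secondary VLAN. Interface numbers, VLAN IDs and the RADIUS server address and key are assumptions.

```cisco
! Added example, not from the article. Interface names, VLAN numbers and the
! RADIUS server are assumptions.
!
! Port security: one learned MAC per access port bounds the CAM table so
! flooding cannot overflow it, and a second or spoofed MAC shuts the port
! (violation shutdown) and generates a log message.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
! Bring err-disabled ports back after 5 minutes instead of by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! 802.1X: the host must authenticate to RADIUS before the port forwards.
! aaa new-model switches vty lines to local authentication immediately, so a
! local user should already exist when this is entered.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.60 key RadiusSharedSecret1
dot1x system-auth-control
interface FastEthernet0/25
 switchport mode access
 dot1x port-control auto
!
! Private VLAN: 100 is the primary, 101 isolated, 102 a community. Hosts in
! 101 reach only the promiscuous port (the gateway); hosts in 102 also reach
! each other.
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
interface GigabitEthernet0/1
 description Default gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
interface FastEthernet0/26
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/27
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
```

Verify with show port-security interface, show dot1x interface and show vlan private-vlan; an isolated host should be able to ping the gateway but not its neighbor on the same switch.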
A host-based intrusion detection system (HIDS) detects attacks on the host it runs on. It works by intercepting OS and application calls, protecting the OS and applications, validating incoming requests and analyzing log files. A network-based intrusion detection system (NIDS) is usually the first to detect an attack at the network level; it then either takes corrective action (such as sending TCP resets or shunning the source) or notifies a management system so an administrator can act. Attacks are recognized by matching their signatures against traffic flows in the network.
Tip: A DoS attack can occur at a network device, host or the entire network.
Securing Cisco IOS Routers
Securing Cisco routers starts with choosing strong passwords and making sure none are stored in clear text. The IOS command service password-encryption obscures line and user passwords with type 7 encoding, but type 7 is trivially reversible, so use enable secret (an MD5 hash) for the enable password and username ... secret where the IOS release supports it. You can also enforce a minimum password length with the command security passwords min-length.
Configuring Cisco IPS and HIPS
Intrusion prevention (IPS) is the newest addition to the Cisco arsenal for detecting and reacting to network- and host-based attacks. Like an IDS, an IPS matches traffic against a signature database, but because it sits inline it can drop the offending packets or reset the connection as well as raise an alarm when an active attack is detected. For more information on IDS and IPS, study the SAFE document “IDS Deployment, Tuning, and Logging in Depth.”
You may be required to configure a Cisco router for AAA on the exam. Be sure and review the guide “Configuring Basic AAA on an Access Server,” paying particular attention to the commands for TACACS servers.
Tip: The command aaa new-model enables the AAA access-control model and disables the older TACACS and extended TACACS authentication commands. It takes effect immediately and switches the vty lines to local authentication, so define a local user (and your aaa authentication login method lists) first or you can lock yourself out of Telnet/SSH.
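The following fragment is an added example (not from the article or the Cisco guide it refers to) that puts the password hardening above together with basic AAA against a TACACS+ server, including the local fallback that keeps you out of trouble when aaa new-model is entered. The server address, shared key, user names and passwords are assumptions.

```cisco
! Added example, not from the article. Server address, key and credentials
! are assumptions.
!
! Minimum length applies to passwords set after this command.
security passwords min-length 10
! enable secret stores an MD5 hash; enable password would be type 7 at best.
enable secret S3cure-Enable-Pw
! Type 7 only obscures line passwords and is reversible; hashed user
! secrets are preferred where the release supports "username ... secret".
service password-encryption
username admin privilege 15 secret Adm1n-Local-Pw
!
! The local user above exists BEFORE aaa new-model, which moves the vty
! lines to local authentication the moment it is entered.
aaa new-model
tacacs-server host 10.1.1.70 single-connection
tacacs-server key Tacacs-Shared-Key
!
! Authentication: TACACS+ first, local user only if the server is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
! Authorization: exec and privilege-15 commands are checked against TACACS+.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Accounting: sessions and privileged commands are recorded on the server.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

Test the fallback before relying on it: with the TACACS+ server stopped, a new SSH session should still accept the local admin account, and show aaa servers (or debug aaa authentication) shows which method answered.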
Cisco VPN 3000 Concentrator
The two basic types of VPN services are access VPNs and site-to-site VPNs. Their three main applications are remote access, intranet and extranet connectivity. The basics of configuring these using the Cisco VPN 3000 concentrator could be covered in your exam. I recommend you read and understand this Getting Started guide.
Firewalls come in a variety of designs. Packet-filtering firewalls (for example, routers with access-control lists) permit or deny traffic based only on static packet-header information. Proxy-server firewalls terminate the client’s connection on the inside and open their own connection to the Internet on the client’s behalf. Stateful packet-filtering firewalls, such as the PIX, track the state of each connection so that return traffic is allowed only for sessions initiated from a permitted side, combining the speed of packet filtering with much of the protection of a proxy.
Cisco PIX Firewall
The Cisco PIX provides several command-line modes. Unprivileged mode, also called user mode, is what you get when you first access the PIX through a console or Telnet session. After typing enable and the correct password, you enter privileged mode, from which you can issue most show, write and copy commands. You must enter configuration mode with configure terminal to perform any device configuration.
Tip: The PIX command write memory saves the running configuration to flash, so it survives a reload.
There are six basic commands to configure a PIX: nameif, interface, ip address, nat, global and route. The first three are covered here:
- nameif
- interface
- ip address
The nameif command assigns the names inside, outside, dmz and so on to the physical ports of the PIX. It also assigns each interface its ASA security level. For example, nameif ethernet2 dmz security50 assigns the name dmz and a security level of 50 to the third physical interface. By default ethernet0 is the outside interface with security level 0 and ethernet1 is the inside interface with security level 100.
Tip: By default, traffic cannot flow from a lower-security interface to a higher-security one; it needs a static translation and an access list (or conduit) that permits it.
The interface command identifies the hardware, sets the speed and duplex, and administratively enables an interface. For example, interface ethernet0 100full enables the outside interface at 100 Mbps, full duplex (auto negotiates and shutdown disables the interface).
The ip address command assigns an address to a named interface. For example, ip address dmz 172.16.0.1 255.255.255.0.
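As an added example (not from the article), here are all six basic commands applied to a PIX running 6.x software with a third (DMZ) interface, followed by the static and access list needed because traffic from outside to the DMZ is blocked by default. The addresses are assumptions drawn from documentation ranges.

```cisco
! Added example, not from the article: PIX 6.x, three interfaces. Addresses
! are assumptions (RFC 5737 and RFC 1918 ranges).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
!
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
!
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
!
! nat/global: hosts on inside and dmz are translated to the outside pool (then
! to a single PAT address) when they open connections toward outside.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (outside) 1 203.0.113.21
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Lower to higher security is blocked by default, so exposing the DMZ web
! server takes a static translation plus an access list on outside.
static (dmz,outside) 203.0.113.30 172.16.0.10 netmask 255.255.255.255
access-list OUTSIDE-IN permit tcp any host 203.0.113.30 eq www
access-group OUTSIDE-IN in interface outside
!
write memory
```

show xlate and show conn confirm that translations and stateful connection entries appear as inside hosts browse out, and that nothing from outside reaches 172.16.0.10 on any port but 80.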
The PIX Firewall Management Console centralizes the management of multiple PIX firewalls, and the PIX can use both RADIUS and TACACS+ servers for AAA. Finally, the Firewall Services Module (FWSM) can be installed in Cisco Catalyst 6500 series switches and Cisco 7600 series routers for much greater throughput.
Well, that’s that. If you’re confident in your knowledge of Cisco’s portfolio of security products and their related technologies, you should be good to go. Next month, I’ll review the new CCSP exam 642-511 Cisco Secure Virtual Private Networks (CSVPN). Good luck!