In this class, you will learn the industry best practices for securing your Cisco routers and switches. You will learn to secure switches, including advanced Layer 2 security and Identity-Based Networking Services (IBNS) based on IEEE 802.1x. You will cover network platform security, VPN, Firewall, and IPS, and you will learn to secure a router's control, data, and management planes.
You will spend a large portion of the class on advanced VPN topics, including:
• Using digital certificates for VPN authentication
• GRE over IPsec
• Virtual Tunnel Interfaces
• Dynamic Multipoint VPN (DMVPN)
• Group Encryption Transport VPN (GET VPN)
• Remote access IPsec VPN with the Easy VPN Server
• Cisco VPN Client and Easy VPN Remote (hardware client)
• SSL VPN
You'll receive five extra SECURE e-Lab credits (good for 30 days) to review a topic after class, refine your skills, or get in extra practice, whatever lab activities complete your training.
What You'll Learn
• Advanced IOS security technologies for locking down routers and switches: 802.1x, COPP/COPr, and user-based authentication
• Various VPN technologies and their use in production environments: DMVPN, GRE, GRE w/ IPSEC, IPSEC, GET, Ez-VPN, and SSL
• IOS IPS exploration with IME and Cisco Configuration Professional
• Launch live attacks against the network using BackTrack4 and learn mitigation techniques
• Use Cisco IME software to monitor alerts from the IOS IPS process
• Use the new Cisco Configuration Professional tool to configure IPS
• Advanced IPS topics: event action overrides, event action filters, signature tuning, and custom signature creation
Course Outline
1. Network Foundation Controls
• Control, Data, and Management Planes
2. Advanced Switched Data Plane Security Controls
• Common Layer 2 Attacks
• PVLANs
• DHCP Attacks
• ARP Poisoning
• IP Source Guard
3. Cisco Identity-Based Network Services
• 802.1 Overview
• ACS Integration with 802.1x
• Cisco Secure Services Client
• EAP Overview
4. Basic 802.1x Features
• 802.1x Switch Configuration
• ACS and EAP-FAST Configuration
• CSSC as an 802.1x Supplicant
5. Advanced Routed Data Plane Security Controls
• Unicast Reverse Path Forwarding
• Flexible Packet Matching Configuration
• Flexible Netflow
6. Advanced Control Plane Security Controls
• Deploy Infrastructure ACLs
• Control Plane Policing
• Control Plane Protection
• Routing Protocol Authentication
• Routing Protocol Filtering
7. Advanced Management Plane Security Controls
• Configure IOS Software Management Access Controls
• Configure Role-Based Access Controls
• Configure SNMP in IOS
• Digitally Signed IOS Images
• CPU and Memory Thresholding
8. Cisco IOS Software Network Address Translation
• IOS Static NAT and PAT Configurations
• IOS Dynamic NAT and PAT Configurations
9. Basic Zone-Based Policy Firewalls
• Zone-Based Policy Firewalls Zone Pairs
• Configure Layer 3/4 Inter-Zone Access Policies
• Configure Layer 3/4 Intra-Zone Access Policies
• ZBPFW Inspection of Control Plane and Management Plane Traffic
• Tune ZBPFW Stateful Engine and Connection Settings
• Configure ZBPFW Transparent Mode and VRF Support
10. Advanced Zone-Based Policy Firewalls
• Configure Layer 7 Zone-Based Policy Firewalls
• Configure Zone-Based Policy Firewalls with User Policies
• Configure Zone-Based Policy Firewall URL Filtering
11. Cisco IOS Software IPS
• IOS IPS Signature Policies
• Tune Cisco IOS Software IPS Signature Policies
• IPS Signature Auto Update
• Select an IPS Monitoring Solution
12. Site-to-Site VPN Architectures and Technologies
• Cryptographic Controls
13. VTI-Based Site-to-Site IPsec VPNs
• Virtual Tunnel Interfaces
• Pre-Shared Keys
• Static VTIs
• Dynamic VTIs
14. Scalable Authentication in Site-to-Site IPsec VPNs
• PKI Overview
• Configure the IOS Certificate Server
• IOS CA and PKI enrollment
15. DMVPNs
• Generic Routing Encapsulation (GRE)
• NHRP Client and Server
• DMVPN Hub and Spoke Configurations
• Verify Dynamic Routing in a DMVPN Environment
16. High Availability in Tunnel-Based IPsec VPNs
• IPsec High Availability Features
• Routing Protocols for HA
• Mitigating Failures in VTI Environments
• Mitigating Failures in a DMVPN Environment
17. Group Encrypted Transport (GET) VPN
• Configuring Key Servers
• Configuring Group Members
• High Availability
18. Remote Access VPN Architectures and Technologies
• Cryptographic Controls
19. Remote Access Solutions Using SSL VPN
• SSL VPN Overview
• Configure SSL VPN Parameters
• Configure Client Authentication Policies
• Full VPN tunnels
• AnyConnect Client
• Clientless VPN Configuration
20. Remote Access Solutions Using EZVPN
• EzVPN with Dynamic VTIs
• Cisco IPsec VPN Client
• Configure Advanced EzVPN Functionality
• Configure PKI for EzVPN
Labs
Exclusive - Introduction to the Remote Lab System
• Remote Labs Familiarity
Lab 1: Enhanced - Advanced L2 Security
• Port ACLs
• VACLs
• PVLAN Edge
• Proxy Router Attacks
• DHCP Snooping
• DAI
• IP Source Guard
Lab 2: Exclusive - AAA with 802.1x Security
• RADIUS Configuration
• Restricted VLANs
• Guest VLANs
• CSSC
• Dynamic VLAN Assignment
Lab 3: Enhanced - Network Foundation Protection
• Routing Protocol Authentication (EIGRP & OSPF)
• SNMPv3
• Flexible Netflow
• uRPF
• Management Plane Protection
• Data Plane Protection
Lab 4: Enhanced - IOS Zone Based Firewalls
• Basic Zone Configuration
• Attack Mitigation
• URL Filtering
• HTTP Deep Packet Inspection
• Stateful Inspections
Lab 5: Enhanced - IOS IPS
• Loading Signature Definition Files
• Basic Configuration
• De-Obfuscation
• IPS Manager Express
• Signature Actions
• Custom Signature Configuration
• Event Action Overrides
• Event Action Filters
Lab 6: Enhanced - Site-to-Site VPN using PKI and VTIs
• Using VTIs
• IOS CA
• Enrollments
• VPN Configuration
Lab 7: Enhanced - DMVPN
• Hub Configuration
• Spoke Configuration
• Routing Configuration
Lab 8: Enhanced - GET VPNs
• KS Configuration
• EIGRP Configuration
• GM Configuration
• Configuring other GMs
Lab 9: Enhanced - SSL Based VPNs
• Port Forwarding
• AnyConnect
• CSD
Lab 10: Enhanced - EzVPN
• Ez-VPN Software Based Client
• Ez-VPN Hardware Based Client
• NEM
Lab 11: Exclusive - Generic Security
• Auto Secure
• BOGON Best Practices
This course has extended hours - 8:30am - 6:00pm each day - to give you the most complete training experience possible. There is a lot of in-depth material included on these exams, and we want to make sure you have the proper time to absorb and understand it.