CCSP Self-Study
CCSP SNRS Exam Certification Guide

Greg Bastien
Sara Nasseh, CCIE No. 5824
Christian Abera Degu

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Copyright © 2006 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

Library of Congress Cataloging-in-Publication Number: 2005922370
ISBN: 1587201534
First Printing December 2005

Warning and Disclaimer
This book is designed to provide information about selected topics for the Cisco CCSP SNRS exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process.
If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact:
U.S. Corporate and Government Sales
1-800-382-3419
[email protected]
For sales outside the U.S. please contact:
International Sales
[email protected]

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Production Manager: Patrick Kanouse
Development Editor: Dan Young
Senior Project Editor: San Dee Phillips
Copy Editor and Indexer: Keith Cline
Technical Editors: Brian Done, David Lazarte, and Edward Storey
Book and Cover Designer: Louisa Adair
Composition: Interactive Composition Corporation

About the Authors
Greg Bastien, CCNP, CCSP, CISSP, is the chief technical officer of Virtue Technologies, Inc., and directs the actions of the engineering staff that supports several federal agencies. He holds a position as adjunct professor at Strayer University, teaching networking and network security courses. He completed his undergraduate and graduate degrees at Embry-Riddle Aeronautical University while on active duty as a helicopter flight instructor in the U.S. Army. Mr. Bastien lives with his wife and two sons in Potomac, Maryland.

Sara Nasseh, CCIE No. 5824, CISSP, is currently a senior consultant for Intercom Consulting and Federal Systems, working as a network architect and consultant for various federal agencies. She completed her Bachelor of Science degree in computer information systems at the University of Virginia College. She obtained her CCIE in April 2000 and has more than 11 years of experience in the data communications and network systems arena.

Christian Abera Degu, RHCE, CCSP, CCNP, CCDP, is a network architect with General Dynamics Network Systems supporting multiple civilian federal agencies. Mr. Degu completed his graduate degree in computer information systems. He resides in Alexandria, Virginia.

About the Technical Reviewers
Brian Done is a technical director for ManTech International Corporation. He has attained an M.B.A. degree with a major in information security (InfoSec), including numerous certifications such as the CCNP, CCDP, CCSP, NSA IAM, CHSP, CISM, ISSAP, ISSMP, and CISSP. In addition to his corporate duties, he is a principal InfoSec advisor providing support on diverse enterprise topics to the U.S. government. More information can be obtained at BrianDone.com or Leadership1st.org (his foundation).

David Lazarte is a CLD developer for Cisco security products. He was the developer for the SNRS v1.0 (SECUR 2.0) course and helped develop the exam. He is president and senior IT consultant for Amnetech Inc., (d/b/a American Network Technologies) and is also certified to teach career and technology education in the state of Texas. He is currently developing security courses for Cisco. He set up and taught the first local Cisco Networking Academy in the Houston Independent School District in Houston, Texas, in 1999. David taught and developed the curriculum for the Computer Maintenance Technology Magnet Program at HISD, including the local Cisco Networking Academy, and administered the local school network and databases.
After leaving HISD, David provided Cisco design and support for large corporations and educational institutions, such as Houston Community College System (where he served as a member of the Technical Advisory Group for the Texas GigaPOP—Internet2), G.E. Power Systems, AIG, and Cardinal Health, providing network and security consulting, design, and implementations. He has more than 20 years of experience with computer systems and more than 15 years in networking. He has earned CCNP certification and a degree in electrical engineering technology from Del Mar College.

Edward Storey has more than 11 years of LAN/WAN/server infrastructure management, design, implementation, support, consulting, and sales engineering experience. He is a systems engineer for Cisco Systems, working with the Department of State. Ed holds both CCNP and CCIP certifications.

Dedications
This book is dedicated to the memory of my brother, Ali Reza Nasseh (November 27, 1970–February 22, 1998), for his courage, compassion, and infinite love of learning.

Acknowledgments
We sincerely appreciate the efforts of all those who helped to keep us focused throughout the process and our respective families (who put up with us during the process). We especially want to thank the editorial team of Brett Bartow, Dan Young, Andrew Cupp, San Dee Phillips, Patrick Kanouse, and Michelle Grandin. We also want to thank the technical reviewers for their hard work. Last but not least, we want to thank Alen and Roger for their assistance on the questions.

This Book Is Safari Enabled
The Safari® Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days. Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.
To gain 45-day Safari Enabled access to this book:
■ Go to http://www.ciscopress.com/safarienabled
■ Enter the ISBN of this book (shown on the back cover, above the bar code)
■ Log in or Sign up (site membership is required to register your book)
■ Enter the coupon code FMG3-KAKI-HF5J-NYII-LNFT
If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail [email protected].

Contents at a Glance
Foreword xxvi
Introduction xxvii
Part I Overview of Network Security 3
Chapter 1 Network Security Essentials 5
Chapter 2 Defining and Detailing Attack Threats 25
Chapter 3 Defense in Depth 45
Part II Managing Cisco Routers 59
Chapter 4 Basic Router Management 61
Chapter 5 Secure Router Administration 79
Part III AAA 105
Chapter 6 Authentication 107
Chapter 7 Authentication, Authorization, and Accounting 125
Chapter 8 Configuring RADIUS and TACACS+ on Cisco IOS Software 149
Chapter 9 Cisco Secure Access Control Server 173
Chapter 10 Administration of Cisco Secure Access Control Server for Windows 199
Part IV IOS Firewall Feature Set 215
Chapter 11 Securing Networks with Cisco Routers 217
Chapter 12 The Cisco IOS Firewall and Advanced Security Feature Set 241
Chapter 13 Cisco IOS Intrusion Prevention System 255
Chapter 14 Mitigating Layer 2 Attacks 279
Chapter 15 Context-Based Access Control 305
Chapter 16 Authentication Proxy and the Cisco IOS Firewall 329
Chapter 17 Identity-Based Networking Services 353
Chapter 18 Configuring 802.1x Port-Based Authentication 373