Implementing Cisco Network Security
Implementing Cisco Network Security (IINS) exam is also known as CCNA Security. Introducing Network Security Fundamentals is the first chapter here. Well, it’s critical at the outset to make sure that you build a strong foundation of security to protect your corporate resources, the data in storage, and the data in transit, as well as critical systems. So we want to find out what our vulnerabilities are, what our risks are, and then find sound strategies to build countermeasures and safeguards to protect those resources. That’s what we’re going to talk about in the first topic.
Security policies and strategies. Well, like so many other disciplines, it’s extremely important to have a life-cycle approach to build the Cisco borderless network. The next thing we’re going to take a look at are the technologies that Cisco has to offer, the product line, and the architecture for delivering a solid security strategy.
Cisco Network Foundation and Protection – once we have that lifecycle in place in our written security policy, the first order of business is really hardening our network devices. So later on in the course, we’re going to look at ways to protect the data plane and the control plane of both the Layer 2 and Layer 3 Cisco devices.
Securing the management plane and AAA configuration is a topic, where we’re going to first look at protecting the management plane of the Cisco device. That means using protocols like NTPv3, SNMPv3, Secure Shell, and others. Then we’ll look at AAA services – authentication, authorization, and accounting – primarily using TACACS+ and RADIUS with the Cisco ACS server for Windows.
Securing the Data Plane on Cisco Switches is kind of repeating from the ICND classes. You know it’s common to think about the data plane on our router where 80% to 85% of our traffic is transit traffic to the router, but what about that Layer 2 device, what about that switch? We have protection mechanisms there that we need to implement to protect us for things like STP for MAC address spoofing and other very dangerous things that can happen in our network. So in this topic, we’re going to look at countermeasures to protect the data plane at Layer 2 on the Cisco switch.
Securing the data plane in IPv6 environments – yeah that’s right, you read it correctly – IPv6. We run out of IPv4 addresses, so it’s time for the large enterprise and the service provider to start transitioning very quickly to IPv6. We’re going to look at obviously we’re going to define IPv6 and see how it worked its functionality then we’ll look at deploying data plane protections for this new technology in your Cisco environment. The chapter has a lot of references to the ICND classes where we covered the IPv6 basics.
Historically a firewall system was simply just, let’s say, a Unix box running some packet filtering on it. And static packet filters – we’ve come a long way since that. We have very intelligent access control list for threat mitigation, we also have firewall features. Static firewalls, also stateful packet filtering and advanced inspection and control. In this topic, we’re going to look at the firewall system and building that firewall system as your first line of defense to protect your corporate network.
In the topic about implementation of firewall policies, we’re really going to get our hands dirty. Okay, we’re going to dig in there and look at several ways to implement a firewall system on your Cisco device. We’ll also look at how network address translation works with the classic firewall, and we’ll look at the classic firewall. But we’ll also move forward and look at the zone-based policy firewall configured on the router with the Cisco Configuration Professional (CCP). But we’ll also look at a Cisco ASA 5505 firewall configuration through the ASDM – the ASA Security Device Manager.
Further on we’re going to begin looking at the difference between IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems), promiscuous mode, and inline mode. We’ll look at the technologies and the terminology for this different animal that usually is deployed after you deploy your firewall. We’ll also look at some basics to tuning the signature set and fundamental IPS tuning to make sure that you have the best Cisco IOS, IPS environment that you can from the outset.
VPN technologies and public key infrastructure (PKI) is a topic that you have to read twice. There are a lot of crypto basics covered there which are used and you will refer on in your further practice and learning. It’s extremely important to protect the traffic that’s flowing from your corporate headquarters to remote offices, or branch offices, or teleworkers. We have to protect the confidentiality, integrity, availability and provide non-repudiation. We’ll look at a wide variety of solutions here, site-to-site VPNs with IPsec. We’ll also look at remote access IPsec VPNs including SSL TLS or SSL VPNs for those remote access users as well – a wide variety of technologies, a wide variety of solutions provided by Cisco, and we’re going to get a strong foundation here in this topic.
In the end of the CCNA Security track we will take a look at the IPsec fundamentals and the VPNs. IP security or IPsec is ubiquitous, its everywhere, and it’s easy to find an expert in IPsec. And that’s our goal to become one of those experts at deploying site-to-site VPNs and remote access VPNs, and using various Cisco technologies and solutions in this CLI and graphical user interface to rapidly deploy VPN solutions using IPsec and also if possible SSL VPNs as well.
Our Recommended Premium CCNA Training Resources
These are the best CCNA training resources online:
Click Here to get the Cisco CCNA Gold Bootcamp, the most comprehensive and highest rated CCNA course online with a 4.8 star rating from over 30,000 public reviews. I recommend this as your primary study source to learn all the topics on the exam.
And click here for a free trial of AlphaPrep premium practice tests when youre ready to test your knowledge. They have the largest question bank, with adaptive tests and advanced reporting which tells you exactly when you are ready to pass the real exam.