© 1992-2012 Cisco Systems Inc. All Rights Reserved. Generated on 2012-06-05-06:00
CCIE Security Lab Exam v4.0 Checklist
Expansion of the Security Lab v4.0 Exam Topics
Detailed Checklist of Topics to Be Covered
Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.
We would like to get your feedback; please comment on and/or rate this document.
1. System Hardening and Availability
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)
Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane
Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane
Configuring Control Plane Policing (CoPP)
Control Plane Rate Limiting
Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)
Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)
MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces
Configuring Routing Protocol Authentication
Route Filtering and Protocol-Specific Filters
ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect, IP Mask Reply, etc.)
Selective Packet Discard (SPD)
MQC and FPM Types of Service Policy on the CoPP Interface
Broadcast Control on a Switch
Catalyst Switch Port Security
IPv6 Selective Packet Discard
Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)
The Generalized TTL Security Mechanism Known as “BGP TTL Security Hack” (BTSH)
Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)
SNMP Security
System Banners
Secure Cisco IOS File Systems
Understanding and Enabling Syslog
NTP with Authentication
Role-Based CLI Views and Cisco Secure ACS Setup
Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)
Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, SNMP, Syslog, RMON)
2. Threat Identification and Mitigation
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Implementing RFC 1918 Antispoofing Filtering
Implementing RFC 2827 Antispoofing Filtering
Implementing RFC 2401 Antispoofing Filtering
Enabling a TCP Intercept on a Router
Enabling a TCP Intercept on the Cisco ASA Security Appliance
FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps
Classification Using NBAR
Understanding and Enabling NetFlow on a Router
Port Security on a Switch
Storm Control on a Switch
Private VLAN (PVLAN) on a Switch
Port Blocking on a Switch
Port ACL on a Switch
MAC ACL on a Switch
VLAN ACL on a Switch
Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch
DHCP Snooping on a Switch
IP Source Guard on a Switch
Dynamic ARP Inspection (DAI) on a Switch
SeND for ND Protection
IPv6 First Hop Security
Disabling DTP on All Nontrunking Access Ports
Concept of Proactive vs. Reactive Measures
Knowledge of Protocols: TCP, UDP, HTTP, SMTP, ICMP, FTP
Knowledge of Common Attacks: Network Reconnaissance, IP Spoofing, DHCP Snooping, DNS Spoofing, MAC Spoofing, ARP Snooping, Fragment Attack, Smurf Attack, TCP SYN Attack
Understanding and Interpreting ARP Header Structure
Understanding and Interpreting IP Header Structure
Understanding and Interpreting TCP Header Structure
Understanding and Interpreting UDP Header Structure
Understanding and Interpreting HTTP Header Structure
Understanding and Interpreting ICMP Header Structure
Understanding and Interpreting ICMP Type Names and Codes
Understanding and Interpreting Syslog Messages
Understanding and Interpreting Packet Capture Outputs (Sniffer, Ethereal, Wireshark, TCPDump)
Understanding Different Types of Attack Vectors
Interpreting Various show and debug Outputs
Classifying Attack Patterns Using FPM
Memorizing Common Protocol and Port Numbers
Preventing an ICMP Attack Using ACLs
Preventing an ICMP Attack Using NBAR
Preventing an ICMP Attack Using Policing
Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
Preventing a SYN Attack Using ACLs
Preventing a SYN Attack Using NBAR
Preventing a SYN Attack Using Policing
Preventing a SYN Attack Using CBAC
Preventing a SYN Attack Using CAR
Preventing a SYN Attack Using a TCP Intercept
Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
Preventing Application Protocol–Specific Attacks Using FPM (e.g., HTTP, SMTP)
Preventing Application Protocol–Specific Attacks Using NBAR (e.g., HTTP, SMTP)
Preventing Application Protocol–Specific Attacks Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance (e.g., HTTP, SMTP)
Preventing IP Spoofing Attacks Using Antispoofing ACLs
Preventing IP Spoofing Attacks Using uRPF
Preventing IP Spoofing Attacks Using IP Source Guard
Preventing Fragment Attacks Using ACLs
Preventing MAC Spoofing Attacks Using Port Security
Preventing ARP Spoofing Attacks Using DAI
Preventing VLAN Hopping Attacks Using the switchport mode access Command
Preventing STP Attacks Using the Root Guard or BPDU Guard
Preventing DHCP Spoofing Attacks Using Port Security
Preventing DHCP Spoofing Attacks Using DAI
Preventing Port Redirection Attacks Using ACLs
3. Intrusion Prevention and Content Security
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)
Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)
Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)
Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)
Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring
Initializing a Basic Sensor (IP Address, Mask, Default Route, etc.)
Troubleshooting Basic Connectivity Issues
Managing Sensor ACLs
Allowing Services Ping and Telnet from/to Cisco IPS
Enabling Physical Interfaces
Promiscuous Mode
Inline Interface Mode
Inline VLAN Pair Mode
VLAN Group Mode
Inline Bypass Mode
Interface Notifications
Understanding the Analysis Engine
Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors
Understanding and Configuring Virtual Sensors (vs0, vs1)
Assigning Interfaces to the Virtual Sensor
Understanding and Configuring Event Action Rules (rules0, rules1)
Understanding and Configuring Signatures (sig0, sig1)
Adding Signatures to Multiple Virtual Sensors
Understanding and Configuring Anomaly Detection (ad0, ad1)
Using the Cisco IDM (IPS Device Manager)
Using Cisco IDM Event Monitoring
Displaying Events Triggered Using the Cisco IPS Console
Troubleshooting Events Not Triggering
Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)
SPAN and RSPAN
Rate Limiting
Configuring Event Action Variables
Target Value Ratings
Event Action Overrides
Event Action Filters
Configuring General Settings
General Signature Parameters
Alert Frequency
Alert Severity
Event Counter
Signature Fidelity Rating
Signature Status
Assigning Actions to Signatures
AIC Signatures
IP Fragment Reassembly
TCP Stream Reassembly
IP Logging
Configuring SNMP
Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)
Creating Custom Signatures (Using the CLI and Cisco IDM)
Understanding Various Types of Signature Engines
Understanding Various Types of Signature Variables
Understanding Various Types of Event Actions
Creating a Custom String TCP Signature
Creating a Custom Flood Engine Signature
Creating a Custom AIC MIME-Type Engine Signature
Creating a Custom Service HTTP Signature
Creating a Custom Service FTP Signature
Creating a Custom ATOMIC.ARP Engine Signature
Creating a Custom ATOMIC.IP Engine Signature
Creating a Custom TCP Sweep Signature
Creating a Custom ICMP Sweep Signature
Creating a Custom Trojan Engine Signature
Enabling Shunning and Blocking (Enabling Blocking Properties)
Enabling the TCP Reset Function
Configuring Cisco IronPort WSA
Configuring WCCP
Active Directory Integration
Custom Categories
HTTPS Configuration
Services Configuration (Web Reputation)
Configuring Proxy Bypass Lists
Web Proxy Modes
Application Visibility and Control
4. Identity Management
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding the AAA Framework
Understanding the RADIUS Protocol
Understanding RADIUS Attributes (Cisco AV-Pairs)
Understanding the TACACS+ Protocol
Understanding TACACS+ Attributes
Comparison of RADIUS and TACACS+
Configuring Basic LDAP Support
Overview of Cisco Secure ACS
How to Navigate Cisco Secure ACS
Cisco Secure ACS – Network Settings Parameters
Cisco Secure ACS – User Settings Parameters
Cisco Secure ACS – Group Settings Parameters
Cisco Secure ACS – Shared Profile Components (802.1X, NAF, NAR, Command Author, Downloadable ACL, etc.)
Cisco Secure ACS – Shell Command Authorization Sets Using Both Per-Group Setup and Shared Profiles
Cisco Secure ACS – System Configuration Parameters
Enabling AAA on a Router for vty Lines
Enabling AAA on a Switch for vty Lines
Enabling AAA on a Router for HTTP
Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols
Using Default vs. Named Method Lists
Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles
Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through Traffic (FTP, Telnet, and HTTP), and Relevant Cisco ISE Profiles
Using Virtual Telnet on the Cisco ASA Security Appliance
Using Virtual HTTP on the Cisco ASA Security Appliance
Downloadable ACLs
AAA 802.1X Authentication Using RADIUS on a Switch
NAC-L2-802.1X on a Switch
NAC-L2-IP on a Switch
Troubleshooting Failed AAA Authentication or Authorization
Troubleshooting Using Cisco Secure ACS Logs
Cisco Identity Services Engine Configuration and Initialization
ISE AuthZ Result Handling
ISE Profiling Configuration (Probes)
ISE Guest Services
ISE Posture Assessment
ISE Client Provisioning (CPP)
ISE Configuring AD Integration/Identity Sources
ISE Support for 802.1X
ISE MAB Support
ISE Web Auth Support
ISE Definition and Support for VSAs
Support for MAB in Cisco IOS
Support for Web Auth in Cisco IOS
Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance
Understanding and Interpreting the debug radius Command
Understanding and Interpreting the debug tacacs+ Command
Understanding and Interpreting the debug aaa authentication Command
Understanding and Interpreting the debug aaa authorization Command
Understanding and Interpreting the debug aaa accounting Command
5. Perimeter Security and Services
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)
Understanding Security Levels (Same Security Interface)
Understanding Single vs. Multimode
Understanding Firewall vs. Transparent Mode
Understanding Multiple Security Contexts
Understanding Shared Resources for Multiple Contexts
Understanding Packet Classification in Multiple-Context Mode
VLAN Subinterfaces Using 802.1Q Trunking
Multiple-Mode Firewall with Outside Access
Single-Mode Firewall Using the Same Security Level
Multiple-Mode, Transparent Firewall
Single-Mode, Transparent Firewall with NAT
ACLs in Transparent Firewall (for Pass-Through Traffic)
Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)
Understanding Static vs. Dynamic Routing
Static Routes
RIP with Authentication
OSPF with Authentication
EIGRP with Authentication
Managing Multiple Routing Instances
Redistribution Between Protocols
Route Summarization
Route Filtering
Static Route Tracking Using an SLA
Dual ISP Support Using Static Route Tracking
Redundant Interface Pair
LAN-Based Active/Standby Failover (Routed Mode)
LAN-Based Active/Active Failover (Routed Mode)
LAN-Based Active/Standby Failover (Transparent Mode)
LAN-Based Active/Active Failover (Transparent Mode)
Stateful Failover Link
Device Access Management
Enabling Telnet
Enabling SSH
The nat-control Command vs. the no nat-control Command
Enabling Address Translation (NAT, Global, and Static) Pre- and Post-8.4
NAT Objects
Context-Aware Firewall
Identity Firewall
Using ASDM and Cisco Prime
Policy NAT
Destination NAT
Bypassing NAT When NAT Control Is Enabled Using Identity NAT
Bypassing NAT When NAT Control Is Enabled Using NAT Exemption
Port Redirection Using NAT
Tuning Default Connection Limits and Timeouts
Basic Interface Access Lists and Access Group (Inbound and Outbound)
Time-Based Access Lists
ICMP Commands
Enabling Syslog and Parameters
NTP with Authentication
Object Groups (Network, Protocol, ICMP, and Services)
Nested Object Groups
URL Filtering
Java Filtering
ActiveX Filtering
ARP Inspection
Modular Policy Framework (MPF)
Application-Aware Inspection
Identifying Injected Errors in Troubleshooting Scenarios
Understanding and Interpreting Adaptive Security Appliance show and debug Outputs
Understanding and Interpreting the packet-tracer and capture Commands
Cisco IOS Firewalls
Zone-Based Policy Firewall Using Multiple-Zone Scenarios
User-Based Firewall
Secure-Group Firewall
Transparent Cisco IOS Firewall (Layer 2)
Context-Based Access Control (CBAC)
Proxy Authentication (Auth Proxy)
Port-to-Application Mapping (PAM) Usage with ACLs
Use of PAM to Change System Default Ports
PAM Custom Ports for Specific Applications
Mapping Nonstandard Ports to Standard Applications
Performance Tuning
Tuning Half-Open Connections
Understanding and Interpreting the show ip port-map Commands
Understanding and Interpreting the show ip inspect Commands
Understanding and Interpreting the debug ip inspect Commands
Understanding and Interpreting the show zone|zone-pair Commands
Understanding and Interpreting the debug zone Commands
Cisco IOS Services
Marking Packets Using DSCP and IP Precedence and Other Values
Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
RTBH Filtering (Remote Triggered Black Hole)
Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)
Managing Time-Based Access Lists
Enabling NAT and PAT on a Router
Conditional NAT on a Router
Multihome NAT on a Router
CAR Rate Limiting with Traffic Classification Using ACLs
PBR (Policy-Based Routing) and Use of Route Maps
Traffic Policing on a Router
Traffic Characterization
Packet Classification
Packet-Marking Techniques
6. Confidentiality and Secure Access
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding Cryptographic Protocols (ISAKMP, IKEv1 and IKEv2, ESP, Authentication Header, CA)
IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
Configuring VPNs Using ISAKMP Profiles
Configuring VPNs Using IPsec Profiles
GRE over IPsec Using IPsec Profiles
Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)
Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)
Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
Understanding DMVPN Architecture (NHRP, mGRE, IPsec, Routing)
DMVPN Using NHRP and mGRE (Hub-and-Spoke)
DMVPN Using NHRP and mGRE (Full-Mesh)
DMVPN Through Firewalls and NAT Devices
Understanding GETVPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)
Implementing GETVPN (Using Preshared Keys and Certificates)
GETVPN Unicast Rekey
GETVPN Multicast Rekey
GETVPN Group Member Authorization List
GETVPN Key Server Redundancy
GETVPN Through Firewalls and NAT Devices
Integrating GET VPN with a DMVPN Solution
Basic VRF-Aware IPsec
Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
CA Enrollment Process on a Router Client
CA Enrollment Process on a Cisco ASA Security Appliance Client
CA Enrollment Process on a PC Client
Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
AnyConnect VPN Client on Cisco IOS Software
AnyConnect VPN Client on the Cisco ASA Security Appliance
Remote Access Using a Traditional Cisco VPN Client – on a Cisco IOS Router
Remote Access Using a Traditional Cisco VPN Client – on a Cisco ASA Security Appliance
Cisco Easy VPN – Router Server and Router Client (Using DVTI)
Cisco Easy VPN – Router Server and Router Client (Using Classical Style)
Cisco Easy VPN – Cisco ASA Server and Router Client
Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)
High Availability Using Link Resiliency (with Loopback Interface for Peering)
High Availability Using HSRP and RRI
High Availability Using IPsec Backup Peers
High Availability Using GRE over IPsec (Dynamic Routing)
Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)
Understanding and Interpreting the show crypto Commands
Understanding and Interpreting the debug crypto Commands
AnyConnect VPN Including DAP Support
MACsec (Switch-Switch, Host-Switch)
Wireless Security on AP and WLC
EAP Methods
WPA/WPA2
WIPS