CCIE Security Lab Exam v4.0 Checklist

© 1992-2012 Cisco Systems Inc. All Rights Reserved. Generated on 2012-06-05-06:00


Expansion of the Security Lab v4.0 Exam Topics

Detailed Checklist of Topics to Be Covered

Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.

We would like to get your feedback; please comment on and/or rate this document.

1. System Hardening and Availability

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)

Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane

Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane

Configuring Control Plane Policing (CoPP)

Control Plane Rate Limiting

Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)

Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)

MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces

Configuring Routing Protocol Authentication

Route Filtering and Protocol-Specific Filters

ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect, IP Mask Reply, etc.)

Selective Packet Discard (SPD)

MQC and FPM Types of Service Policy on the CoPP Interface

Broadcast Control on a Switch

Catalyst Switch Port Security

IPv6 Selective Packet Discard

Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)

The Generalized TTL Security Mechanism Known as “BGP TTL Security Hack” (BTSH)

Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)

SNMP Security

System Banners

Secure Cisco IOS File Systems

Understanding and Enabling Syslog

NTP with Authentication

Role-Based CLI Views and Cisco Secure ACS Setup

Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)

Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, SNMP, Syslog, RMON)

2. Threat Identification and Mitigation

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Implementing RFC 1918 Antispoofing Filtering

Implementing RFC 2827 Antispoofing Filtering

Implementing RFC 2401 Antispoofing Filtering

Enabling a TCP Intercept on a Router

Enabling a TCP Intercept on the Cisco ASA Security Appliance

FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps

Classification Using NBAR

Understanding and Enabling NetFlow on a Router

Port Security on a Switch

Storm Control on a Switch

Private VLAN (PVLAN) on a Switch

Port Blocking on a Switch

Port ACL on a Switch

MAC ACL on a Switch

VLAN ACL on a Switch

Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch

DHCP Snooping on a Switch

IP Source Guard on a Switch

Dynamic ARP Inspection (DAI) on a Switch

SeND for ND Protection

IPv6 First Hop Security

Disabling DTP on All Nontrunking Access Ports

Concept of Proactive vs. Reactive Measures

Knowledge of Protocols: TCP, UDP, HTTP, SMTP, ICMP, FTP

Knowledge of Common Attacks: Network Reconnaissance, IP Spoofing, DHCP Snooping, DNS Spoofing, MAC Spoofing, ARP Snooping, Fragment Attack, Smurf Attack, TCP SYN Attack

Understanding and Interpreting ARP Header Structure

Understanding and Interpreting IP Header Structure

Understanding and Interpreting TCP Header Structure

Understanding and Interpreting UDP Header Structure

Understanding and Interpreting HTTP Header Structure

Understanding and Interpreting ICMP Header Structure

Understanding and Interpreting ICMP Type Name and Codes

Understanding and Interpreting Syslog Messages

Understanding and Interpreting Packet Capture Outputs (Sniffer, Ethereal, Wireshark, TCPDump)

Understanding Different Types of Attack Vectors

Interpreting Various show and debug Outputs

Classifying Attack Patterns Using FPM

Memorizing Common Protocol and Port Numbers

Preventing an ICMP Attack Using ACLs

Preventing an ICMP Attack Using NBAR

Preventing an ICMP Attack Using Policing

Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance

Preventing a SYN Attack Using ACLs

Preventing a SYN Attack Using NBAR

Preventing a SYN Attack Using Policing

Preventing a SYN Attack Using CBAC

Preventing a SYN Attack Using CAR

Preventing a SYN Attack Using a TCP Intercept

Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance

Preventing Application Protocol–Specific Attacks Using FPM (e.g., HTTP, SMTP)

Preventing Application Protocol–Specific Attacks Using NBAR (e.g., HTTP, SMTP)

Preventing Application Protocol–Specific Attacks Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance (e.g., HTTP, SMTP)

Preventing IP Spoofing Attacks Using Antispoofing ACLs

Preventing IP Spoofing Attacks Using uRPF

Preventing IP Spoofing Attacks Using IP Source Guard

Preventing Fragment Attacks Using ACLs

Preventing MAC Spoofing Attacks Using Port Security

Preventing ARP Spoofing Attacks Using DAI

Preventing VLAN Hopping Attacks Using the switchport mode access Command

Preventing STP Attacks Using the Root Guard or BPDU Guard

Preventing DHCP Spoofing Attacks Using Port Security

Preventing DHCP Spoofing Attacks Using DAI

Preventing Port Redirection Attacks Using ACLs

3. Intrusion Prevention and Content Security

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)

Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)

Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)

Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)

Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring

Initializing the Basic Sensor (IP Address, Mask, Default Route, etc.)

Troubleshooting Basic Connectivity Issues

Managing Sensor ACLs

Allowing Services Ping and Telnet from/to Cisco IPS

Enabling Physical Interfaces

Promiscuous Mode

Inline Interface Mode

Inline VLAN Pair Mode

VLAN Group Mode

Inline Bypass Mode

Interface Notifications

Understanding the Analysis Engine

Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors

Understanding and Configuring Virtual Sensors (vs0, vs1)

Assigning Interfaces to the Virtual Sensor

Understanding and Configuring Event Action Rules (rules0, rules1)

Understanding and Configuring Signatures (sig0, sig1)

Adding Signatures to Multiple Virtual Sensors

Understanding and Configuring Anomaly Detection (ad0, ad1)

Using the Cisco IDM (IPS Device Manager)

Using Cisco IDM Event Monitoring

Displaying Events Triggered Using the Cisco IPS Console

Troubleshooting Events Not Triggering

Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)

SPAN and RSPAN

Rate Limiting

Configuring Event Action Variables

Target Value Ratings

Event Action Overrides

Event Action Filters

Configuring General Settings

General Signature Parameters

Alert Frequency

Alert Severity

Event Counter

Signature Fidelity Rating

Signature Status

Assigning Actions to Signatures

AIC Signatures

IP Fragment Reassembly

TCP Stream Reassembly

IP Logging

Configuring SNMP

Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)

Creating Custom Signatures (Using the CLI and Cisco IDM)

Understanding Various Types of Signature Engines

Understanding Various Types of Signature Variables

Understanding Various Types of Event Actions

Creating a Custom String TCP Signature

Creating a Custom Flood Engine Signature

Creating a Custom AIC MIME-Type Engine Signature

Creating a Custom Service HTTP Signature

Creating a Custom Service FTP Signature

Creating a Custom ATOMIC.ARP Engine Signature

Creating a Custom ATOMIC.IP Engine Signature

Creating a Custom TCP Sweep Signature

Creating a Custom ICMP Sweep Signature

Creating a Custom Trojan Engine Signature

Enabling Shunning and Blocking (Enabling Blocking Properties)

Enabling the TCP Reset Function

Configure Cisco IronPort WSA

Configuring WCCP

Active Dir Integration

Custom Categories

HTTPS Config

Services Configuration (Web Reputation)

Configuring Proxy By-pass Lists

Web proxy modes

Application visibility and control

4. Identity Management

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding the AAA Framework

Understanding the RADIUS Protocol

Understanding RADIUS Attributes (Cisco AV-PAIRS)

Understanding the TACACS+ Protocol

Understanding TACACS+ Attributes

Comparison of RADIUS and TACACS+

Configuring Basic LDAP Support

Overview of Cisco Secure ACS

How to Navigate Cisco Secure ACS

Cisco Secure ACS – Network Settings Parameters

Cisco Secure ACS – User Settings Parameters

Cisco Secure ACS – Group Settings Parameters

Cisco Secure ACS – Shared Profiles Components (802.1X, NAF, NAR, Command Author, Downloadable ACL, etc.)

Cisco Secure ACS – Shell Command Authorization Sets Using Both Per-Group Setup and Shared Profiles

Cisco Secure ACS – System Configuration Parameters

Enabling AAA on a Router for vty Lines

Enabling AAA on a Switch for vty Lines

Enabling AAA on a Router for HTTP

Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols

Using Default vs. Named Method Lists

Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles

Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through Traffic (FTP, Telnet, and HTTP), and Relevant Cisco ISE Profiles

Using Virtual Telnet on the Cisco ASA Security Appliance

Using Virtual HTTP on the Cisco ASA Security Appliance

Downloadable ACLs

AAA 802.1X Authentication Using RADIUS on a Switch

NAC-L2-802.1X on a Switch

NAC-L2-IP on a Switch

Troubleshooting Failed AAA Authentication or Authorization

Troubleshooting Using Cisco Secure ACS Logs

Cisco Identity Services Engine Configuration and Initialization

ISE authZ result handling

ISE Profiling Configuration (Probes)

ISE Guest Services

ISE Posture Assessment

ISE Client Provisioning (CPP)

ISE Configuring AD Integration/Identity Sources

ISE support for 802.1x

ISE MAB support

ISE Web Auth support

ISE definition and support for VSAs

Support for MAB in Cisco IOS

Support for Web Auth in Cisco IOS

Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance

Understanding and Interpreting the debug radius Command

Understanding and Interpreting the debug tacacs+ Command

Understanding and Interpreting the debug aaa authentication Command

Understanding and Interpreting the debug aaa authorization Command

Understanding and Interpreting the debug aaa accounting Command

5. Perimeter Security and Services

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)

Understanding Security Levels (Same Security Interface)

Understanding Single vs. Multimode

Understanding Firewall vs. Transparent Mode

Understanding Multiple Security Contexts

Understanding Shared Resources for Multiple Contexts

Understanding Packet Classification in Multiple-Contexts Mode

VLAN Subinterfaces Using 802.1Q Trunking

Multiple-Mode Firewall with Outside Access

Single-Mode Firewall Using the Same Security Level

Multiple-Mode, Transparent Firewall

Single-Mode, Transparent Firewall with NAT

ACLs in Transparent Firewall (for Pass-Through Traffic)

Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)

Understanding Static vs. Dynamic Routing

Static Routes

RIP with Authentication

OSPF with Authentication

EIGRP with Authentication

Managing Multiple Routing Instances

Redistribution Between Protocols

Route Summarization

Route Filtering

Static Route Tracking Using an SLA

Dual ISP Support Using Static Route Tracking

Redundant Interface Pair

LAN-Based Active/Standby Failover (Routed Mode)

LAN-Based Active/Active Failover (Routed Mode)

LAN-Based Active/Standby Failover (Transparent Mode)

LAN-Based Active/Active Failover (Transparent Mode)

Stateful Failover Link

Device Access Management

Enabling Telnet

Enabling SSH

The nat-control Command vs. no nat-control Command

Enabling Address Translation (NAT, Global, and Static) Pre & Post 8.4

NAT Objects

Context-Aware firewall

Identity Firewall

Using ASDM and Cisco Prime

Policy NAT

Destination NAT

Bypassing NAT When NAT Control Is Enabled Using Identity NAT

Bypassing NAT When NAT Control Is Enabled Using NAT Exemption

Port Redirection Using NAT

Tuning Default Connection Limits and Timeouts

Basic Interface Access Lists and Access Group (Inbound and Outbound)

Time-Based Access Lists

ICMP Commands

Enabling Syslog and Parameters

NTP with Authentication

Object Groups (Network, Protocol, ICMP, and Services)

Nested Object Groups

URL Filtering

Java Filtering

ActiveX Filtering

ARP Inspection

Modular Policy Framework (MPF)

Application-Aware Inspection

Identifying Injected Errors in Troubleshooting Scenarios

Understanding and Interpreting Adaptive Security Appliance show and debug Outputs

Understanding and Interpreting the packet-tracer and capture Commands

Cisco IOS Firewalls

Zone-Based Policy Firewall Using Multiple-Zone Scenarios

User-Based Firewall

Secure-Group Firewall

Transparent Cisco IOS Firewall (Layer 2)

Context-Based Access Control (CBAC)

Proxy Authentication (Auth Proxy)

Port-to-Application Mapping (PAM) Usage with ACLs

Use of PAM to Change System Default Ports

PAM Custom Ports for Specific Applications

Mapping Nonstandard Ports to Standard Applications

Performance Tuning

Tuning Half-Open Connections

Understanding and Interpreting the show ip port-map Commands

Understanding and Interpreting the show ip inspect Commands

Understanding and Interpreting the debug ip inspect Commands

Understanding and Interpreting the show zone|zone-pair Commands

Understanding and Interpreting the debug zone Commands

Cisco IOS Services

Marking Packets Using DSCP and IP Precedence and Other Values

Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)

RTBH Filtering (Remote Triggered Black Hole)

Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)

Managing Time-Based Access Lists

Enabling NAT and PAT on a Router

Conditional NAT on a Router

Multihome NAT on a Router

CAR Rate Limiting with Traffic Classification Using ACLs

PBR (Policy-Based Routing) and Use of Route Maps

Traffic Policing on a Router

Traffic Characterization

Packet Classification

Packet-Marking Techniques

6. Confidentiality and Secure Access

Implement, Optimize, Troubleshoot, IPv4/IPv6 Content

Understanding Cryptographic Protocols (ISAKMP, IKEv1 and IKEv2, ESP, Authentication Header, CA)

IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance

Configuring VPNs Using ISAKMP Profiles

Configuring VPNs Using IPsec Profiles

GRE over IPsec Using IPsec Profiles

Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)

Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)

Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)

Understanding DMVPN Architecture (NHRP, mGRE, IPsec, Routing)

DMVPN Using NHRP and mGRE (Hub-and-Spoke)

DMVPN Using NHRP and mGRE (Full-Mesh)

DMVPN Through Firewalls and NAT Devices

Understanding GETVPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)

Implementing GETVPN (Using Preshared Keys and Certificates)

GETVPN Unicast Rekey

GETVPN Multicast Rekey

GETVPN Group Member Authorization List

GETVPN Key Server Redundancy

GETVPN Through Firewalls and NAT Devices

Integrating GET VPN with a DMVPN Solution

Basic VRF-Aware IPsec

Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)

CA Enrollment Process on a Router Client

CA Enrollment Process on a Cisco ASA Security Appliance Client

CA Enrollment Process on a PC Client

Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)

AnyConnect VPN Client on Cisco IOS Software

AnyConnect VPN Client on the Cisco ASA Security Appliance

Remote Access Using a Traditional Cisco VPN Client – on a Cisco IOS Router

Remote Access Using a Traditional Cisco VPN Client – on a Cisco ASA Security Appliance

Cisco Easy VPN – Router Server and Router Client (Using DVTI)

Cisco Easy VPN – Router Server and Router Client (Using Classical Style)

Cisco Easy VPN – Cisco ASA Server and Router Client

Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)

Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance

Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance

Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance

Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance

High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)

High Availability Using Link Resiliency (with Loopback Interface for Peering)

High Availability Using HSRP and RRI

High Availability Using IPsec Backup Peers

High Availability Using GRE over IPsec (Dynamic Routing)

Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance

Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)

Understanding and Interpreting the show crypto Commands

Understanding and Interpreting the debug crypto Commands

AnyConnect VPN including DAP support

MACsec (switch-switch, host-switch)

Wireless Security on AP and WLC

EAP methods

WPA/WPA-2

WIPS