Ccie Security Lab Checklist
alireza-hemmati -
8/9/2019 Ccie Security Lab Checklist
CCIE Security Lab Exam v4.0 Checklist
Expansion of the Security Lab v4.0 Exam Topics
Detailed Checklist of Topics to Be Covered
Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.
We would like to get your feedback; please comment and/or rate this document.
1 System Hardening and Availability
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)
Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane
Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane
Configuring Control Plane Policing (CoPP)
Control Plane Rate Limiting
Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)
Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)
MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces
Configuring Routing Protocol Authentication
Route Filtering and Protocol-Specific Filters
ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect, IP Mask Reply, etc.)
Selective Packet Discard (SPD)
MQC and FPM Types of Service Policy on the CoPP Interface
Broadcast Control on a Switch
Catalyst Switch Port Security
IPv6 Selective Packet Discard
Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)
The Generalized TTL Security Mechanism Known as BGP TTL Security Hack (BTSH)
Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)
SNMP Security
System Banners
Secure Cisco IOS File Systems
Understanding and Enabling Syslog
NTP with Authentication
Role-Based CLI Views and Cisco Secure ACS Setup
Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)
Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, SNMP, Syslog, RMON)
2 Threat Identification and Mitigation
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Implementing RFC 1918 Antispoofing Filtering
Implementing RFC 2 Antispoofing Filtering
Implementing RFC 2401 Antispoofing Filtering
Enabling a TCP Intercept on a Router
Enabling a TCP Intercept on the Cisco ASA Security Appliance
FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps
Classification Using NBAR
Understanding and Enabling NetFlow on a Router
Port Security on a Switch
Storm Control on a Switch
Private VLAN (PVLAN) on a Switch
Port Blocking on a Switch
Port ACL on a Switch
MAC ACL on a Switch
VLAN ACL on a Switch
Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch
DHCP Snooping on a Switch
IP Source Guard on a Switch
Dynamic ARP Inspection (DAI) on a Switch
SeND or ND Protection
IPv6 First Hop Security
Disabling DTP on All Nontrunking Access Ports
Concept of Proactive vs. Reactive Measures
Knowledge of Protocols: TCP, UDP, HTTP, SMTP, ICMP, FTP
Knowledge of Common Attacks: Network Reconnaissance, IP Spoofing, DHCP Snooping, DNS Spoofing, MAC Spoofing, ARP Snooping, Fragment Attack, Smurf Attack, TCP SYN Attack
Understanding and Interpreting ARP Header Structure
Understanding and Interpreting IP Header Structure
Understanding and Interpreting TCP Header Structure
Understanding and Interpreting UDP Header Structure
Understanding and Interpreting HTTP Header Structure
Understanding and Interpreting ICMP Header Structure
Understanding and Interpreting ICMP Type Name and Codes
Understanding and Interpreting Syslog Messages
Understanding and Interpreting Packet Capture Outputs (Sniffer, Ethereal, Wireshark, TCPDump)
Understanding Different Types of Attack Vectors
Interpreting Various show and debug Outputs
Classifying Attack Patterns Using FPM
Memorizing Common Protocol and Port Numbers
Preventing an ICMP Attack Using ACLs
Preventing an ICMP Attack Using NBAR
Preventing an ICMP Attack Using Policing
Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
Preventing a SYN Attack Using ACLs
Preventing a SYN Attack Using NBAR
Preventing a SYN Attack Using Policing
Preventing a SYN Attack Using CBAC
Preventing a SYN Attack Using CAR
Preventing a SYN Attack Using a TCP Intercept
Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
Preventing Application Protocol-Specific Attacks Using FPM (e.g., HTTP, SMTP)
Preventing Application Protocol-Specific Attacks Using NBAR (e.g., HTTP, SMTP)
Preventing Application Protocol-Specific Attacks Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance (e.g., HTTP, SMTP)
Preventing IP Spoofing Attacks Using Antispoofing ACLs
Preventing IP Spoofing Attacks Using uRPF
Preventing IP Spoofing Attacks Using IP Source Guard
Preventing Fragment Attacks Using ACLs
Preventing MAC Spoofing Attacks Using Port Security
Preventing ARP Spoofing Attacks Using DAI
Preventing VLAN Hopping Attacks Using the switchport mode access Command
Preventing STP Attacks Using the Root Guard or BPDU Guard
Preventing DHCP Spoofing Attacks Using Port Security
Preventing DHCP Spoofing Attacks Using DAI
Preventing Port Redirection Attacks Using ACLs
3 Intrusion Prevention and Content Security
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)
Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)
Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)
Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)
Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring
Initialization Basic Sensor (IP Address, Mask, Default Route, etc.)
Troubleshooting Basic Connectivity Issues
Managing Sensor ACLs
Allowing Services Ping and Telnet from/to Cisco IPS
Enabling Physical Interfaces
Promiscuous Mode
Inline Interface Mode
Inline VLAN Pair Mode
VLAN Group Mode
Inline Bypass Mode
Interface Notifications
Understanding the Analysis Engine
Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors
Understanding and Configuring Virtual Sensors (vs0, vs1)
Assigning Interfaces to the Virtual Sensor
Understanding and Configuring Event Action Rules (rules0, rules1)
Understanding and Configuring Signatures (sig0, sig1)
Adding Signatures to Multiple Virtual Sensors
Understanding and Configuring Anomaly Detection (ad0, ad1)
Using the Cisco IDM (IPS Device Manager)
Using Cisco IDM Event Monitoring
Displaying Events Triggered Using the Cisco IPS Console
Troubleshooting Events Not Triggering
Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)
SPAN and RSPAN
Rate Limiting
Configuring Event Action Variables
Target Value Ratings
Event Action Overrides
Event Action Filters
Configuring General Settings
General Signature Parameters
Alert Frequency
Alert Severity
Event Counter
Signature Fidelity Rating
Signature Status
Assigning Actions to Signatures
AIC Signatures
IP Fragment Reassembly
TCP Stream Reassembly
IP Logging
Configuring SNMP
Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)
Creating Custom Signatures (Using the CLI and Cisco IDM)
Understanding Various Types of Signature Engines
Understanding Various Types of Signature Variables
Understanding Various Types of Event Actions
Creating a Custom String TCP Signature
Creating a Custom Flood Engine Signature
Creating a Custom AIC MIME-Type Engine Signature
Creating a Custom Service HTTP Signature
Creating a Custom Service FTP Signature
Creating a Custom ATOMIC ARP Engine Signature
Creating a Custom ATOMIC IP Engine Signature
Creating a Custom TCP Sweep Signature
Creating a Custom ICMP Sweep Signature
Creating a Custom Trojan Engine Signature
Enabling Shunning and Blocking (Enabling Blocking Properties)
Enabling the TCP Reset Function
Configure Cisco Ironport WSA
Configuring WCCP
Active Dir Integration
Custom Categories
HTTPS Config
Services Configuration (Web Reputation)
Configuring Proxy Bypass Lists
Web proxy modes
Application visibility and control
4 Identity Management
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding the AAA Framework
Understanding the RADIUS Protocol
Understanding RADIUS Attributes (Cisco AV-PAIRS)
Understanding the TACACS+ Protocol
Understanding TACACS+ Attributes
Comparison of RADIUS and TACACS+
Configuring Basic LDAP Support
Overview of Cisco Secure ACS
How to Navigate Cisco Secure ACS
Cisco Secure ACS Network Settings Parameters
Cisco Secure ACS User Settings Parameters
Cisco Secure ACS Group Settings Parameters
Cisco Secure ACS Shared Profiles Components (
Enabling AAA on a Router for vty Lines
Enabling AAA on a Switch for vty Lines
Enabling AAA on a Router for HTTP
Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols
Using Default vs. Named Method Lists
Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles
Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through Traffic (FTP, Telnet, and HTTP), and Relevant Cisco ISE Profiles
Using Virtual Telnet on the Cisco ASA Security Appliance
Using Virtual HTTP on the Cisco ASA Security Appliance
Downloadable ACLs
AAA
Understanding and Interpreting the debug aaa accounting Command
5 Perimeter Security and Services
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)
Understanding Security Levels (Same Security Interface)
Understanding Single vs. Multimode
Understanding Firewall vs. Transparent Mode
Understanding Multiple Security Contexts
Understanding Shared Resources for Multiple Contexts
Understanding Packet Classification in Multiple-Contexts Mode
VLAN Subinterfaces Using
Stateful Failover Link
Device Access Management
Enabling Telnet
Enabling SSH
The nat-control Command vs. no nat-control Command
Enabling Address Translation (NAT, Global, and Static) Pre Post
User-Based Firewall
Secure-Group Firewall
Transparent Cisco IOS Firewall (Layer 2)
Context-Based Access Control (CBAC)
Proxy Authentication (Auth Proxy)
Port-to-Application Mapping (PAM) Usage with ACLs
Use of PAM to Change System Default Ports
PAM Custom Ports for Specific Applications
Mapping Nonstandard Ports to Standard Applications
Performance Tuning
Tuning Half-Open Connections
Understanding and Interpreting the show ip port-map Commands
Understanding and Interpreting the show ip inspect Commands
Understanding and Interpreting the debug ip inspect Commands
Understanding and Interpreting the show zone|zone-pair Commands
Understanding and Interpreting the debug zone Commands
Cisco IOS Services
Marking Packets Using DSCP and IP Precedence and Other Values
Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
RTBH Filtering (Remote Triggered Black Hole)
Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)
Managing Time-Based Access Lists
Enabling NAT and PAT on a Router
Conditional NAT on a Router
Multihome NAT on a Router
CAR Rate Limiting with Traffic Classification Using ACLs
PBR (Policy-Based Routing) and Use of Route Maps
Traffic Policing on a Router
Traffic Characterization
Packet Classification
Packet-Marking Techniques
6 Confidentiality and Secure Access
Implement, Optimize, Troubleshoot, IPv4/IPv6 Content
Understanding Cryptographic Protocols (ISAKMP, IKEv1 and IKEv2, ESP, Authentication Header, CA)
IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
Configuring VPNs Using ISAKMP Profiles
Configuring VPNs Using IPsec Profiles
GRE over IPsec Using IPsec Profiles
Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)
Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)
Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
Understanding DMVPN Architecture (NHRP, mGRE, IPsec, Routing)
DMVPN Using NHRP and mGRE (Hub-and-Spoke)
DMVPN Using NHRP and mGRE (Full-Mesh)
DMVPN Through Firewalls and NAT Devices
Understanding GETVPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)
Implementing GETVPN (Using Preshared Keys and Certificates)
GETVPN Unicast Rekey
GETVPN Multicast Rekey
GETVPN Group Member Authorization List
GETVPN Key Server Redundancy
GETVPN Through Firewalls and NAT Devices
Integrating GET VPN with a DMVPN Solution
Basic VRF-Aware IPsec
Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
CA Enrollment Process on a Router Client
CA Enrollment Process on a Cisco ASA Security Appliance Client
CA Enrollment Process on a PC Client
Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
AnyConnect VPN Client on Cisco IOS Software
AnyConnect VPN Client on the Cisco ASA Security Appliance
Remote Access Using a Traditional Cisco VPN Client on a Cisco IOS Router
Remote Access Using a Traditional Cisco VPN Client on a Cisco ASA Security Appliance
Cisco Easy VPN Router Server and Router Client (Using DVTI)
Cisco Easy VPN Router Server and Router Client (Using Classical Style)
Cisco Easy VPN Cisco ASA Server and Router Client
Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance
Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)
High Availability Using Link Resiliency (with Loopback Interface for Peering)
High Availability Using HSRP and RRI
High Availability Using IPsec Backup Peers
High Availability Using GRE over IPsec (Dynamic Routing)
Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)
Understanding and Interpreting the show crypto Commands
Understanding and Interpreting the debug crypto Commands
Anyconnect VPN including DAP support
MACsec (switch-switch, Host-switch)
Wireless Security on AP and WLC
EAP methods
WPA/WPA2
WIPS