SECURE - Securing Networks with Cisco Routers and Switches

$3,495.00


  • classroom

  • virtual

  • Onsite

Duration: 5 Days

In this class, you will learn the industry best practices for securing your Cisco routers and switches. You will learn to secure switches, including advanced Layer 2 security and Identity-Based Networking Services (IBNS) based on IEEE 802.1X. You will cover network platform security, VPN, firewall, and IPS, and you will learn to secure a router's control, data, and management planes.

You will spend a large portion of the class on advanced VPN topics, including:

  • Using digital certificates for VPN authentication
  • GRE over IPsec
  • Virtual Tunnel Interfaces
  • Dynamic Multipoint VPN (DMVPN)
  • Group Encryption Transport VPN (GET VPN)
  • Remote access IPsec VPN with the Easy VPN Server
  • Cisco VPN Client and Easy VPN Remote (hardware client)
  • SSL VPN

A Proven Impact Exclusive: Bonus Lab Credits

You'll receive five extra SECURE e-Lab credits (good for 30 days) to review a topic after class, refine your skills, or get in extra practice, whatever lab activities complete your training.

What You Will Learn


  • Advanced IOS security technologies for locking down routers and switches: 802.1X, CoPP/CPPr, and user-based authentication
  • Various VPN technologies and their use in production environments: DMVPN, GRE, GRE over IPsec, IPsec, GET VPN, EzVPN, and SSL VPN
  • IOS IPS exploration with IME and Cisco configuration professional
  • Launch live attacks against the network using BackTrack4 and learn mitigation techniques
  • Use Cisco IME software to monitor alerts from the IOS IPS process
  • Use the new Cisco Configuration Professional tool to configure IPS
  • Advanced IPS topics: event action overrides, event action filters, signature tuning, and custom signature creation

Audience


  • Internetwork professionals who want to ensure security of their network using IOS devices
  • Anyone seeking to learn the latest features in IOS 15.0 code to evaluate for their production environments
  • Internetwork professionals who seek CCNP Security certification

Prerequisites


Course Outline


1. Network Foundation Controls

  • Control, Data, and Management Planes

2. Advanced Switched Data Plane Security Controls

  • Common Layer 2 Attacks
  • PVLANs
  • DHCP Attacks
  • ARP Poisoning
  • IP Source Guard

3. Cisco Identity-Based Network Services

  • 802.1X Overview
  • ACS Integration with 802.1X
  • Cisco Secure Services Client
  • EAP Overview

4. Basic 802.1X Features

  • 802.1X Switch Configuration
  • ACS and EAP-FAST Configuration
  • CSSC as an 802.1X Supplicant

5. Advanced Routed Data Plane Security Controls

  • Unicast Reverse Path Forwarding
  • Flexible Packet Matching Configuration
  • Flexible Netflow

6. Advanced Control Plane Security Controls

  • Deploy Infrastructure ACLs
  • Control Plane Policing
  • Control Plane Protection
  • Routing Protocol Authentication
  • Routing Protocol Filtering

7. Advanced Management Plane Security Controls

  • Configure IOS Software Management Access Controls
  • Configure Role-Based Access Controls
  • Configure SNMP in IOS
  • Digitally Signed IOS Images
  • CPU and Memory Thresholding

8. Cisco IOS Software Network Address Translation

  • IOS Static NAT and PAT Configurations
  • IOS Dynamic NAT and PAT Configurations

9. Basic Zone-Based Policy Firewalls

  • Zone-Based Policy Firewalls Zone Pairs
  • Configure Layer 3/4 Inter-Zone Access Policies
  • Configure Layer 3/4 Intra-Zone Access Policies
  • ZBPFW Inspection of Control Plane and Management Plane Traffic
  • Tune ZBPFW Stateful Engine and Connection Settings
  • Configure ZBPFW Transparent Mode and VRF Support

10. Advanced Zone-Based Policy Firewalls

  • Configure Layer 7 Zone-Based Policy Firewalls
  • Configure Zone-Based Policy Firewalls with User Policies
  • Configure Zone-Based Policy Firewall URL Filtering

11. Cisco IOS Software IPS

  • IOS IPS Signature Policies
  • Tune Cisco IOS Software IPS Signature Policies
  • IPS Signature Auto Update
  • Select an IPS Monitoring Solution

12. Site-to-Site VPN Architectures and Technologies

  • Cryptographic Controls

13. VTI-Based Site-to-Site IPsec VPNs

  • Virtual Tunnel Interfaces
  • Pre-Shared Keys
  • Static VTIs
  • Dynamic VTIs

14. Scalable Authentication in Site-to-Site IPsec VPNs

  • PKI Overview
  • Configure the IOS Certificate Server
  • IOS CA and PKI enrollment

15. DMVPNs

  • Generic Routing Encapsulation (GRE)
  • NHRP Client and Server
  • DMVPN Hub and Spoke Configurations
  • Verify Dynamic Routing in a DMVPN Environment

16. High Availability in Tunnel-Based IPsec VPNs

  • IPsec High Availability Features
  • Routing Protocols for HA
  • Mitigating Failures in VTI Environments
  • Mitigating Failures in a DMVPN Environment

17. Group Encrypted Transport (GET) VPN

  • Configuring Key Servers
  • Configuring Group Members
  • High Availability

18. Remote Access VPN Architectures and Technologies

  • Cryptographic Controls

19. Remote Access Solutions Using SSL VPN

  • SSL VPN Overview
  • Configure SSL VPN Parameters
  • Configure Client Authentication Policies
  • Full VPN tunnels
  • AnyConnect Client
  • Clientless VPN Configuration

20. Remote Access Solutions Using EZVPN

  • EzVPN with Dynamic VTIs
  • Cisco IPsec VPN Client
  • Configure Advanced EzVPN Functionality
  • Configure PKI for EzVPN

Course Labs


Lab 0: Exclusive - Introduction to the Remote Lab System

  • Remote Labs Familiarity

Lab 1: Enhanced - Advanced L2 Security

  • Port ACLs
  • VACLs
  • PVLAN Edge
  • Proxy Router Attacks
  • DHCP Snooping
  • DAI
  • IP Source Guard

Lab 2: Enhanced - Network Foundation Protection

  • Routing Protocol Authentication (EIGRP & OSPF)
  • SNMPv3
  • Flexible Netflow
  • uRPF
  • Management Plane Protection
  • Data Plane Protection

Lab 3: Enhanced - IOS Zone Based Firewalls

  • Basic Zone Configuration
  • Attack Mitigation
  • URL Filtering
  • HTTP Deep Packet Inspection
  • Stateful Inspections

Lab 4: Enhanced - IOS IPS

  • Loading Signature Definition Files
  • Basic Configuration
  • De-Obfuscation
  • IPS Manager Express
  • Signature Actions

Lab 5: Enhanced - Site-to-Site VPN using PKI and VTIs

  • Using VTIs
  • IOS CA
  • Enrollments
  • VPN Configuration

Lab 6: Enhanced - DMVPN

  • Hub Site Configuration
  • Spoke Site One Configuration
  • Spoke Site Two Configuration
  • Routing Configuration
  • Test and Verify DMVPN Connectivity

Lab 7: Enhanced - GET VPNs

  • OSPF Configuration
  • NAT Configuration
  • Key Server Configuration
  • Group Member Configuration
  • Configuring other GMs

Lab 8: Enhanced - EzVPN

  • EzVPN Server Wizard in CCP
  • EzVPN Software-Based Client
  • EzVPN Hardware-Based Client
  • Interactive Authentication for Hardware Clients
  • Network Extension Mode

Additional Hands-On Labs Available as an Appendix to the Lab Guide

Lab A-1: Exclusive - AAA with 802.1X Security

  • RADIUS Configuration
  • Restricted VLANs
  • Guest VLANs
  • CSSC
  • Dynamic VLAN Assignment

Lab A-2: Exclusive - SSL Based VPNs

  • Configure Clientless SSL VPN Access
  • Configure and Test Port Forwarding
  • Configure and Test Full Tunnel AnyConnect SSL VPN
  • Configure and Test Cisco Secure Desktop

Lab A-3: IOS Best Practices

  • Work with the BOGON List
  • Securing the IOS with AutoSecure
  • Investigating an Attack
  • Beyond What the Auditors Expect

Lab A-4: Site-to-Site VPN Using VTIs and PKI

  • Configure an IOS PKI Server
  • Assign an SSL Trustpoint in CCP
  • Enroll the IOS-FW with the CA Server via CCP
  • Configure the IOS-FW for VPN via CCP
  • Enroll the Site1-Rtr with the CA via the CLI
  • Configure the Site1-Rtr for VPN via the CLI
  • Test and Verify the VPN