African Safari 2009
Security in the Cisco Academy
Gratitude Kudyachete
EA-CATC
AFRALTI
April 2009
Africa Academy Safari 2009
Agenda
Why Security?
Security in IT E I
Security in IT E II
Security in CCNA Discovery
Security in CCNA Exploration
Security in CCNP – ISCW
Network Security I & II
Major points – current curricula and security
CCNA Security
Q&A
Why Security?
If security is compromised, serious consequences result, such as loss of privacy, theft of information and legal liability.
The types of potential threats to security are always evolving.
E-business and Internet applications continue to grow; open networks cannot be avoided.
Security has moved to the forefront of network management and implementation, and this is evident in the Academy curricula.
Security in IT E I
Mainly in chapters 9 & 16
Major issues:
Security Threats – physical, data, internal vs external
Security procedures/techniques
Preventive maintenance techniques
Troubleshooting security
IT Essentials
Security in IT E – Security procedures
Identify: assets, threats
Define: incident handling, emergency procedures, allowed & prohibited behaviour, security framework, security techniques, ...
Physical: access control, cable locks, security cages, RFID tags, locked rooms
Logical: password protection, data encryption, port protection, backup, file system security
Wireless: WEP, WPA, WPA2 (802.11i), LEAP, MAC filtering, SSID broadcast, WTLS. (Of these, WEP and LEAP are broken and should not be relied on; MAC filtering and hiding the SSID only deter casual access, since both are trivially bypassed by anyone sniffing the channel.)
Preventive maintenance on security
OS updates – automatic, notify, download only, off (no updates)
Antivirus & antispyware – update signature files
Account maintenance – terminate employee access, guest access, group by job functions
Data backup & access
Security components & techniques
The following techniques & components are discussed:
• Passwords – the minimum requirement
• Logging & auditing
• Encryption – encoding data for purposes such as
  • Hashing
  • Symmetric encryption
  • Asymmetric encryption
• Virtual private networks
• Firewalls – hardware & software, and could be
  • Packet filter
  • Proxy firewall
  • Stateful packet inspection
• IDS
Security expense versus cost of loss helps establish the tradeoffs.
IT E II – unsupported
Mainly in chapters 5, 8, 9, 10, 14
Major issues:
Remote Administration & Access Services
Firewalls
Directory & file permissions
Administrative accounts & login privileges
Security threats, security implementation, patches & upgrades
IT Essentials
Security in CCNA Discovery
Module 1 – chapters 2, 7, 8
Module 2 – chapters 4, 8
Module 3 – chapters 1, 2, 3, 4, 5, 6, 7, 8
Module 4 – chapters 1, 5, 7, 8
Major issues are:
• Basic security – policy, threats, attacks, techniques
• Patching OS and applications
• Wireless LAN security
• ISP security
• VPNs, NAT/PAT, ACLs
• Switch security, VLANs
• Routing update and PPP authentication
• Security from a design perspective
CCNA Discovery
Security in CCNA Exploration
Module 1 – chapter 1
Module 3 – chapters 2, 3, 7
Module 4 – chapters 2, 4, 5, 6, 7
Issues covered include:
• Network security – threats, mitigation, policy
• Security goals & measures
• Switch security, router security
• Wireless LAN security
• PPP authentication
• ACLs, VPNs, SDM, NAT/PAT
CCNA Exploration
Proving security
Security measures taken in a network should:
• Prevent unauthorized disclosure or theft of information
• Prevent unauthorized modification of information
• Prevent Denial of Service
Means to achieve these goals include:
• Ensuring confidentiality
• Maintaining communication integrity
• Ensuring availability
Primary classes of attacks
• Reconnaissance attacks – Internet information queries, ping sweeps, port scans, packet sniffers
• Access attacks – password attacks, trust exploitation, port redirection, man-in-the-middle attacks
• DoS – Ping of Death, SYN flood, DDoS, …
• Malicious software – virus, worm, Trojan horse; worms require containment, inoculation, quarantine and treatment
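Reconnaissance is the class most often visible in flow records before anything else happens. The script below is an added example, not part of the slides: it runs a simple sliding-window detector for ping sweeps (one source probing many hosts with ICMP) and port scans (one source touching many ports on one host) over constructed flow records. The record format, thresholds and window are assumptions; a real deployment would feed it NetFlow/IPFIX or firewall logs and tune the thresholds to the network.

```python
"""Flag reconnaissance traffic (ping sweeps and port scans) in flow records.

Added example, not from the slides.  The flow records are constructed;
in practice they would come from NetFlow/IPFIX export or firewall logs.
The thresholds and window are assumptions to be tuned per network.
"""
from collections import defaultdict

WINDOW_SECONDS = 60        # look-back window for counting distinct targets
PORT_SCAN_THRESHOLD = 10   # distinct ports on one host within the window
PING_SWEEP_THRESHOLD = 8   # distinct hosts probed with ICMP within the window

# Constructed sample flows: (timestamp, src_ip, dst_ip, protocol, dst_port).
# ICMP flows carry dst_port None.
SAMPLE_FLOWS = (
    # attacker 10.0.0.5 pings twelve consecutive hosts in twelve seconds ...
    [(t, "10.0.0.5", f"192.168.1.{t + 1}", "icmp", None) for t in range(12)]
    # ... then walks twelve service ports on one of them
    + [(20 + i, "10.0.0.5", "192.168.1.7", "tcp", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    # ordinary client 10.0.0.9: web traffic to the same host plus two pings
    + [(t, "10.0.0.9", "192.168.1.7", "tcp", 443 if t % 10 else 80) for t in range(0, 40, 5)]
    + [(3, "10.0.0.9", "192.168.1.1", "icmp", None),
       (30, "10.0.0.9", "192.168.1.1", "icmp", None)]
)


def max_distinct_in_window(events, window):
    """Largest number of distinct keys seen within any `window` seconds.

    events: list of (timestamp, key).  Two-pointer sweep over the sorted list.
    """
    events = sorted(events)
    counts = {}
    left = best = 0
    for ts, key in events:
        counts[key] = counts.get(key, 0) + 1
        while events[left][0] < ts - window:      # drop events that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_recon(flows, window=WINDOW_SECONDS,
                 scan_threshold=PORT_SCAN_THRESHOLD,
                 sweep_threshold=PING_SWEEP_THRESHOLD):
    """Return {"port_scan": [(src, dst, ports)], "ping_sweep": [(src, hosts)]}."""
    ports_per_pair = defaultdict(list)   # (src, dst) -> [(ts, dst_port)]
    icmp_per_src = defaultdict(list)     # src -> [(ts, dst)]
    for ts, src, dst, proto, dport in flows:
        if proto == "icmp":
            icmp_per_src[src].append((ts, dst))
        else:
            ports_per_pair[(src, dst)].append((ts, dport))

    findings = {"port_scan": [], "ping_sweep": []}
    for (src, dst), events in ports_per_pair.items():
        n = max_distinct_in_window(events, window)
        if n >= scan_threshold:
            findings["port_scan"].append((src, dst, n))
    for src, events in icmp_per_src.items():
        n = max_distinct_in_window(events, window)
        if n >= sweep_threshold:
            findings["ping_sweep"].append((src, n))
    return findings


if __name__ == "__main__":
    for kind, hits in detect_recon(SAMPLE_FLOWS).items():
        for hit in hits:
            print(kind, *hit)
```

On the constructed input the ordinary client never trips either threshold, while the attacker is reported for both a twelve-host sweep and a twelve-port scan. A slow scanner that spreads probes over longer than the window evades this detector; lengthening the window or counting per day trades that off against false positives from busy legitimate clients.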
Securing Cisco Routers
Because routers provide gateways to other networks, they are obvious targets and are subject to a variety of attacks.
Secure Routing Protocols
Major attacks: disrupt a peer, falsify routing information.
Mitigations that can be configured: passive interfaces (no updates sent where no peer should exist) and neighbour authentication.

R1(config)# router rip
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface se0/0/0
R1(config)# key chain RIP_KEY
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string cisco
R1(config)# int se0/0/0
R1(config-if)# ip rip authentication mode md5
R1(config-if)# ip rip authentication key-chain RIP_KEY

(passive-interface is a router-configuration command, so it is entered under router rip, not at the global prompt. The key-string "cisco" is a placeholder from the slide; use a long random secret and the same key chain on every neighbour.)
EIGRP and OSPF support equivalent MD5 neighbour authentication.
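What "ip rip authentication mode md5" actually does on the wire is a keyed-MD5 trailer on every RIPv2 update, defined in RFC 2082. The Python below is an added example, not code from the slides or from Cisco: it builds an authenticated RIPv2 Response following RFC 2082's layout (header, an authentication entry carrying key ID and sequence number, the routes, then a 0xFFFF/0x0001 trailer holding the digest), verifies it against a key chain, and shows that a falsified metric, a replayed sequence number and a wrong key are all rejected. Routes, sequence numbers and the key are constructed; note that RFC 2082 keyed MD5 is MD5(packet || key) with the key used as 16 bytes, not HMAC-MD5.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082): what `ip rip authentication
mode md5` puts on the wire.  Added example, not from the slides; the routes,
sequence numbers and key are constructed.  RFC 2082 keyed MD5 is
MD5(packet || key), not HMAC-MD5; the key is used as 16 bytes (zero-padded
or truncated).
"""
import hashlib
import hmac
import socket
import struct

KEYED_MD5 = 3          # RFC 2082 authentication type
ENTRY_LEN = 20         # every RIP entry, including the auth entry, is 20 bytes
HDR_LEN = 4            # command, version, zero


def _key16(key: bytes) -> bytes:
    return key[:16].ljust(16, b"\x00")


def build_rip_update(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """Build an authenticated RIPv2 Response.  routes: (prefix, mask, next_hop, metric)."""
    header = struct.pack("!BBH", 2, 2, 0)                      # Response, version 2
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(p), socket.inet_aton(m),
                    socket.inet_aton(nh), metric)
        for p, m, nh, metric in routes)
    offset = HDR_LEN + ENTRY_LEN + len(body)                   # where the trailer starts
    auth = struct.pack("!HHHBBI8s", 0xFFFF, KEYED_MD5, offset, key_id, 16, seq, bytes(8))
    trailer_head = struct.pack("!HH", 0xFFFF, 0x0001)
    signed_part = header + auth + body + trailer_head
    digest = hashlib.md5(signed_part + _key16(key)).digest()   # digest replaces the key
    return signed_part + digest


def verify_rip_update(packet: bytes, key_chain: dict, last_seq: int):
    """Return (accepted, reason, new_last_seq).  key_chain maps key id -> key bytes."""
    if len(packet) < HDR_LEN + 2 * ENTRY_LEN:
        return False, "too short", last_seq
    afi, atype, offset, key_id, alen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != 0xFFFF or atype != KEYED_MD5 or alen != 16:
        return False, "no keyed-md5 auth entry", last_seq
    if offset + 4 + 16 != len(packet) or packet[offset:offset + 4] != b"\xff\xff\x00\x01":
        return False, "bad length or trailer", last_seq
    key = key_chain.get(key_id)
    if key is None:
        return False, "unknown key id", last_seq
    expected = hashlib.md5(packet[:offset + 4] + _key16(key)).digest()
    if not hmac.compare_digest(expected, packet[offset + 4:]):
        return False, "bad digest", last_seq
    if seq <= last_seq:          # replay check; strictly increasing is the policy assumed here
        return False, "replayed sequence", last_seq
    return True, "ok", seq


def demo():
    """Genuine, falsified, replayed and wrong-key updates against one key chain."""
    key_chain = {1: b"cisco"}    # the slide's key-string; use a strong secret in practice
    routes = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 1),
              ("10.2.0.0", "255.255.0.0", "0.0.0.0", 2)]
    pkt = build_rip_update(routes, key_chain[1], key_id=1, seq=100)

    forged = bytearray(pkt)      # attacker flips the first route's metric to 16 (unreachable)
    forged[HDR_LEN + ENTRY_LEN + ENTRY_LEN - 1] = 16

    return {
        "genuine": verify_rip_update(pkt, key_chain, last_seq=99),
        "forged": verify_rip_update(bytes(forged), key_chain, last_seq=99),
        "replayed": verify_rip_update(pkt, key_chain, last_seq=100),
        "wrong_key": verify_rip_update(pkt, {1: b"other"}, last_seq=99),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} accepted={result[0]} ({result[1]})")
```

Two practical points follow from the code: the digest covers the sequence number, so replay protection only works if every router remembers the last sequence number per neighbour, and the scheme's strength rests entirely on key secrecy, which is why a dictionary word as key-string buys little against an attacker who can capture one update.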
Security Device Manager (SDM)
An easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.
Covers firewall, VPN, IPS/IDS, NAT and router lockdown.
VPNs
VPNs carry private-network traffic over a public network; encapsulation (tunneling) and encryption are typically used. Tunneling alone (a plain GRE tunnel, for example) gives no confidentiality or integrity; those come from the encryption layer such as IPsec.
NAT/PAT
Adds a degree of privacy – hides internal IP addresses from outside networks. The security it adds is a side effect of translation state: unsolicited inbound packets match no mapping and are dropped, but NAT is not a substitute for a firewall or ACLs.
ip nat inside source ..    (translation rule, global configuration)
ip nat inside              (on the inside interface)
ip nat outside             (on the outside interface)
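The "hiding" that NAT/PAT provides is easiest to see as a stateful table. The class below is an added example, not code from the slides or from Cisco IOS: it models what the overload form of "ip nat inside source" does, mapping many inside (address, port) pairs onto one outside address, rewriting replies back, and dropping inbound packets for which no state exists. Addresses, ports and flows are constructed from the RFC 5737 documentation ranges.

```python
"""Port Address Translation (NAT overload) as a stateful translation table.

Added example, not from the slides; addresses, ports and flows are
constructed (RFC 5737 documentation ranges).  Models what
`ip nat inside source list ... interface ... overload` does, and shows that
"hiding" inside addresses is state-based, not a firewall rule.
"""


class PatTable:
    """Many inside (ip, port) pairs share one outside address, told apart by port."""

    def __init__(self, outside_ip, port_pool=range(1024, 65536)):
        self.outside_ip = outside_ip
        self._free_ports = iter(port_pool)
        # (inside_ip, inside_port, dst_ip, dst_port) -> outside_port
        self._outbound = {}
        # (outside_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self._inbound = {}

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside->outside packet; create state on first sight."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._outbound:
            oport = next(self._free_ports)          # StopIteration means the pool is exhausted
            self._outbound[key] = oport
            self._inbound[(oport, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.outside_ip, self._outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outside->inside packet, or return None to drop it.

        Only packets matching existing state reach an inside host: the
        protection NAT adds is exactly this absence of state, nothing more.
        """
        if dst_ip != self.outside_ip:
            return None
        inside = self._inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None                              # no translation: dropped
        return (src_ip, src_port, inside[0], inside[1])

    def translations(self):
        """Rows in the spirit of `show ip nat translations`: outside, inside, remote."""
        return sorted(
            (f"{self.outside_ip}:{oport}", f"{iip}:{iport}", f"{dip}:{dport}")
            for (iip, iport, dip, dport), oport in self._outbound.items())


def demo():
    nat = PatTable("198.51.100.1")
    # two inside hosts pick the same ephemeral source port for the same server
    a = nat.translate_outbound("192.168.1.10", 49152, "203.0.113.5", 80)
    b = nat.translate_outbound("192.168.1.11", 49152, "203.0.113.5", 80)
    reply_b = nat.translate_inbound("203.0.113.5", 80, "198.51.100.1", b[1])
    # unsolicited probe at a mapped port from a different source: no state, dropped
    probe = nat.translate_inbound("203.0.113.99", 4444, "198.51.100.1", a[1])
    return {"a": a, "b": b, "reply_b": reply_b, "probe": probe, "table": nat.translations()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The probe is dropped only because nothing matches; a remote party that already holds a mapping (the server the inside host talked to, or anyone spoofing its address and port) can reach the inside host through it, which is why the slides pair NAT with ACLs and a firewall rather than treating it as one.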
Wireless security protocols
WPA (based on a draft of 802.11i) uses TKIP; WPA2 (the ratified 802.11i) uses AES-CCMP. TKIP was a stopgap for WEP-era hardware; use WPA2 with AES wherever the equipment allows.
Security in CCNP ISCW
IPsec VPNs
MPLS VPN Technology
Cisco Device Hardening
Cisco IOS threat defense features
Network Security I – unsupported
Vulnerabilities, Threats and Attacks
Security Planning and Policy
Security Devices
Trust and Identity Technology
Cisco Secure Access Control Server
Configure Trust and Identity at Layer 2 and 3
Configuring Filtering on a Router
Configuring Filtering on a PIX Security Appliance
Configuring Filtering on a Switch
Network Security II – unsupported
Intrusion Detection and Prevention Technology and Implementation
Encryption and VPN Technology
Site-to-site VPNs with pre-shared keys
Site-to-site VPNs with digital certificates
Remote Access VPN
Security Network Architecture and Management
PIX Contexts, Failover and Management
Major points about security & current curricula
• It is evident that a lot of security concepts are covered
• Most of the treatment is introductory
• In Network Security I & II (unsupported) there is great depth & breadth of coverage
• CCNP (ISCW) – less breadth than NS 1 & 2 but still depth on specific issues
• There is a need for a curriculum that builds on what IT Essentials and CCNA give
CCNA Security Overview
Outline
CCNA Security Overview
Target Audience
Course Details
Equipment Requirements
Enrollment, Training and Support
Release Dates and Availability
Q&A
CCNA Security Overview
A new course that provides students with in-depth network security education and develops a comprehensive understanding of network security concepts
Provides students with the knowledge and skills to design and support network security
Provides an experience-oriented course to prepare for entry-level specialist jobs in network security
Prepares students for CCNA Security certification (IINS 640-553 exam)
The CCNA Security course IS NOT a replacement for the current Network Security 1 and Network Security 2 (NS1 and NS2) courses
Cisco Networking Academy Curricula Portfolio
(Diagram; courses ordered by increasing student networking knowledge and skills. Packet Tracer is used across the curricula.)
IT Essentials (IT Technician): IT Essentials: PC Hardware and Software
CCNA Discovery: Networking for Home and Small Businesses; Working at a Small-to-Medium Business or ISP; Introducing Routing and Switching in the Enterprise; Designing and Supporting Computer Networks
CCNA Exploration: Network Fundamentals; Routing Protocols and Concepts; LAN Switching and Wireless; Accessing the WAN
CCNA Security (Security)
CCNP (Network Professional): Building Scalable Internetworks; Implementing Secured Converged Wide-Area Networks; Building Multilayer Switched Networks; Optimizing Converged Networks
Security Certifications
(Diagram of the course-to-certification paths.)
Associate level: CCNA Security course → IINS (640-553) exam → CCNA Security certification. CCNA certification is a pre-requisite for CCNA Security certification.
Professional level, original CCSP: Network Security 1 & 2 (NS1/NS2) courses → SND, SNRS, SNPA, IPS and an elective exam → Cisco Certified Security Professional (CCSP) certification.
Professional level, revised CCSP: IINS (640-553), SNAF, IPS, SNRS and an elective exam → revised CCSP certification.
CCNA Security Target Audience
Career starters seeking career-oriented, entry-level Security specialist skills
Working professionals looking to enhance or change their careers
Students in degree programs at colleges or universities
Higher Education institutions and Universities
Course Details
• One-semester-long (~70-hour) course format
• Enabled for both ILT and Blended Distance Learning (BDL)
• Delivered in the same Graphical User Interface (GUI) as the CCNA Discovery and CCNA Exploration curricula
• 9 chapters
• One complex hands-on lab per chapter and Packet Tracer activities, provided as separate .zip files downloaded from AC; not packaged within the GUI
• 9 end-of-chapter exams, 1 final exam
• Available in English only; no translated versions are planned
Equipment Requirements
Goal is to minimize equipment costs
Uses the CCNA Discovery/Exploration equipment bundle and topology
NetLab-compatible topology, enabled for remote operation
Additional investment required for memory upgrade and Advanced IOS images

Description | Mfr. | Part Number | Qty.
Modular Router w/2xFE, 2 WAN slots, 32 FL/128 DR | Cisco | CISCO1841 | 3
128 to 192MB SODIMM DRAM factory upgrade for the Cisco 1841 | Cisco | MEM1841-64D | 2
64MB Cisco 1800 Compact Flash Memory | Cisco | MEM1800-64CF | 2
2-Port Async/Sync Serial WAN Interface Card | Cisco | WIC-2A/S or WIC-2T | 3
V.35 Cable, DTE Male to Smart Serial, 10 Feet | Cisco | CAB-SS-V35MT | 2
V.35 Cable, DCE Female to Smart Serial, 10 Feet | Cisco | CAB-SS-V35FC | 2
Catalyst 2960 24 10/100 + 2 1000BT LAN Base Image | Cisco | WS-C2960-24TT-L | 3
(Optional) Rackmount Kit for the 1841 | Cisco | ACS-1841-RM-19 | 3
Cisco IOS Release 12.4(20)T1 Advanced IP Services | Cisco | c1841-advipservicesk9-mz.124-20.T1.bin | 2
CCNA Security Course Outline
Course chapter titles and goals:
Ch. 1 Modern Network Security Threats – Goal: Explain network threats, mitigation techniques, and the basics of securing a network.
Ch. 2 Securing Network Devices – Goal: Secure administrative access on Cisco routers (roles, IOS, syslog, SNMP, lockdown).
Ch. 3 Authentication, Authorization and Accounting – Goal: Secure administrative access with AAA.
Ch. 4 Implementing Firewall Technologies – Goal: Implement firewall technologies to secure the network perimeter (ACLs, CBAC, zone-based policy firewall).
Ch. 5 Implementing Intrusion Prevention – Goal: Configure IPS to mitigate attacks on the network.
Ch. 6 Securing the Local Area Network – Goal: Describe LAN security considerations and implement endpoint and Layer 2 security features (CSA, wireless, VoIP).
Ch. 7 Cryptographic Systems – Goal: Describe methods for implementing data confidentiality and integrity (encryption, hashing, PKI, certificates).
Ch. 8 Implementing Virtual Private Networks – Goal: Implement secure virtual private networks (GRE, IPsec).
Ch. 9 Managing a Secure Network – Goal: Given the security needs of an enterprise, create and implement a comprehensive security policy (standards, guidelines & procedures, security design, risk analysis, management, BCP, SDLC).
Enrollment, Training & Support
Student enrollment pre-requisite: CCNA-level knowledge required
Instructor training guidelines:
• CCNA-level knowledge required
• Required for new CCNA Security instructors; fast track possible with evidence of CCNA Security or higher certification or industry experience
• Recommended for existing NS1, NS2 and CCNP: ISCW instructors
• Existing NS1, NS2 and CCNP: ISCW instructors allowed to teach the CCNA Security course
Instructor training: BDL format with 3-day in-person preferred; can also be delivered 100% remote
BDL Best Practices guide developed to provide guidelines on how to deliver the course in a BDL environment
Training support model – similar to the CCNP model; the Cisco Networking Academy Global Support Desk will provide day-to-day technical support
CCNA Security Release Dates and Availability
(Timeline, January to July 2009)
Early January 2009 – Draft Scope and Sequence
Mar 2009 – Virtual SMT for Beta Release
Mid-April 2009 – Beta Release of student course, for instructor training and preview purposes
End of Jun 2009 – Virtual SMT for GA Release
End of July 2009 – General Availability (GA) Release of student and instructor materials: released at the same time as Packet Tracer v5.2 GA; use for teaching student classes
Communications
Announcements sent via email to all instructors:
New CCNA Security Course announced – Sep 2008
Current NS1 and NS2 courses move to unsupported – Sep 2008
CCNA Security course availability announced – Oct 2008
Preliminary CCNA Security Scope & Sequence available – Jan 2009
FAQs
Q and A