African Safari 2009: Security in the Cisco Academy

Gratitude Kudyachete, EA-CATC, AFRALTI, April 2009


Agenda

Why Security?

Security in IT E I

Security in IT E II

Security in CCNA-Discovery

Security in CCNA-Exploration

Security in CCNP – ISCW

Network Security I & II

Major points - current curricula and security

CCNA-Security

Q&A


Why Security?

If security is compromised, serious consequences result, such as loss of privacy, theft of information and legal liability

Types of potential threats to security are always evolving

E-business and Internet applications continue to grow, so open networks cannot be avoided

Security has moved to the forefront of network management and implementation – and this is evident in the Academy Curricula


Security in IT E I

Mainly in chapters 9 & 16

Major issues:

Security Threats – physical, data, internal vs external

Security procedures/techniques

Preventive maintenance techniques

Troubleshooting security

IT Essentials


Security in IT E – Security procedures

Identify: assets, threats

Define: incident handling, emergency, allowed & prohibited behaviour, security framework, security techniques, ...

Access control, cable locks, security cages, RFID tags, lock rooms

Password protection, data encryption, port protection, backup, file system security

WEP, WPA, WPA2 (802.11i), LEAP, MAC filtering, SSID broadcast, WTLS


Preventive maintenance on security

OS updates – automatic, notify, only download, off (no updates)

Antivirus & Antispyware – update signature files

Account maintenance:

  Terminate employee access

  Guest access

  Group by job functions

Data backup & access


Security components & techniques

The following techniques & components are discussed:

o Passwords - a minimum requirement

o Logging & auditing

o Encryption - encoding data for purposes such as

  o Hashing

  o Symmetric encryption

  o Asymmetric encryption

o Virtual private networks

o Firewalls – hardware & software, and could be

  o Packet filter

  o Proxy firewall

  o Stateful packet inspection

o IDS

Comparing security expense with the cost of loss helps establish tradeoffs


IT E II - unsupported

Mainly in chapters 5, 8, 9, 10, 14

Major issues:

Remote Administration & Access Services

Firewalls

Directory & File permissions

Administrative accounts & login privileges

Security threats, Security implementation, patches & upgrades

IT Essentials


Security in CCNA Discovery

Module 1 - chapters 2, 7, 8

Module 2 - chapters 4, 8

Module 3 - chapters 1, 2, 3, 4, 5, 6, 7, 8

Module 4 - chapters 1, 5, 7, 8

Major issues are:

Basic security – policy, threats, attacks, techniques

Patching OS and applications

Wireless LAN Security

ISP Security

VPNs, NAT/PAT, ACLs

Switch security, VLANs

Routing update and PPP authentication

Security from a design perspective

CCNA Discovery


Security in CCNA Exploration

Module 1 - chapter 1

Module 3 - chapters 2, 3, 7

Module 4 - chapters 2, 4, 5, 6, 7

Issues covered include:

Network security - threats, mitigation, policy

Security goals & measures

Switch security, router security

Wireless LAN Security

PPP authentication

ACLs, VPNs, SDM, NAT/PAT

CCNA Exploration


Proving security

Security measures taken in a network should:

• Prevent unauthorized disclosure or theft of information

• Prevent unauthorized modification of information

• Prevent Denial of Service

Means to achieve these goals include:

• Ensuring confidentiality

• Maintaining communication integrity

• Ensuring availability


Primary classes of attacks

Reconnaissance attacks – Internet information queries, ping sweeps, port scans, packet sniffers

Access attacks – password, trust exploitation, port redirection, man-in-the-middle attack

DoS – Ping of Death, SYN flood, DDoS, …

Malicious software – virus, worm, Trojan horse; worms require containment, inoculation, quarantining & treatment


Securing Cisco Routers

Because routers provide gateways to other networks, they are obvious targets and are subject to a variety of attacks.


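Secure Routing protocols

Major attacks: disrupt peers, falsify information

Can configure passive interfaces and authentication:

! Stop RIP updates on every interface except the link to the neighbour
R1(config)# router rip
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface se0/0/0
R1(config-router)# exit
! Key chain holding the shared secret ("cisco" is the slide's lab value)
R1(config)# key chain RIP_KEY
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string cisco
R1(config-keychain-key)# exit
R1(config-keychain)# exit
! Require MD5-authenticated RIP updates on the serial link
R1(config)# int se0/0/0
R1(config-if)# ip rip authentication mode md5
R1(config-if)# ip rip authentication key-chain RIP_KEY

Also EIGRP & OSPF authentication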
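
One way to check a saved running-config for the two protections named on this slide (passive interfaces and RIP MD5 authentication), as an added example that is not part of the original slides. The names `parse_sections` and `audit_rip` and both sample configs are constructed for illustration.

```python
# Added example; function names and the sample configs are constructed.
def parse_sections(config_text):
    """Map each top-level config line to its indented child lines."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            current = sections.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return sections

def audit_rip(config_text):
    """Return findings; an empty list means every check passed."""
    sections = parse_sections(config_text)
    rip = sections.get("router rip")
    if rip is None:
        return ["no 'router rip' section"]
    findings = []
    if "passive-interface default" in rip:
        active = [l.split()[-1] for l in rip if l.startswith("no passive-interface ")]
    else:
        findings.append("router rip: 'passive-interface default' missing")
        passive = {l.split()[-1] for l in rip if l.startswith("passive-interface ")}
        # Simplification: every non-passive interface is treated as RIP-speaking
        active = [n.split()[1] for n in sections
                  if n.startswith("interface ") and n.split()[1] not in passive]
    usable = {n.split()[2] for n, body in sections.items()
              if n.startswith("key chain ")
              and any(l.startswith("key-string ") for l in body)}
    for ifname in active:
        body = sections.get("interface " + ifname, [])
        if "ip rip authentication mode md5" not in body:
            findings.append(f"{ifname}: RIP MD5 authentication not enabled")
        chain = next((l.split()[-1] for l in body
                      if l.startswith("ip rip authentication key-chain ")), None)
        if chain is None:
            findings.append(f"{ifname}: no RIP key chain applied")
        elif chain not in usable:
            findings.append(f"{ifname}: key chain '{chain}' has no key-string")
    return findings

# Constructed samples: HARDENED mirrors the slide's R1 setup; WEAK is the
# same fragment with the passive-interface and key-string lines removed.
HARDENED = """
key chain RIP_KEY
 key 1
  key-string cisco
interface FastEthernet0/0
interface Serial0/0/0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP_KEY
router rip
 passive-interface default
 no passive-interface Serial0/0/0
"""
WEAK = "\n".join(l for l in HARDENED.splitlines()
                 if "passive-interface" not in l and "key-string" not in l)

if __name__ == "__main__":
    print(audit_rip(HARDENED), audit_rip(WEAK), sep="\n")
```

The audit reads interface names exactly as they appear in the saved config, so it expects running-config output (full names such as Serial0/0/0) rather than typed abbreviations.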


Security Device Manager – SDM

An easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.

Firewall, VPN, IPS/IDS, NAT, router lockdown


VPNs

VPNs enable private-network information to be transported over a public network; encapsulation (tunneling) and encryption are typically used


NAT/PAT

Adds a degree of privacy and security - hides internal IP addresses from outside networks.

ip nat inside source ..

ip nat inside

ip nat outside


Wireless Security protocols

In 802.11i - WPA uses TKIP and WPA2 employs AES


Security in CCNP ISCW

IPSec VPNs

MPLS VPN Technology

Cisco Device Hardening

Cisco IOS threat defense features


Network Security I - unsupported

Vulnerabilities, Threats and Attacks

Security Planning and Policy

Security Devices

Trust and Identity Technology

Cisco Secure Access Control Server

Configure Trust and Identity at Layer 2 and 3

Configuring Filtering on a Router

Configuring Filtering on a PIX Security Appliance

Configuring Filtering on a Switch


Network Security II - unsupported

Intrusion Detection and Prevention Technology and Implementation

Encryption and VPN Technology

Site-to-site VPNs with pre-shared keys

Site-to-site VPNs with digital certificates

Remote Access VPN

Security Network Architecture and Management

PIX Contexts, Failovers and Management


Major points about Security & current curricula

It is evident that a lot of security concepts are covered

Most of the treatment is introductory

In Network Security I & II (unsupported) there is great depth & breadth of coverage

CCNP (ISCW) – less breadth than NS 1 & 2 but still depth on specific issues

There is a need for curricula that build on what IT Essentials and CCNA give


CCNA Security Overview


Outline

CCNA Security Overview

Target Audience

Course Details

Equipment Requirements

Enrollment, Training and Support

Release Dates and Availability

Q&A


CCNA Security Overview

A new course that provides students with in-depth network security education and develops a comprehensive understanding of network security concepts

Provides students with knowledge and skills to design and support Network Security

Provides an experience-oriented course to prepare for entry-level specialist jobs in network security

Prepares students for CCNA Security certification (IINS 640-553 exam).

CCNA Security course IS NOT a replacement for the current Network Security 1 and Network Security 2 (NS1 and NS2) Courses


Cisco Networking Academy Curricula Portfolio

[Figure: curricula arranged by student networking knowledge and skills, from IT Technician to Network Professional, with Security and Packet Tracer shown alongside]

IT Essentials: PC Hardware and Software

CCNA Discovery: Networking for Home and Small Businesses; Working at a Small-to-Medium Business or ISP; Introducing Routing and Switching in the Enterprise; Designing and Supporting Computer Networks

CCNA Exploration: Network Fundamentals; Routing Protocols and Concepts; LAN Switching and Wireless; Accessing the WAN

CCNA Security

CCNP: Building Scalable Internetworks; Implementing Secured Converged Wide-Area Networks; Building Multilayer Switched Networks; Optimizing Converged Networks


Security Certifications

[Figure: security certification paths]

Associate-level: CCNA Security Course, IINS (640-553) exam, CCNA Security Certification

Professional-level: Network Security 1 & 2 (NS1/NS2) Courses

Cisco Certified Security Professional (CCSP) Certification: SND, SNRS, SNPA, IPS, Elective Exam

Revised CCSP Certification: SNAF, IPS, SNRS, Elective Exam

CCNA certification is a pre-requisite for CCNA Security certification


CCNA Security Target Audience

Career starters seeking career-oriented, entry-level Security specialist skills

Working professionals looking to enhance or change their careers

Students in degree programs at colleges or universities

Higher Education institutions and Universities


Course Details

One semester long (~70-hr) course format

Enabled for both ILT and Blended Distance Learning (BDL)

Delivered in the same Graphical User Interface (GUI) as the CCNA Discovery and CCNA Exploration curricula

9 Chapters

One complex hands-on lab per chapter and Packet Tracer activities

Provided as separate .zip files downloaded from AC; not packaged within the GUI

9 end of chapter exams

1 final exam

Available in English only, no translated versions are planned


Equipment Requirements

Goal is to minimize equipment costs

Uses CCNA Discovery/Exploration equipment bundle and topology

NetLab compatible topology, enabled for remote operation

Additional investment required for memory upgrade and Advanced IOS images

| Description | Mfr. | Part Number | Qty. |
|---|---|---|---|
| Modular Router w/2xFE, 2 WAN slots, 32 FL/128 DR | Cisco | CISCO1841 | 3 |
| 128 to 192MB SODIMM DRAM factory upgrade for the Cisco 1841 | Cisco | MEM1841-64D | 2 |
| 64MB Cisco 1800 Compact Flash Memory | Cisco | MEM1800-64CF | 2 |
| 2-Port Async/Sync Serial WAN Interface Card | Cisco | WIC-2A/S or WIC-2T | 3 |
| V.35 Cable, DTE Male to Smart Serial, 10 Feet | Cisco | CAB-SS-V35MT | 2 |
| V.35 Cable, DCE Female to Smart Serial, 10 Feet | Cisco | CAB-SS-V35FC | 2 |
| Catalyst 2960 24 10/100 + 2 1000BT LAN Base Image | Cisco | WS-C2960-24TT-L | 3 |
| (Optional) Rackmount Kit for the 1841 | Cisco | ACS-1841-RM-19 | 3 |
| Cisco IOS Release 12.4(20)T1 Advanced IP Services | Cisco | c1841-advipservicesk9-mz.124-20.T1.bin | 2 |


CCNA Security Course Outline

Course Chapter Titles

Ch. 1: Modern Network Security Threats

Goal: Explain network threats, mitigation techniques, and the basics of securing a network.

Ch. 2: Securing Network Devices

Goal: Securing administrative access on Cisco routers. Topics: roles, IOS, syslog, SNMP, lockdown.

Ch. 3: Authentication, Authorization and Accounting

Goal: Securing administrative access with AAA.

Ch. 4: Implementing Firewall Technologies

Goal: Implement firewall technologies to secure the network perimeter. Topics: ACLs, CBAC, zone-based policy firewall.

Ch. 5: Implementing Intrusion Prevention

Goal: Configure IPS to mitigate attacks on the network.

Ch. 6: Securing the Local Area Network

Goal: Describe LAN security considerations and implement endpoint and Layer 2 security features. Topics: CSA, wireless, VoIP.

Ch. 7: Cryptographic Systems

Goal: Describe methods for implementing data confidentiality and integrity. Topics: encryption, hashing, PKI, certificates.

Ch. 8: Implementing Virtual Private Networks

Goal: Implement secure virtual private networks. Topics: GRE, IPsec.

Ch. 9: Managing A Secure Network

Goal: Given the security needs of an enterprise, create and implement a comprehensive security policy. Topics: standards, guidelines & procedures, security design, risk analysis, management, BCP, SDLC.


Enrollment, Training & Support

Student Enrollment Pre-requisite: CCNA-level knowledge required

Instructor Training Guidelines

CCNA-level knowledge required

Required for new CCNA Security instructors; Fast track possible with evidence of CCNA Security or higher certification or industry experience

Recommended for existing NS1, NS2 and CCNP: ISCW instructors

Existing NS1, NS2 and CCNP: ISCW instructors allowed to teach CCNA Security course

Instructor Training

BDL format with 3-day in-person preferred; Can also be delivered 100% remote

BDL Best Practices guide developed to provide guidelines on how to deliver course in a BDL environment

Training Support Model – similar to CCNP model; Cisco Networking Academy Global Support Desk will provide day-to-day technical support


CCNA Security Release Dates and Availability

[Figure: 2009 release timeline, January to July]

Early January 2009: Draft Scope and Sequence

Mar 2009: Virtual SMT for Beta Release

Mid-April 2009: Beta Release of student course, for instructor training and preview purposes

End of Jun 2009: Virtual SMT for GA Release

End of July 2009: General Availability (GA) Release of student and instructor materials

• Released at same time with Packet Tracer v5.2 GA

• Use for teaching student classes


Communications

Announcements sent via email to all instructors:

New CCNA Security Course announced – Sep 2008

Current NS1 and NS2 courses move to unsupported – Sep 2008

CCNA Security course availability announced – Oct 2008

Preliminary CCNA Security Scope & Sequence available – Jan 2009

FAQs


Q and A
