Assessment, review, and practice for CCSP SNPA exam 642-522
The official study guide helps you master all the topics on the SNPA exam, including:
Firewall technologies Cisco Security Appliance translation and connection Access control configuration Modular policy framework Security contexts Syslog Routing protocol support Failover Virtual private networks (VPN) Adaptive Security Device Manager (ASDM) Content filtering Authentication, authorization, and accounting (AAA) configuration Intrusion Prevention Systems (IPS) and advanced protocol handling
CCSP SNPA Official Exam Certification Guide, Third Edition, is a best-of-breed Cisco® exam study guide that focuses specifically on the objectives for the Securing Networks with PIX and ASA (SNPA) exam. Network security consultant, Michael Gibbs, shares preparation hints and test-taking tips, helping you identify areas of weakness and improve your knowledge of firewall and Adaptive Security Appliance (ASA) security. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.
This guide presents you with an organized test preparation routine through the use of proven series elements and techniques. Do I Know This Already? quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists and Foundation Summary tables make referencing easy and give you a quick refresher whenever you need it. Challenging chapter-ending review questions help you assess your knowledge and reinforce key concepts.
The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, presenting question-by-question remediation to the text.
Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this book helps you master the concepts and techniques that will enable you to succeed on the exam the first time.
CCSP SNPA Official Exam Certification Guide, Third Edition, is part of a recommended learning path from Cisco Systems® that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, visit www.cisco.com/go/authorizedtraining.
Companion CD-ROM
The CD-ROM contains an electronic copy of the book and more than 200 practice questions for the SNPA exam, all available in study mode, test mode, and flash card format.
This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.
Daugiau informacijos
CCSP SNPA Offficial Exam Certification Guide, Third Edition, is a comprehensive study tool that prepares readers for the new CCSP SNPA 642-522 Exam (announced by Cisco in fall 2005). Complete coverage of major exam topics allows readers to practice the skills critical for everyday administration and troubleshooting of the Cisco ASA and PIX Firewall. Included are practical explanations of the various functions of the Cisco ASA and PIX Firewall as well as a description of installation, configuration, and advanced functionality. CCSP SNPA Official Exam Certification Guide, Third Edition, follows a logical organization of CCSP SNPA exam objectives. Material is presented in a concise manner, focusing on increasing readers' retention and recall of exam topics. Readers will organize their exam preparation through the use of consistent, best-of-breed features included in every chapter: --Pre-Chapter Quizzes help readers determine their depth of study for each chapter. --Foundation Review sections provide concise tables and lists for readers who need only review the objectives in a given chapter. --Chapter-Ending Quizzes test readers' retention of chapter topics. --Scenario-based exercises help readers think about exam objectives in real-world situations, thus increasing recall during exam time. This new edition is thoroughly updated for PIX 7.0 and Cisco ASA, preparing certification candidates with review of all the key skills called for from a CCSP-certified professional.
Chapter 1 Network Security
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation and Supplemental Topics
Overview of Network Security
Vulnerabilities, Threats, and Attacks
Vulnerabilities
Threats
Types of Attacks
Security Policies
Step 1: Secure
Step 2: Monitor
Step 3: Test
Step 4: Improve
Network Security as a Legal Issue
Defense in Depth
Cisco AVVID and Cisco SAFE
Cisco AVVID?
Cisco SAFE
Foundation Summary
Network Security
Vulnerabilities, Threats, and Attacks
Vulnerabilities
Threats
Attacks
Security Policies
Network Security as a Process
Defense in Depth
Cisco AVVID
Cisco SAFE
Key Terms
Q&A
Chapter 2 Firewall Technologies andtheCisco Security Appliance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Firewall Technologies
Packet Filtering
Proxy
Stateful Packet Inspection
Cisco PIX Firewall
Secure Real-Time Embedded System
Adaptive Security Algorithm
Cut-Through Proxy
Security Contexts (Virtual Firewall)
Redundancy
Foundation Summary
Firewall Technologies
Cisco Security Appliance
Q&A
Chapter 3 Cisco Security Appliance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Overview of the Cisco Security Appliance
ASA
Cut-Through Proxy
Cisco PIX Firewall Models and Features
Intrusion Protection
AAA Support
X.509 Certificate Support
Modular Policy Framework
Network Address Translation/Port Address Translation
Firewall Management
Simple Network Management Protocol
Syslog Support
Security Contexts
Transparent Firewalls
Virtual Private Networks
Optional Firewall Components
PIX Firewall Model Capabilities
Cisco PIX 501
Cisco PIX 506E
Cisco PIX 515E
Cisco PIX 525
Cisco PIX 535
Cisco ASA Security Model Capabilities
Cisco ASA 5510 Security Appliance
Cisco ASA 5520 Security Appliance
Cisco ASA 5540 Security Appliance
Foundation Summary
Adaptive Security Algorithm
Cut-Through Proxy
Cisco PIX Firewall Models and Features
Cisco ASA Security Appliance Models and Features
Intrusion Protection
AAA Support
X.509 Certificate Support
Modular Policy Framework
NAT/PAT
Firewall Management
SNMP
Syslog Support
Virtual Private Networks
Security Context
Cisco Security Appliance Models
Q&A
Chapter 4 System Management/Maintenance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Accessing Cisco Security Appliance
Accessing a Cisco Security Appliance with Telnet
Accessing the Cisco Security Appliance with Secure
Shell
Command-Level Authorization
Installing a New Operating System
Upgrading Your Activation Key
Upgrading the Cisco Security Appliance Operating System
Upgrading the Operating System Using the copy tftp flashCommand
Upgrading the Operating System Using Monitor Mode
Upgrading the OS Using an HTTP Client
Creating a Boothelper Disk Using a Windows PC
Password Recovery
Cisco PIX Firewall Password Recovery: Getting Started
Password Recovery Procedure for a PIX Firewall with a
Floppy Drive (PIX520)
Password Recovery Procedure for a Diskless PIX Firewall
(PIX 501, 506, 506E, 515E, 515, 525, and 535)
Password Recovery Procedure for the ASA Security
Appliance
Overview of Simple Network Management Protocol
on the PIX Firewall
Configuring Simple Network Management Protocol
on Security Appliance
Troubleshooting Commands
Foundation Summary
Q&A
Chapter 5 Understanding Cisco Security Appliance Translation and
Connection
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
How the Cisco Security Appliance Handles Traffic
Interface Security Levels and the Default Security
Policy
Transport Protocols
Address Translation
Translation Commands
NAT
PAT
Static Translation
Using the static Command for Port Redirection
Configuring Multiple Translation Types on the Cisco
Security Appliance
Bidirectional NAT
Translation Versus Connection
Configuring DNS Support
Foundation Summary
Q&A
Chapter 6 Getting Started with the Cisco Security Appliance Family of
Firewalls
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Access Modes
Configuring a Cisco Security Appliance
interface Command
security-level Command
nameif Command
ip address Command
nat Command
speed Command
duplex Command
nat-control Command
global Command
route Command
Routing Information Protocol
Testing Your Configuration
Saving Your Configuration
Support for Domain Name System Messages
Configuring Dynamic Host Configuration Protocol on the Cisco
Security Appliance
Using the Cisco Security Appliance DHCP Server
Configuring the Security Appliance DHCP Client
Configuring Time Settings on the Cisco Security Appliance
NTP
Cisco Security Appliance System Clock
Configuring Login Banners on the Cisco Security Appliance
Configuring Transparent Mode
Enabling Transparent Mode
Traffic Management in Transparent Mode
Monitoring in Transparent Mode
Sample Security Appliance Configuration
Foundation Summary
Q&A
Chapter 7 Configuring Access
How Best to Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Configuring Inbound Access Through a Cisco Security Appliance
Static NAT
Static PAT
TCP Intercept Feature
nat 0 Command
Policy NAT
Access Lists
Object Grouping
network Object Type
protocol Object Type
service Object Type
icmp-type Object Type
Nesting Object Groups
ACL Logging
Advanced Protocol Handling
FTP
DNS
Simple Mail Transfer Protocol
Foundation Summary
Q&A
Chapter 8 Modular Policy Framework
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Modular Policy Framework Overview
Traffic Flow Matching
Step 1: Create a Class Map
Step 2: Define Class Map Matches
Viewing the Class Map Configuration
Assigning Actions to a Traffic Class
Step 1: Create a Policy Map
Step 2: Assign Traffic Classes to the Policy Map
Step 3: Assign Policies for Each Class
Viewing the Policy Map Configuration
Assigning Policies to an Interface
Service Policy Matching Logic
Viewing the Service Policy Configuration
Viewing the Service Policy Statistics
Foundation Summary
Q&A
Chapter 9 Security Contexts
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Security Context Overview
Multiple Context Modes
Administration Context
Configuring Security Contexts
Creating a New Context
Assigning Interfaces to a Context
Uploading a Configuration Using the config-url Command
Managing Security Contexts
Deleting Contexts
Navigating Multiple Contexts
Viewing Context Information
Step-by-Step Configuration of a Security Context
Foundation Summary
Q&A
Chapter 10 Syslog and the Cisco Security Appliance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
How Syslog Works
Logging Facilities
Logging Levels
How Log Messages Are Organized
How to Read System Log Messages
Configuring Syslog on a Cisco Security Appliance
Configuring the ASDM to View Logging
Configuring Syslog Messages at the Console
Sending Syslog Messages to a Telnet Session
Configuring the Cisco Security Appliance to Send Syslog
Messages to a Log Server
Configuring SNMP Traps and SNMP Requests
Configuring a Syslogd Server
PIX Firewall Syslog Server
Foundation Summary
Q&A
Chapter 11 Routing and the Cisco Security Appliance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics and Supplemental Topics
General Routing Principles
Ethernet VLAN Tagging
Understanding VLANs
Understanding Trunk Ports
Understanding Logical Interfaces
Managing VLANs
IP Routing
Static Routes
Dynamic Routes
Multicast Routing
Multicast Commands
Inbound Multicast Traffic
Outbound Multicast Traffic
Debugging Multicast
Foundation Summary
Q&A
Chapter 12 Cisco Security Appliance Failover
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
What Causes a Failover Event?
What Is Required for a Failover Configuration?
Failover Monitoring
Configuration Replication
Stateful Failover
LAN-Based Failover
Active-Active Failover
Configuring Failover
Foundation Summary
Q&A
Chapter 13 Virtual Private Networks
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Overview of Virtual Private Network Technologies
Internet Protocol Security
Internet Key Exchange
Perfect Forward Secrecy
Certification Authorities
Overview of WebVPN
WebVPN Portal Interface
Port Forwarding
Configuring the Security Appliance as a VPN Gateway
Selecting the Configuration
Configuring IKE
Configuring IPSec
Troubleshooting the VPN Connection
Configuring the Security Appliance as a WebVPN Gateway
WebVPN Global Configuration
Configuring URLs and File Servers
Configuring Port Forwarding
Configuring E-Mail Proxies
Setting Up Filters and ACLs
Configuring Security Appliances for Scalable VPNs
Foundation Summary
Q&A
Scenario
VPN Configurations
Completed PIX Configurations
How the Configuration Lines Interact
Chapter 14 Configuring Access VPNs
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation and Supplemental Topics
Introduction to Cisco Easy VPN
Easy VPN Server
Easy VPN Remote Feature
Overview of the Easy VPN Server
Major Features
Server Functions
Supported Servers
Overview of Easy VPN Remote Feature
Supported Clients
Easy VPN Remote Connection Process
Extended Authentication Configuration
Easy VPN Remote Modes of Operation
Client Mode
Network Extension Mode
Overview of Cisco VPN Software Client
Features
Specifications
Cisco VPN Client Manual Configuration Tasks
Security Appliance Easy VPN Remote Configuration
Basic Configuration
Client Device Mode
Secure Unit Authentication
Individual User Authentication
Point-to-Point Protocol over Ethernet and the Security Appliance
Configuring the VPDN Group
Configuring VPDN Group Authentication
Assigning the VPDN Group Username
Configuring the VPDN Username and Password
Enabling the Point-to-Point over Ethernet Client
Monitoring the Point-to-Point over Ethernet Client
Dynamic Host Configuration Protocol Server Configuration
DHCP Overview
Configuring the Security Appliance DHCP Server
DHCP Server Auto Configuration
DHCP Debugging Commands
Foundation Summary
Q&A
Chapter 15 Adaptive Security Device Manager
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
ASDM Overview
Security Appliance Requirements to Run ASDM
ASDM Workstation Requirement
ASDM Installation
Using ASDM to Configure the Cisco Security Appliance
Monitoring
Using ASDM for VPN Configuration
Using ASDM to Create a Site-to-Site VPN
Using ASDM to Create a Remote-Access VPN
Foundation Summary
Q&A
Chapter 16 Content Filtering on the Cisco Security Appliance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Filtering ActiveX Objects and Java Applets
Filtering Java Applets
Filtering ActiveX Objects
Filtering URLs
Identifying the URL-Filtering Server
Configuring URL-Filtering Policy
Filtering HTTPS and FTP
Filtering Long URLs
Viewing Filtering Statistics and Configuration
Foundation Summary
Q&A
Chapter 17 Overview of AAA and theCisco Security Appliance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Overview of AAA and the Cisco Security Appliance
Definition of AAA
AAA and the Cisco Security Appliance
Cut-Through Proxy
Supported AAA Server Technologies
Cisco Secure Access Control Server
Minimum Hardware and Operating System Requirements
for Cisco Secure ACS
Installing Cisco Secure ACS Version 3.3 on Windows
Server
Foundation Summary
Q&A
Chapter 18 Configuration of AAA ontheCisco Security Appliance
How to Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Specifying Your AAA Servers
Configuring AAA on the Cisco Security Appliance
Step 1: Identifying the AAA Server and NAS
Step 2: Configuring Authentication
Step 3: Configuring Authorization
Step 4: Configuring Accounting
Cisco Secure and Cut-Through Configuration
Configuring Downloadable Security Appliance ACLs
Troubleshooting Your AAA Setup
Checking the Security Appliance
Checking the Cisco Secure ACS
Foundation Summary
Q&A
Chapter 19 IPS and Advanced Protocol Handling
How To Best Use This
Chapter
Do I Know This Already? Quiz
Foundation Topics
Multimedia Support on the Cisco Security Appliance
RTSP
Application Inspection Support for Voice over IP
CTIQBE
H.323
MGCP
SCCP
SIP
Application Inspection
FTP Inspection
HTTP Inspection
Domain Name Inspection
Mail Inspection
ICMP Inspection
Remote Shell Inspections
SNMP Inspection
SQL*Net Inspection
Security Appliance Intrusion Protection Feature
AIP-SSM Module
Configuring IPS Through ASDM
Foundation Summary
Q&A
Chapter 20 Case Study and Sample Configuration
Remote Offices
Firewall
Growth Expectation
Task 1: Basic Configuration for the Cisco Security Appliance
Basic Configuration Information for HQ-PIX
Basic Configuration Information for MN-PIX
Basic Configuration Information for HOU-PIX
Task 2: Configuring Access Rules on HQ
Task 3: Configuring Authentication
Task 4: Configuring Logging
Task 5: Configuring a VPN Between HQ and Remote Sites
Configuring the Central PIX Firewall, HQ-PIX, for VPN
Tunneling
Configuring the Houston PIX Firewall, HOU-PIX, for VPN
Tunneling
Configuring the Minneapolis PIX Firewall, MN-PIX, for
VPN Tunneling
Verifying and Troubleshooting
Task 6: Configuring a Remote-Access VPN to HQ
Create an IP Address Pool
Define a Group Policy for Mode Configuration Push
Enable IKE Dead Peer Detection
Task 7: Configuring Failover
What Is Wrong with This Picture?
Foundation Summary
Q&A
Appendix a Answers to the Do I Know This Already? Quizzes and Q&A
Sections
1587201526toc041806
Michael Gibbs is the CTO for Security Evolutions, Inc., (SEI) where he is responsible for the overall technical management of SEIs Cisco IT security consulting services.
Greg Bastien, CCNP®, CCSP, CISSP®, is the chief technical officer of Virtue Technologies, Inc., and directs the actions of the engineering staff that supports several federal agencies.
Earl Carter is a member of the Security Technologies Assessment Team (STAT) at Cisco Systems where he performs security evaluations on numerous Cisco products.
Christian Abera Degu, CCNP, CCDP®, CCSP, currently works for Veridian Networks/General Dynamics as a consulting engineer to the Federal Energy Regulatory Commission.
