certification

June 15, 2011

Ccna Security

Earning your CCNA Security certification is a tremendous boost to your career and your career prospects! To help you prepare for total success on exam day, here are 10 complimentary questions on the IOS Firewall set. Answers are at the end of the article. Enjoy!

1. Define the term "DMZ" as it pertains to network security, and name three different common network devices that are typically found there.

2. Identify the true statements.

A. Stateless packet filtering considers the TCP connection state.

B. Stateful packet filtering considers the TCP connection state.

C. Neither stateless nor stateful packet filtering monitor the TCP connection state.

D. Both stateless and stateful packet filtering monitor the TCP connection state, and keep a state table containing that information.

3. Does the Cisco IOS Firewall feature set act as a stateful or stateless packet filter?

4. Which of the following are considered parts of the IOS Firewall feature set?

A. IOS Firewall

B. Intrusion Prevention System

C. RADIUS

D. Authentication Proxy

E. Password Encryption

5. Identify the true statements regarding the Authentication Proxy.

A. It's part of the IOS Firewall Feature Set.

B. It allows creation of per-user security profiles, rather than more general profiles.

C. It allows creation of general security profiles, but not per-user profiles.

D. Profiles can be stored locally, but not remotely.

E. Profiles can be stored on a RADIUS server.

F. Profiles can be stored on a TACACS+ server.

6. Configuring ACLs is an important part of working with the IOS Firewall. What wildcard masks are replaced in ACLs by the words host and any?

7. What does the dollar sign in the following ACL line indicate?

R1(config)#$ 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255

8. Basically, how does an IOS Firewall prevent a TCP SYN attack?

9. What does the term "punch a hole in the firewall" refer to? (Logically, that is, not physically.)

10. What exactly does the router-traffic option in the following configuration do?

R4(config)#ip inspect name PASSCCNASECURITY tcp router-traffic

R4(config)#ip inspect name PASSCCNASECURITY udp router-traffic

R4(config)#ip inspect name PASSCCNASECURITY icmp router-traffic

Here are the answers!

1. It's easy to think of your network as the "inside", and everything else as "outside". However, we've got a third area when it comes to firewalls - the DMZ.

From an IT standpoint, the DMZ is the part of our network that is exposed to outside networks. It's common to find the following devices in a DMZ:

FTP server

Email server

E-commerce server

DNS servers

Web servers

2. (B.) Stateful packet filtering does monitor the connection state, and that's particularly important when it comes to preventing TCP attacks. A stateful firewall will not only monitor the state of the TCP connection, but also the sequence numbers. Stateful firewalls accomplish this by keeping a session table, or state table.

3. The Cisco IOS Firewall is a stateful filter.

4. (A, B, D.) There are three major components to the IOS Firewall feature set - the IOS Firewall, the Intrusion Prevention System (IPS), and the Authentication Proxy.

5. (A, B, E, F. T he Authentication Proxy allows us to create security profiles that will be applied on a per-user basis, rather than a per-subnet or per-address basis. These profiles can be kept on either of the following:

RADIUS server

TACACS+ server

Upon successful authentication, that particular user's security policy is downloaded from the RADIUS or TACACS+ server and applied by the IOS Firewall router.

6. We have the option of using the word host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied. The following ACLs both do that.

R3#conf t

R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0

R3(config)#conf t

R3(config)#access-list 7 permit host 10.1.1.1

The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit all traffic.

R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255

There's no "right" or "wrong" decision to make when you're configuring ACLs in the real world. For your exam, though, I'd be very familiar with the proper use of host and any.

7. The dollar sign simply indicates that part of the command you're entering or viewing can't be shown because the entry is so long. It does not mean the command is illegal.

8. The IOS Firewall can use any or all of the following values to detect when a TCP SYN attack is underway:

Overall total of incomplete TCP sessions

Number of incomplete TCP sessions in a certain amount of time

Number of incomplete TCP sessions on a per-host basis

When any of these thresholds are reached, either of the following actions can be taken:

Block all incoming SYN packets for a certain period of time

Transmit a RST to both parties in the oldest incomplete session

We'll look at specific instances in future tutorials.

9. That term simply refers to configuring the firewall to open a port that was previously closed. Don't forget to close it when you no longer need it to be open!

10. If you're going to inspect traffic that is actually generated on the router, you need to include the router-traffic option at the end of that particular ip inspect statement.

Look for more Cisco certification practice exams and fully-illustrated tutorials on my website!

Ccna Security

CCNA Security

Official Exam Certification Guide

Master the IINS 640-553 exam with this official study guide
Assess your knowledge with chapter-opening quizzes
Review key concepts with Exam Preparation Tasks
Practice with realistic exam questions on the CD-ROM

CCNA Security Official Exam Certification Guide is a best of breed Cisco® exam study guide that focuses specifically on the objectives for the CCNA® Security IINS exam. Senior security instructors Michael Watkins and Kevin Wallace share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

CCNA Security Official Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks sections help drill you on key concepts you must know thoroughly.

The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a topic-by-topic basis, presenting question-by-question remediation to the text and laying out a complete study plan for review.

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

CCNA Security Official Exam Certification Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.

Michael Watkins, CCNA/CCNP®/CCVP®/CCSP®, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, Michael has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the United States Air Force to help them implement and learn the latest network technologies.

Kevin Wallace, CCIE® No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, Kevin has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. Kevin also is a CCVP, CCSP, CCNP, and CCDP with multiple Cisco security and IP communications specializations.

The official study guide helps you master all the topics on the IINS exam, including

Network security threats

Security policies

Network perimeter defense
AAA configuration

Router security

Switch security

Endpoint security

SAN security

VoIP security

IOS firewalls

Cisco IOS® IPS

Cryptography

Digital signatures

PKI and asymmetric encryption

IPsec VPNs

This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

Category: Cisco Press—Cisco Certification

Covers: IINS exam 640-553

About the Author

Michael Watkins, CCNA/CCNP/CCVP/CCSP, is a full-time senior technical instructor with SkillSoft Corporation. With 13 years of network management, training, and consulting experience, he has worked with organizations such as Kraft Foods, Johnson and Johnson, Raytheon, and the U.S. Air Force to help them implement and learn about the latest network technologies. In addition to holding more than 20 industry certifications in the areas of networking and programming technologies, he holds a bachelor of arts degree from Wabash College.

Kevin Wallace, CCIE No. 7945, is a certified Cisco instructor working full time for SkillSoft, where he teaches courses in the Cisco CCSP, CCVP, and CCNP tracks. With 19 years of Cisco networking experience, he has been a network design specialist for the Walt Disney World Resort and a network manager for Eastern Kentucky University. He holds a bachelor of science degree in electrical engineering from the University of Kentucky. He is also a CCVP, CCSP, CCNP, and CCDP, with multiple Cisco security and IP communications specializations.

Introduction

Congratulations on your decision to pursue a Cisco Certification! If you're reading far enough to look at the introduction to this book, you likely already have a sense of what you ultimately would like to achieve—the Cisco CCNA Security certification. Achieving Cisco CCNA Security certification requires that you pass the Cisco IINS (640-553) exam. Cisco certifications are recognized throughout the networking industry as a rigorous test of a candidate's knowledge of and ability to work with Cisco technology. Through its quality technologies, Cisco has garnered a significant market share in the router and switch marketplace, with more than 80 percent market share in some markets. For many industries and markets around the world, networking equals Cisco. Cisco certification will set you apart from the crowd and allow you to display your knowledge as a networking security professional.

Historically speaking, the first entry-level Cisco certification is the Cisco Certified Network Associate (CCNA) certification, first offered in 1998.

With the introduction of the CCNA Security certification, Cisco has for the first time provided an area of focus at the associate level. The CCNA Security certification is for networking professionals who work with Cisco security technologies and who want to demonstrate their mastery of core network security principles and technologies.

Format of the IINS Exam

The 640-553 IINS exam follows the same general format of other Cisco exams. When you get to the testing center and check in, the proctor gives you some general instructions and then takes you into a quiet room with a PC. When you're at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take a sample quiz, just to get accustomed to the PC and the testing engine. If you have user-level PC skills, you should have no problems with the testing environment. Additionally, Chapter 16 points to a Cisco website where you can see a demo of the actual Cisco test engine.

When you start the exam, you are asked a series of questions. You answer the question and then move on to the next question. The exam engine does not let you go back and change your answer. When you move on to the next question, that's it for the earlier question.

The exam questions can be in one of the following formats:

Multiple-choice (MC)
Testlet
Drag-and-drop (DND)
Simulated lab (Sim)
Simlet

The first three types of questions are relatively common in many testing environments. The multiple-choice format simply requires that you point and click a circle beside the correct answer(s). Cisco traditionally tells you how many answers you need to choose, and the testing software prevents you from choosing too many answers. Testlets are questions with one general scenario, with multiple MC questions about the overall scenario. Drag-and-drop questions require you to click and hold, move a button or icon to another area, and release the mouse button to place the object somewhere else—typically in a list. For example, to get the question correct, you might need to put a list of five things in the proper order.

The last two types both use a network simulator to ask questions. Interestingly, these two types allow Cisco to assess two very different skills. Sim questions generally describe a problem, and your task is to configure one or more routers and switches to fix the problem. The exam then grades the question based on the configuration you changed or added. Interestingly, Sim questions are the only questions that Cisco (to date) has openly confirmed that partial credit is given for.

The Simlet questions may well be the most difficult style of question on the exams. Simlet questions also use a network simulator, but instead of answering the question by changing the configuration, the question includes one or more MC questions. The questions require that you use the simulator to examine the current behavior of a network, interpreting the output of any show commands that you can remember to answer the question. Whereas Sim questions require you to troubleshoot problems related to a configuration, Simlets require you to analyze both working networks and networks with problems, correlating show command output with your knowledge of networking theory and configuration commands.

What's on the IINS Exam?

Cisco wants the public to know both the variety of topics and the kinds of knowledge and skills that are required for each topic, for every Cisco certification exam. To that end, Cisco publishes a set of exam topics for each exam. The topics list the specific subjects, such as ACLs, PKI, and AAA, that you will see on the exam. The wording of the topics also implies the kinds of skills required for that topic. For example, one topic might start with "Describe...", and another might begin with "Describe, configure, and troubleshoot...". The second objective clearly states that you need a thorough and deep understanding of that topic. By listing the topics and skill level, Cisco helps you prepare for the exam.

Although the exam topics are helpful, keep in mind that Cisco adds a disclaimer that the posted exam topics for all its certification exams are guidelines. Cisco makes an effort to keep the exam questions within the confines of the stated exam topics. I know from talking to those involved that every question is analyzed to ensure that it fits within the stated exam topics.

IINS Exam Topics

Table I-1 lists the exam topics for the 640-553 IINS exam. Although the posted exam topics are not numbered at Cisco.com, Cisco Press does number the exam topics for easier reference. Notice that the topics are divided among nine major topic areas. The table also notes the part of this book in which each exam topic is covered. Because it is possible that the exam topics may change over time, it may be worthwhile to double-check the exam topics as listed on Cisco.com (http://www.cisco.com/go/certification). If Cisco later adds exam topics, you may go to http://www.ciscopress.com and download additional information about the newly added topics.

Table I-1Å@640-553 IINS Exam Topics

Reference Number	Exam Topic	Book Part(s) Where Topic Is Covered
1.0	Describe the security threats facing modern network infrastructures
1.1	Describe and mitigate the common threats to the physical installation	I
1.2	Describe and list mitigation methods for common network attacks	I
1.3	Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks	II
1.4	Describe the main activities in each phase of a secure network lifecycle	I
1.5	Explain how to meet the security needs of a typical enterprise with a comprehensive security policy	I
1.6	Describe the Cisco Self Defending Network architecture	I
1.7	Describe the Cisco security family of products and their interactions	I, II, III
2.0	Secure Cisco routers
2.1	Secure Cisco routers using the SDM Security Audit feature	I
2.2	Use the One-Step Lockdown feature in SDM to secure a Cisco router	I
2.3	Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements	I
2.4	Secure administrative access to Cisco routers by configuring multiple privilege levels	I
2.5	Secure administrative access to Cisco routers by configuring role based CLI	I
2.6	Secure the Cisco IOS image and configuration file	I
3.0	Implement AAA on Cisco routers using local router database and external ACS
3.1	Explain the functions and importance of AAA	I
3.2	Describe the features of TACACS+ and RADIUS AAA protocols	I
3.3	Configure AAA authentication	I
3.4	Configure AAA authorization	I
3.5	Configure AAA accounting	I
4.0	Mitigate threats to Cisco routers and networks using ACLs
4.1	Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets	II
4.2	Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI	II
4.3	Configure IP ACLs to prevent IP address spoofing using CLI	II
4.4	Discuss the caveats to be considered when building ACLs	II
5.0</...

Ccna Security Picture

Ccna Security Photo

Ccna Security Picture

Ccna Security Photo

Most helpful customer reviews

10 of 10 people found the following review helpful.
USE FOR PRIMER ONLY
By Quinlan Rakin
DON'T BUY! ABSOLUTELY WORTHLESS FOR THE EXAM. This book should be billed as a primer only. It contains good introductory-level information but was nowhere near the level of depth of information required on the actual exam. The cover says it has "realistic exam questions." Not so. I passed all practice exams with ease, but on the actual exam, the level of granularity on the questions was much more in-depth than anything covered in the book. This book in no way, shape, or form prepares you for the exam. Like I said, good as an intro to the subject but definitely NOT good for exam preparation. Sorry to disappoint, but either they changed the exam to make it harder, or whoever advertised the book over-reached on their claims for how the book would prepare you. In any case, if it ever was good, it is NOT good for this exam any longer. DON'T BUY!

3 of 3 people found the following review helpful.
Redundant, all over the place, typos
By Worldmac1
Let me just say this....This book is overkill. It is just words. It has redundant information in all the wrong areas, misspellings, incorrect IP addresses, and one other pet peeve of mine is this. When you have illustrations, try to have them on the same layout as the description. It is so difficult to read about an example and have to turn the page to view it back and forth - back and forth. I also found that most of the time the descriptions of the illustrated examples were vague as well. I have read Wendell Odom's Intro and ICND set as well as the ICND1 ICND2 set. I have read Jeremy Cioara's (CBT Nuggets Trainer) CCNA-Voice book about halfway and all of these Cisco Press books were well written. My head hurts from trying to obtain the CCNA-Sec knowledge in this one. I am very disappointed. I have started reading Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide) by Catherine Paquet, and it is a much better written book. Visit [...] for others commenting on this book. I am very surprised Cisco allowed this book through.

I give it 2 stars because of the Boson Testing sim on CD...

2 of 2 people found the following review helpful.
Uneven presentation
By Netwiz49
Network Security is a very broad topic. Any book that attempts so cover its many aspects is certainly taking on a very difficult task. That being said, how does this book fair? Not thrilling, but not exceptionally bad either. Let's face it, Cisco exams have become very difficult, and its nearly impossible to pass their exams without arduous effort. One needs good resources (and a good lab). On many of the topics, this book does a reasonable job. My biggest complaint is that its firewall coverage is just terrible. That chapter is confusing, uneven, disorganized, lacking in proper examples and should be completely redone.

I retired a year ago as a network engineer with 30 years experience, the last 10 as a network security specialist. I've decided to do a little consulting work and figured I'd refresh my Cisco certifications to insure I was current. I previously had a CCNP and CCSP (with firewall, VPN, and IDS specializations). I've worked on PIX, ASA, Checkpoint, Netscreen, Sonicwall and Fortinet firewalls. I've also worked on F5 and IBM application layer gateways (proxies). I've taught Information Systems Security at the university level. Needless to say, I felt my background qualifies me to deal with a basic, entry level exam. However, after reading the firewall chapter in this book, I felt totally lost and confused. The Paquet book ("Implementing Cisco IOS Network Security") does a much better job on all the topics related to firewalls. Read both books and the supporting Cisco documentation on selected topics (like Zone Based Firewalls and CBAC) if you expect to pass this exam. I'll sit this exam in about two weeks. Hope my experience doesn't hinder my success.

See all 16 customer reviews...