CCIE Written Lab

  • 1992-2012 Cisco Systems Inc. All Rights Reserved. Generated on 2012-06-09-06:00

    CCIE Security Lab Exam v3.0 Checklist

    Expansion of the Security Lab v3.0 Exam Topics

    Detailed Checklist of Topics to Be Covered

    Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.

    We would like to get your feedback; please comment on and/or rate this document.

    1.0 Implementing Secure Networks Using Cisco ASA Firewalls

    Configuring and Troubleshooting Cisco ASA Firewalls

    1.01. Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)

    1.02. Understanding Security Levels (Same Security Interface)

    1.03. Understanding Single vs. Multimode

    1.04. Understanding Firewall vs. Transparent Mode

    1.05. Understanding Multiple Security Contexts

    1.06. Understanding Shared Resources for Multiple Contexts

    1.07. Understanding Packet Classification in Multiple-Contexts Mode

    1.08. VLAN Subinterfaces Using 802.1Q Trunking

    1.09. Multiple-Mode Firewall with Outside Access

    1.10. Single-Mode Firewall Using the Same Security Level

    1.11. Multiple-Mode, Transparent Firewall

    1.12. Single-Mode, Transparent Firewall with NAT

    1.13. ACLs in Transparent Firewall (for Pass-Through Traffic)

    1.14. Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)

    1.15. Understanding Static vs. Dynamic Routing

    1.16. Static Routes

    1.17. RIP with Authentication

    1.18. OSPF with Authentication

    1.19. EIGRP with Authentication

    1.20. Managing Multiple Routing Instances

    1.21. Redistribution Between Protocols

    1.22. Route Summarization

    1.23. Route Filtering

    1.24. Static Route Tracking Using an SLA

    1.25. Dual ISP Support Using Static Route Tracking

    1.26. Redundant Interface Pair

    1.27. LAN-Based Active/Standby Failover (Routed Mode)

    1.28. LAN-Based Active/Active Failover (Routed Mode)

    1.29. LAN-Based Active/Standby Failover (Transparent Mode)

    1.30. LAN-Based Active/Active Failover (Transparent Mode)

    1.31. Stateful Failover Link

    1.32. Device Access Management

    1.33. Enabling Telnet

    1.34. Enabling SSH

    1.35. The nat-control Command vs. no nat-control Command

    1.36. Enabling Address Translation (NAT, Global, and Static)

    1.37. Dynamic NAT

    1.38. Dynamic PAT

    1.39. Static NAT

    1.40. Static PAT

    1.41. Policy NAT

    1.42. Destination NAT

    1.43. Bypassing NAT When NAT Control Is Enabled Using Identity NAT

    1.44. Bypassing NAT When NAT Control Is Enabled Using NAT Exemption

    1.45. Port Redirection Using NAT

    1.46. Tuning Default Connection Limits and Timeouts

    1.47. Basic Interface Access Lists and Access Group (Inbound and Outbound)

    1.48. Time-Based Access Lists

    1.49. ICMP Commands

    1.50. Enabling Syslog and Parameters

    1.51. NTP with Authentication

    1.52. Object Groups (Network, Protocol, ICMP, and Services)

    1.53. Nested Object Groups

    1.54. URL Filtering

    1.55. Java Filtering

    1.56. ActiveX Filtering

    1.57. ARP Inspection

    1.58. Modular Policy Framework (MPF)

    1.59. Application-Aware Inspection

    1.60. Identifying Injected Errors in Troubleshooting Scenarios

    1.61. Understanding and Interpreting Adaptive Security Appliance show and debug Outputs

    1.62. Understanding and Interpreting the packet-tracer and capture Commands

    2.0 Implementing Secure Networks Using Cisco IOS Firewalls

    Configuring and Troubleshooting Cisco IOS Firewalls

    2.01. Zone-Based Policy Firewall Using Multiple-Zone Scenarios

    2.02. Transparent Cisco IOS Firewall (Layer 2)

    2.03. Context-Based Access Control (CBAC)

    2.04. Proxy Authentication (Auth Proxy)

    2.05. Port-to-Application Mapping (PAM) Usage with ACLs

    2.06. Use of PAM to Change System Default Ports

    2.07. PAM Custom Ports for Specific Applications

    2.08. Mapping Nonstandard Ports to Standard Applications

    2.09. Performance Tuning

    2.10. Tuning Half-Open Connections

    2.11. Understanding and Interpreting the show ip port-map Commands

    2.12. Understanding and Interpreting the show ip inspect Commands

    2.13. Understanding and Interpreting the debug ip inspect Commands

    2.14. Understanding and Interpreting the show zone|zone-pair Commands

    2.15. Understanding and Interpreting the debug zone Commands

    3.0 Implementing Secure Networks Using Cisco VPN Solutions

    Configuring and Troubleshooting Cisco VPN Solutions

    3.01. Understanding Cryptographic Protocols (ISAKMP, IKE, ESP, Authentication Header, CA)

    3.02. IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance

    3.03. Configuring VPNs Using ISAKMP Profiles

    3.04. Configuring VPNs Using IPsec Profiles

    3.05. GRE over IPsec Using IPsec Profiles

    3.06. Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)

    3.07. Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)

    3.08. Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)

    3.09. Understanding DMVPN architecture (NHRP, mGRE, IPsec, Routing)

    3.10. DMVPN Using NHRP and mGRE (Hub-and-Spoke)

    3.11. DMVPN Using NHRP and mGRE (Full-Mesh)

    3.12. DMVPN Through Firewalls and NAT Devices

    3.13. Understanding GET VPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)

    3.14. Implementing GET VPN (Using Preshared Keys and Certificates)

    3.15. GET VPN Unicast Rekey

    3.16. GET VPN Multicast Rekey

    3.17. GET VPN Group Member Authorization List

    3.18. GET VPN Key Server Redundancy

    3.19. GET VPN Through Firewalls and NAT Devices

    3.20. Integrating GET VPN with a DMVPN Solution

    3.21. Basic VRF-Aware IPsec

    3.22. Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)

    3.23. CA Enrollment Process on a Router Client

    3.24. CA Enrollment Process on a Cisco ASA Security Appliance Client

    3.25. CA Enrollment Process on a PC Client

    3.26. Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)

    3.27. AnyConnect VPN Client on Cisco IOS Software

    3.28. AnyConnect VPN Client on the Cisco ASA Security Appliance

    3.29. Remote Access Using a Traditional Cisco VPN Client on a Cisco IOS Router

    3.30. Remote Access Using a Traditional Cisco VPN Client on a Cisco ASA Security Appliance

    3.31. Cisco Easy VPN Router Server and Router Client (Using DVTI)

    3.32. Cisco Easy VPN Router Server and Router Client (Using Classical Style)

    3.33. Cisco Easy VPN Cisco ASA Server and Router Client

    3.34. Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)

    3.35. Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance

    3.36. Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance

    3.37. Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance

    3.38. Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance

    3.39. High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)

    3.40. High Availability Using Link Resiliency (with Loopback Interface for Peering)

    3.41. High Availability Using HSRP and RRI

    3.42. High Availability Using IPsec Backup Peers

    3.43. High Availability Using GRE over IPsec (Dynamic Routing)

    3.44. Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance

    3.45. Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)

    3.46. Understanding and Interpreting the show crypto Commands

    3.47. Understanding and Interpreting the debug crypto Commands

    4.0 Configuring Cisco IPS to Mitigate Network Threats

    Configuring and Troubleshooting Cisco IPS

    4.01. Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)

    4.02. Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)

    4.03. Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)

    4.04. Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)

    4.05. Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring

    4.06. Initialization Basic Sensor (IP Address, Mask, Default Route, etc.)

    4.07. Troubleshooting Basic Connectivity Issues

    4.08. Managing Sensor ACLs

    4.09. Allowing Services Ping and Telnet from/to Cisco IPS

    4.10. Enabling Physical Interfaces

    4.11. Promiscuous Mode

    4.12. Inline Interface Mode

    4.13. Inline VLAN Pair Mode

    4.14. VLAN Group Mode

    4.15. Inline Bypass Mode

    4.16. Interface Notifications

    4.17. Understanding the Analysis Engine

    4.18. Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors

    4.19. Understanding and Configuring Virtual Sensors (vs0, vs1)

    4.20. Assigning Interfaces to the Virtual Sensor

    4.21. Understanding and Configuring Event Action Rules (rules0, rules1)

    4.22. Understanding and Configuring Signatures (sig0, sig1)

    4.23. Adding Signatures to Multiple Virtual Sensors

    4.24. Understanding and Configuring Anomaly Detection (ad0, ad1)

    4.25. Using the Cisco IDM (IPS Device Manager)

    4.26. Using Cisco IDM Event Monitoring

    4.27. Displaying Events Triggered Using the Cisco IPS Console

    4.28. Troubleshooting Events Not Triggering

    4.29. Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)

    4.30. SPAN and RSPAN

    4.31. Rate Limiting

    4.32. Configuring Event Action Variables

    4.33. Target Value Ratings

    4.34. Event Action Overrides

    4.35. Event Action Filters

    4.36. Configuring General Settings

    4.37. General Signature Parameters

    4.38. Alert Frequency

    4.39. Alert Severity

    4.40. Event Counter

    4.41. Signature Fidelity Rating

    4.42. Signature Status

    4.43. Assigning Actions to Signatures

    4.44. AIC Signatures

    4.45. IP Fragment Reassembly

    4.46. TCP Stream Reassembly

    4.47. IP Logging

    4.48. Configuring SNMP

    4.49. Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)

    4.50. Creating Custom Signatures (Using the CLI and Cisco IDM)

    4.51. Understanding Various Types of Signature Engines

    4.52. Understanding Various Types of Signature Variables

    4.53. Understanding Various Types of Event Actions

    4.54. Understanding New Cisco IPS 6.0 Features (e.g., Deny Packets for High-Risk Events by Default)

    4.55. Creating a Custom String TCP Signature

    4.56. Creating a Custom Flood Engine Signature

    4.57. Creating a Custom AIC MIME-Type Engine Signature

    4.58. Creating a Custom Service HTTP Signature

    4.59. Creating a Custom Service FTP Signature

    4.60. Creating a Custom ATOMIC.ARP Engine Signature

    4.61. Creating a Custom ATOMIC.IP Engine Signature

    4.62. Creating a Custom TCP Sweep Signature

    4.63. Creating a Custom ICMP Sweep Signature

    4.64. Creating a Custom Trojan Engine Signature

    4.65. Enabling Shunning and Blocking (Enabling Blocking Properties)

    4.66. Shunning on a Router

    4.67. Shunning on the Cisco ASA Security Appliance

    4.68. Enabling the TCP Reset Function

    4.69. Cisco IOS IPS on a Router Using Version 5.x Format Signatures

    4.70. Loading a Version 5.x Signature File onto the Router

    4.71. Understanding the Signature Engines for Cisco IOS IPS

    4.72. Transparent Cisco IOS IPS

    5.0 Implementing Identity Management

    Configuring and Troubleshooting Identity Management

    5.01 Understanding the AAA Framework

    5.02 Understanding the RADIUS Protocol

    5.03 Understanding RADIUS Attributes (Cisco AV-PAIRS)

    5.04 Understanding the TACACS+ Protocol

    5.05 Understanding TACACS+ Attributes

    5.06 Comparison of RADIUS and TACACS+

    5.07 Configuring Basic LDAP Support

    5.08 Overview of Cisco Secure ACS

    5.09 How to Navigate Cisco Secure ACS

    5.10. Cisco Secure ACS Network Settings Parameters

    5.11. Cisco Secure ACS User Settings Parameters

    5.12. Cisco Secure ACS Group Settings Parameters

    5.13. Cisco Secure ACS Shared Profiles Components (802.1X, NAF, NAR, Command Author, Downloadable ACL, etc.)

    5.14. Cisco Secure ACS Shell Command Authorization Sets Using Both Per-Group Setup and Shared Profiles

    5.15. Cisco Secure ACS System Configuration Parameters

    5.16. Cisco Secure ACS Posture Validation Policies for NAC Setup

    5.17. Cisco Secure ACS Using Network Access Profiles (NAPs)

    5.18. Cisco Secure ACS MAC Authentication Bypass (MAB) Using NAP

    5.19. Enabling AAA on a Router for vty Lines

    5.20. Enabling AAA on a Switch for vty Lines

    5.21. Enabling AAA on a Router for HTTP

    5.22. Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols

    5.23. Using Default vs. Named Method Lists

    5.24. Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles

    5.25. Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through Traffic (FTP, Telnet, and HTTP), and Relevant Cisco Secure ACS Profiles

    5.26. Using Virtual Telnet on the Cisco ASA Security Appliance

    5.27. Using Virtual HTTP on the Cisco ASA Security Appliance

    5.28. Downloadable ACLs

    5.29. AAA 802.1X Authentication Using RADIUS on a Switch

    5.30. NAC-L2-802.1X on a Switch

    5.31. NAC-L2-IP on a Switch

    5.32. Troubleshooting Failed AAA Authentication or Authorization

    5.33. Troubleshooting Using Cisco Secure ACS Logs

    5.34. Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance

    5.35. Understanding and Interpreting the debug radius Command

    5.36. Understanding and Interpreting the debug tacacs+ Command

    5.37. Understanding and Interpreting the debug aaa authentication Command

    5.38. Understanding and Interpreting the debug aaa authorization Command

    5.39. Understanding and Interpreting the debug aaa accounting Command

    6.0 Implementing Control Plane and Management Plane Security

    Configuring and Troubleshooting Router Traffic Plane Security

    6.01 Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)

    6.02 Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane

    6.03 Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane

    6.04 Configuring Control Plane Policing (CoPP)

    6.05 Control Plane Rate Limiting

    6.06 Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)

    6.07 Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)

    6.08 MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces

    6.09 Configuring Protocol Authentication

    6.10 Route Filtering and Protocol-Specific Filters

    6.11 ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect, IP Mask Reply, etc.)

    6.12 Selective Packet Discard (SPD)

    6.13 MQC and FPM Types of Service Policy on the CoPP Interface

    6.14 Broadcast Control on a Switch

    6.15 Catalyst Switch Port Security

    6.16 Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)

    6.17 The Generalized TTL Security Mechanism Known as BGP TTL Security Hack (BTSH)

    6.18 Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)

    6.19 SNMP Security

    6.20 System Banners

    6.21 Secure Cisco IOS File Systems

    6.22 Understanding and Enabling Syslog

    6.23 NTP with Authentication

    6.24 Role-Based CLI Views and Cisco Secure ACS Setup

    6.25 Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)

    6.26 Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, SNMP, Syslog, RMON)

    7.0 Configuring Advanced Security

    Configuring and Troubleshooting Advanced Security Features

    7.01 Implementing RFC 1918 Antispoofing Filtering

    7.02 Implementing RFC 2827 Antispoofing Filtering

    7.03 Implementing RFC 2401 Antispoofing Filtering

    7.04 Marking Packets Using DSCP and IP Precedence and Other Values

    7.05 Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)

    7.06 RTBH Filtering (Remote Triggered Black Hole)

    7.07 Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)

    7.08 Managing Time-Based Access Lists

    7.09 Enabling NAT and PAT on a Router

    7.10 Conditional NAT on a Router

    7.11 Multihome NAT on a Router

    7.12 Enabling a TCP Intercept on a Router

    7.13 Enabling a TCP Intercept on the Cisco ASA Security Appliance

    7.14 FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps

    7.15 CAR Rate Limiting with Traffic Classification Using ACLs

    7.16 PBR (Policy-Based Routing) and Use of Route Maps

    7.17 Advanced MQC (Modular QoS CLI) on a Router

    7.18 Advanced Modular Policy Framework (MPF) on the Cisco ASA Security Appliance

    7.19. Classification Using NBAR

    7.20. Understanding and Enabling NetFlow on a Router

    7.21 Traffic Policing on a Router

    7.22 Port Security on a Switch

    7.23 Storm Control on a Switch

    7.24 Private VLAN (PVLAN) on a Switch

    7.25 Port Blocking on a Switch

    7.26 Port ACL on a Switch

    7.27 MAC ACL on a Switch

    7.28 VLAN ACL on a Switch

    7.29 Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch

    7.30 DHCP Snooping on a Switch

    7.31 IP Source Guard on a Switch

    7.32 Dynamic ARP Inspection (DAI) on a Switch

    7.33 Disabling DTP on All Nontrunking Access Ports

    8.0 Identifying and Mitigating Network Attacks

    Configuring and Troubleshooting Network Attacks

    Note: This section uses the same products and technologies discussed in all the previous sections above, particularly the Configuring Advanced Security section, but with greater focus and emphasis on reactive measures and attack mitigation.

    8.01 Concept of Proactive vs. Reactive Measures

    8.02 Knowledge of Protocols: TCP, UDP, HTTP, SMTP, ICMP, FTP

    8.03 Knowledge of Common Attacks: Network Reconnaissance, IP Spoofing, DHCP Snooping, DNS Spoofing, MAC Spoofing, ARP Snooping, Fragment Attack, Smurf Attack, TCP SYN Attack

    8.04 Understanding and Interpreting ARP Header Structure

    8.05 Understanding and Interpreting IP Header Structure

    8.06 Understanding and Interpreting TCP Header Structure

    8.07 Understanding and Interpreting UDP Header Structure

    8.08 Understanding and Interpreting HTTP Header Structure

    8.09 Understanding and Interpreting ICMP Header Structure

    8.10 Understanding and Interpreting ICMP Type Name and Codes

    8.11 Understanding and Interpreting Syslog Messages

    8.12 Understanding and Interpreting Packet Capture Outputs (Sniffer, Ethereal, Wireshark, TCPDump)

    8.13 Understanding Different Types of Attack Vectors

    8.14 Interpreting Various show and debug Outputs

    8.15 Traffic Characterization

    8.16 Packet Classification

    8.17 Packet-Marking Techniques

    8.18 Classifying Attack Patterns Using FPM

    8.19 Memorizing Common Protocol and Port Numbers

    8.20 Preventing an ICMP Attack Using ACLs

    8.21 Preventing an ICMP Attack Using NBAR

    8.22 Preventing an ICMP Attack Using Policing

    8.23 Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance

    8.24 Preventing a SYN Attack Using ACLs

    8.25 Preventing a SYN Attack Using NBAR

    8.26 Preventing a SYN Attack Using Policing

    8.27 Preventing a SYN Attack Using CBAC

    8.28 Preventing a SYN Attack Using CAR

    8.29 Preventing a SYN Attack Using a TCP Intercept

    8.30 Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance

    8.31 Preventing Application Protocol-Specific Attacks Using FPM (e.g., HTTP, SMTP)

    8.32 Preventing Application Protocol-Specific Attacks Using NBAR (e.g., HTTP, SMTP)

    8.33 Preventing Application Protocol-Specific Attacks Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance (e.g., HTTP, SMTP)

    8.34 Preventing IP Spoofing Attacks Using Antispoofing ACLs

    8.35 Preventing IP Spoofing Attacks Using uRPF

    8.36 Preventing IP Spoofing Attacks Using IP Source Guard

    8.37 Preventing Fragment Attacks Using ACLs

    8.38 Preventing MAC Spoofing Attacks Using Port Security

    8.39 Preventing ARP Spoofing Attacks Using DAI

    8.40 Preventing VLAN Hopping Attacks Using the switchport mode access Command

    8.41 Preventing STP Attacks Using the Root Guard or BPDU Guard

    8.42 Preventing DHCP Spoofing Attacks Using Port Security

    8.43 Preventing DHCP Spoofing Attacks Using DAI

    8.44 Preventing Port Redirection Attacks Using ACLs