CCIE Security Lab Exam v3.0 Checklist
Expansion of the Security Lab v3.0 Exam Topics (Blueprint)
Detailed Checklist of Topics to Be Covered

Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.

We would like to get your feedback; please comment on and/or rate this document.

1.0 Implementing Secure Networks Using Cisco ASA Firewalls
Configuring and Troubleshooting Cisco ASA Firewalls
1.01 Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)
1.02 Understanding Security Levels (Same Security Interface)
1.03 Understanding Single vs. Multimode
1.04 Understanding Firewall vs. Transparent Mode
1.05 Understanding Multiple Security Contexts
1.06 Understanding Shared Resources for Multiple Contexts
1.07 Understanding Packet Classification in Multiple-Contexts Mode
1.08 VLAN Subinterfaces Using 802.1Q Trunking
1.09 Multiple-Mode Firewall with Outside Access
1.10 Single-Mode Firewall Using the Same Security Level
1.11 Multiple-Mode, Transparent Firewall
1.12 Single-Mode, Transparent Firewall with NAT
1.13 ACLs in Transparent Firewall (for Pass-Through Traffic)
1.14 Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)
1.15 Understanding Static vs. Dynamic Routing
1.16 Static Routes
1.17 RIP with Authentication
1.18 OSPF with Authentication
1.19 EIGRP with Authentication
1.20 Managing Multiple Routing Instances
1.21 Redistribution Between Protocols
1.22 Route Summarization
1.23 Route Filtering
1.24 Static Route Tracking Using an SLA
1.25 Dual ISP Support Using Static Route Tracking
1.26 Redundant Interface Pair
1.27 LAN-Based Active/Standby Failover (Routed Mode)
1.28 LAN-Based Active/Active Failover (Routed Mode)
1.29 LAN-Based Active/Standby Failover (Transparent Mode)
1.30 LAN-Based Active/Active Failover (Transparent Mode)
1.31 Stateful Failover Link
1.32 Device Access Management
1.33 Enabling Telnet
1.34 Enabling SSH
1.35 The nat-control Command vs. the no nat-control Command
1.36 Enabling Address Translation (NAT, Global, and Static)
1.37 Dynamic NAT
1.38 Dynamic PAT
1.39 Static NAT
1.40 Static PAT
1.41 Policy NAT
1.42 Destination NAT
1.43 Bypassing NAT When NAT Control Is Enabled Using Identity NAT
1.44 Bypassing NAT When NAT Control Is Enabled Using NAT Exemption
1.45 Port Redirection Using NAT
1.46 Tuning Default Connection Limits and Timeouts
1.47 Basic Interface Access Lists and Access Group (Inbound and Outbound)
1.48 Time-Based Access Lists
1.49 ICMP Commands
1.50 Enabling Syslog and Parameters
1.51 NTP with Authentication
1.52 Object Groups (Network, Protocol, ICMP, and Services)
1.53 Nested Object Groups
1.54 URL Filtering
1.55 Java Filtering
1.56 ActiveX Filtering
1.57 ARP Inspection
1.58 Modular Policy Framework (MPF)
1.59 Application-Aware Inspection
1.60 Identifying Injected Errors in Troubleshooting Scenarios
1.61 Understanding and Interpreting Adaptive Security Appliance show and debug Outputs
1.62 Understanding and Interpreting the packet-tracer and capture Commands

2.0 Implementing Secure Networks Using Cisco IOS Firewalls
Configuring and Troubleshooting Cisco IOS Firewalls
2.01 Zone-Based Policy Firewall Using Multiple-Zone Scenarios
2.02 Transparent Cisco IOS Firewall (Layer 2)
2.03 Context-Based Access Control (CBAC)
2.04 Proxy Authentication (Auth Proxy)
2.05 Port-to-Application Mapping (PAM) Usage with ACLs
2.06 Use of PAM to Change System Default Ports
2.07 PAM Custom Ports for Specific Applications
2.08 Mapping Nonstandard Ports to Standard Applications
2.09 Performance Tuning
2.10 Tuning Half-Open Connections
2.11 Understanding and Interpreting the show ip port-map Commands
2.12 Understanding and Interpreting the show ip inspect Commands
2.13 Understanding and Interpreting the debug ip inspect Commands
2.14 Understanding and Interpreting the show zone|zone-pair Commands
2.15 Understanding and Interpreting the debug zone Commands

3.0 Implementing Secure Networks Using Cisco VPN Solutions
Configuring and Troubleshooting Cisco VPN Solutions
3.01 Understanding Cryptographic Protocols (ISAKMP, IKE, ESP, Authentication Header, CA)
3.02 IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
3.03 Configuring VPNs Using ISAKMP Profiles
3.04 Configuring VPNs Using IPsec Profiles
3.05 GRE over IPsec Using IPsec Profiles
3.06 Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)
3.07 Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)
3.08 Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
3.09 Understanding DMVPN Architecture (NHRP, mGRE, IPsec, Routing)
3.10 DMVPN Using NHRP and mGRE (Hub-and-Spoke)
3.11 DMVPN Using NHRP and mGRE (Full-Mesh)
3.12 DMVPN Through Firewalls and NAT Devices
3.13 Understanding GET VPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)
3.14 Implementing GET VPN (Using Preshared Keys and Certificates)
3.15 GET VPN Unicast Rekey
3.16 GET VPN Multicast Rekey
3.17 GET VPN Group Member Authorization List
3.18 GET VPN Key Server Redundancy
3.19 GET VPN Through Firewalls and NAT Devices
3.20 Integrating GET VPN with a DMVPN Solution
3.21 Basic VRF-Aware IPsec
3.22 Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
3.23 CA Enrollment Process on a Router Client
3.24 CA Enrollment Process on a Cisco ASA Security Appliance Client
3.25 CA Enrollment Process on a PC Client
3.26 Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
3.27 AnyConnect VPN Client on Cisco IOS Software
3.28 AnyConnect VPN Client on the Cisco ASA Security Appliance
3.29 Remote Access Using a Traditional Cisco VPN Client on a Cisco IOS Router
3.30 Remote Access Using a Traditional Cisco VPN Client on a Cisco ASA Security Appliance
3.31 Cisco Easy VPN Router Server and Router Client (Using DVTI)
3.32 Cisco Easy VPN Router Server and Router Client (Using Classical Style)
3.33 Cisco Easy VPN Cisco ASA Server and Router Client
3.34 Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
3.35 Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance
3.36 Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
3.37 Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance
3.38 Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
3.39 High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)
3.40 High Availability Using Link Resiliency (with Loopback Interface for Peering)
3.41 High Availability Using HSRP and RRI
3.42 High Availability Using IPsec Backup Peers
3.43 High Availability Using GRE over IPsec (Dynamic Routing)
3.44 Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
3.45 Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)
3.46 Understanding and Interpreting the show crypto Commands
3.47 Understanding and Interpreting the debug crypto Commands

4.0 Configuring Cisco IPS to Mitigate Network Threats
Configuring and Troubleshooting Cisco IPS
4.01 Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)
4.02 Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)
4.03 Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)
4.04 Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)
4.05 Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring
4.06 Initializing the Basic Sensor (IP Address, Mask, Default Route, etc.)
4.07 Troubleshooting Basic Connectivity Issues
4.08 Managing Sensor ACLs
4.09 Allowing Services Ping and Telnet from/to Cisco IPS
4.10 Enabling Physical Interfaces
4.11 Promiscuous Mode
4.12 Inline Interface Mode
4.13 Inline VLAN Pair Mode
4.14 VLAN Group Mode
4.15 Inline Bypass Mode
4.16 Interface Notifications
4.17 Understanding the Analysis Engine
4.18 Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors
4.19 Understanding and Configuring Virtual Sensors (vs0, vs1)
4.20 Assigning Interfaces to the Virtual Sensor
4.21 Understanding and Configuring Event Action Rules (rules0, rules1)
4.22 Understanding and Configuring Signatures (sig0, sig1)
4.23 Adding Signatures to Multiple Virtual Sensors
4.24 Understanding and Configuring Anomaly Detection (ad0, ad1)
4.25 Using the Cisco IDM (IPS Device Manager)
4.26 Using Cisco IDM Event Monitoring
4.27 Displaying Events Triggered Using the Cisco IPS Console
4.28 Troubleshooting Events Not Triggering
4.29 Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)
4.30 SPAN and RSPAN
4.31 Rate Limiting
4.32 Configuring Event Action Variables
4.33 Target Value Ratings
4.34 Event Action Overrides
4.35 Event Action Filters
4.36 Configuring General Settings
4.37 General Signature Parameters
4.38 Alert Frequency
4.39 Alert Severity
4.40 Event Counter
4.41 Signature Fidelity Rating
4.42 Signature Status
4.43 Assigning Actions to Signatures
4.44 AIC Signatures
4.45 IP Fragment Reassembly
4.46 TCP Stream Reassembly
4.47 IP Logging
4.48 Configuring SNMP
4.49 Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)
4.50 Creating Custom Signatures (Using the CLI and Cisco IDM)
4.51 Understanding Various Types of Signature Engines
4.52 Understanding Various Types of Signature Variables
4.53 Understanding Various Types of Event Actions
4.54 Understanding New Cisco IPS 6.0 Features (e.g., Deny Packets for High-Risk Events by Default)
4.55 Creating a Custom String TCP Signature
4.56 Creating a Custom Flood Engine Signature
4.57 Creating a Custom AIC MIME-Type Engine Signature
4.58 Creating a Custom Service HTTP Signature
4.59 Creating a Custom Service FTP Signature
4.60 Creating a Custom ATOMIC.ARP Engine Signature
4.61 Creating a Custom ATOMIC.IP Engine Signature
4.62 Creating a Custom TCP Sweep Signature
4.63 Creating a Custom ICMP Sweep Signature
4.64 Creating a Custom Trojan Engine Signature
4.65 Enabling Shunning and Blocking (Enabling Blocking Properties)
4.66 Shunning on a Router
4.67 Shunning on the Cisco ASA Security Appliance
4.68 Enabling the TCP Reset Function
4.69 Cisco IOS IPS on a Router Using Version 5.x Format Signatures
4.70 Loading a Version 5.x Signature File onto the Router
4.71 Understanding the Signature Engines for Cisco IOS IPS
4.72 Transparent Cisco IOS IPS

5.0 Implementing Identity Management
Configuring and Troubleshooting Identity Management
5.01 Understanding the AAA Framework
5.02 Understanding the RADIUS Protocol
5.03 Understanding RADIUS Attributes (Cisco AV-PAIRS)
5.04 Understanding the TACACS+ Protocol
5.05 Understanding TACACS+ Attributes
5.06 Comparison of RADIUS and TACACS+
5.07 Configuring Basic LDAP Support
5.08 Overview of Cisco Secure ACS
5.09 How to Navigate Cisco Secure ACS
5.10 Cisco Secure ACS Network Settings Parameters
5.11 Cisco Secure ACS User Settings Parameters
5.12 Cisco Secure ACS Group Settings Parameters
5.13 Cisco Secure ACS Shared Profiles Components (802.1X, NAF, NAR, Command Author, Downloadable ACL, etc.)
5.14 Cisco Secure ACS Shell Command Authorization Sets Using Both Per-Group Setup and Shared Profiles
5.15 Cisco Secure ACS System Configuration Parameters
5.16 Cisco Secure ACS Posture Validation Policies for NAC Setup
5.17 Cisco Secure ACS Using Network Access Profiles (NAPs)
5.18 Cisco Secure ACS MAC Authentication Bypass (MAB) Using NAP
5.19 Enabling AAA on a Router for vty Lines
5.20 Enabling AAA on a Switch for vty Lines
5.21 Enabling AAA on a Router for HTTP
5.22 Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols
5.23 Using Default vs. Named Method Lists
5.24 Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles
5.25 Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through Traffic (FTP, Telnet, and HTTP), and Relevant Cisco Secure ACS Profiles
5.26 Using Virtual Telnet on the Cisco ASA Security Appliance
5.27 Using Virtual HTTP on the Cisco ASA Security Appliance
5.28 Downloadable ACLs
5.29 AAA 802.1X Authentication Using RADIUS on a Switch
5.30 NAC-L2-802.1X on a Switch
5.31 NAC-L2-IP on a Switch
5.32 Troubleshooting Failed AAA Authentication or Authorization
5.33 Troubleshooting Using Cisco Secure ACS Logs
5.34 Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance
5.35 Understanding and Interpreting the debug radius Command
5.36 Understanding and Interpreting the debug tacacs+ Command
5.37 Understanding and Interpreting the debug aaa authentication Command
5.38 Understanding and Interpreting the debug aaa authorization Command
5.39 Understanding and Interpreting the debug aaa accounting Command

6.0 Implementing Control Plane and Management Plane Security
Configuring and Troubleshooting Router Traffic Plane Security
6.01 Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)
6.02 Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane
6.03 Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane
6.04 Configuring Control Plane Policing (CoPP)
6.05 Control Plane Rate Limiting
6.06 Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)
6.07 Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)
6.08 MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces
6.09 Configuring Protocol Authentication
6.10 Route Filtering and Protocol-Specific Filters
6.11 ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect, IP Mask Reply, etc.)
6.12 Selective Packet Discard (SPD)
6.13 MQC and FPM Types of Service Policy on the CoPP Interface
6.14 Broadcast Control on a Switch
6.15 Catalyst Switch Port Security
6.16 Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)
6.17 The Generalized TTL Security Mechanism Known as “BGP TTL Security Hack” (BTSH)
6.18 Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)
6.19 SNMP Security
6.20 System Banners
6.21 Secure Cisco IOS File Systems
6.22 Understanding and Enabling Syslog
6.23 NTP with Authentication
6.24 Role-Based CLI Views and Cisco Secure ACS Setup
6.25 Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)
6.26 Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, SNMP, Syslog, RMON)

7.0 Configuring Advanced Security
Configuring and Troubleshooting Advanced Security Features
7.01 Implementing RFC 1918 Antispoofing Filtering
7.02 Implementing RFC 2827 Antispoofing Filtering
7.03 Implementing RFC 2401 Antispoofing Filtering
7.04 Marking Packets Using DSCP and IP Precedence and Other Values
7.05 Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
7.06 RTBH Filtering (Remote Triggered Black Hole)
7.07 Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)
7.08 Managing Time-Based Access Lists
7.09 Enabling NAT and PAT on a Router
7.10 Conditional NAT on a Router
7.11 Multihome NAT on a Router
7.12 Enabling a TCP Intercept on a Router
7.13 Enabling a TCP Intercept on the Cisco ASA Security Appliance
7.14 FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps
7.15 CAR Rate Limiting with Traffic Classification Using ACLs
7.16 PBR (Policy-Based Routing) and Use of Route Maps
7.17 Advanced MQC (Modular QoS CLI) on a Router
7.18 Advanced Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
7.19 Classification Using NBAR
7.20 Understanding and Enabling NetFlow on a Router
7.21 Traffic Policing on a Router
7.22 Port Security on a Switch
7.23 Storm Control on a Switch
7.24 Private VLAN (PVLAN) on a Switch
7.25 Port Blocking on a Switch
7.26 Port ACL on a Switch
7.27 MAC ACL on a Switch
7.28 VLAN ACL on a Switch
7.29 Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch
7.30 DHCP Snooping on a Switch
7.31 IP Source Guard on a Switch
7.32 Dynamic ARP Inspection (DAI) on a Switch
7.33 Disabling DTP on All Nontrunking Access Ports

8.0 Identifying and Mitigating Network Attacks
Configuring and Troubleshooting Network Attacks
Note: This section uses the same products and technologies discussed in all the previous sections above, particularly the