CCSP SNPA Official Exam Certification Guide, 3/e

Assessment, review, and practice for CCSP SNPA exam 642-522

 

The official study guide helps you master all the topics on the SNPA exam, including:

• Firewall technologies
• Cisco Security Appliance translation and connection
• Access control configuration
• Modular policy framework
• Security contexts
• Syslog
• Routing protocol support
• Failover
• Virtual private networks (VPN)
• Adaptive Security Device Manager (ASDM)
• Content filtering
• Authentication, authorization, and accounting (AAA) configuration
• Intrusion Prevention Systems (IPS) and advanced protocol handling

CCSP SNPA Official Exam Certification Guide, Third Edition, is a best-of-breed Cisco® exam study guide that focuses specifically on the objectives for the Securing Networks with PIX and ASA (SNPA) exam. Network security consultant, Michael Gibbs, shares preparation hints and test-taking tips, helping you identify areas of weakness and improve your knowledge of firewall and Adaptive Security Appliance (ASA) security. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

 

This guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section. Exam topic lists and Foundation Summary tables make referencing easy and give you a quick refresher whenever you need it. Challenging chapter-ending review questions help you assess your knowledge and reinforce key concepts.

 

The companion CD-ROM contains a powerful testing engine that allows you to focus on individual topic areas or take complete, timed exams. The assessment engine also tracks your performance and provides feedback on a module-by-module basis, presenting question-by-question remediation to the text.

 

Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this book helps you master the concepts and techniques that will enable you to succeed on the exam the first time.

 

CCSP SNPA Official Exam Certification Guide, Third Edition, is part of a recommended learning path from Cisco Systems® that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, visit www.cisco.com/go/authorizedtraining.

 

Companion CD-ROM

The CD-ROM contains an electronic copy of the book and more than 200 practice questions for the SNPA exam, all available in study mode, test mode, and flash card format.

 

This volume is part of the Exam Certification Guide Series from Cisco Press®. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.

 

 

 

Table of Contents

Chapter 1       Network Security

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation and Supplemental Topics

           Overview of Network Security

           Vulnerabilities, Threats, and Attacks

                     Vulnerabilities

                     Threats

                     Types of Attacks

           Security Policies

                     Step 1: Secure

                     Step 2: Monitor

                     Step 3: Test

                     Step 4: Improve

           Network Security as a “Legal Issue”

           Defense in Depth

           Cisco AVVID and Cisco SAFE

                     Cisco AVVID?

                     Cisco SAFE

           Foundation Summary

                     Network Security

                     Vulnerabilities, Threats, and Attacks

                     Vulnerabilities

                     Threats

                     Attacks

                     Security Policies

                     Network Security as a Process

                     Defense in Depth

                     Cisco AVVID

                     Cisco SAFE

                     Key Terms

           Q&A

Chapter 2       Firewall Technologies and‡the‡Cisco Security Appliance

            How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Firewall Technologies

                     Packet Filtering

                     Proxy

                     Stateful Packet Inspection

           Cisco PIX Firewall

                     Secure Real-Time Embedded System

                     Adaptive Security Algorithm

                   Cut-Through Proxy

                     Security Contexts (Virtual Firewall)

                     Redundancy

           Foundation Summary

                     Firewall Technologies

                     Cisco Security Appliance

           Q&A

Chapter 3       Cisco Security Appliance

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Overview of the Cisco Security Appliance

                     ASA

                     Cut-Through Proxy

           Cisco PIX Firewall Models and Features

                     Intrusion Protection

                     AAA Support

                     X.509 Certificate Support

                     Modular Policy Framework

                     Network Address Translation/Port Address Translation

                     Firewall Management

                     Simple Network Management Protocol

                     Syslog Support

                     Security Contexts

                     Transparent Firewalls

                     Virtual Private Networks

                     Optional Firewall Components

           PIX Firewall Model Capabilities

                     Cisco PIX 501

                     Cisco PIX 506E

                     Cisco PIX 515E

                     Cisco PIX 525

                     Cisco PIX 535

           Cisco ASA Security Model Capabilities

                     Cisco ASA 5510 Security Appliance

                     Cisco ASA 5520 Security Appliance

                     Cisco ASA 5540 Security Appliance

           Foundation Summary

                     Adaptive Security Algorithm

                     Cut-Through Proxy

                     Cisco PIX Firewall Models and Features

                     Cisco ASA Security Appliance Models and Features

                     Intrusion Protection

                     AAA Support

                     X.509 Certificate Support

                     Modular Policy Framework

                     NAT/PAT

                     Firewall Management

                     SNMP

                     Syslog Support

                     Virtual Private Networks

                     Security Context

                     Cisco Security Appliance Models

           Q&A

Chapter 4       System Management/Maintenance

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Accessing Cisco Security Appliance

                     Accessing a Cisco Security Appliance with Telnet

                     Accessing the Cisco Security Appliance with Secure Shell

           Command-Level Authorization

           Installing a New Operating System

                     Upgrading Your Activation Key

           Upgrading the Cisco Security Appliance Operating System

           Upgrading the Operating System Using the copy tftp flash‡Command

                     Upgrading the Operating System Using Monitor Mode

                     Upgrading the OS Using an HTTP Client

           Creating a Boothelper Disk Using a Windows PC

           Password Recovery

                     Cisco PIX Firewall Password Recovery: Getting Started

                     Password Recovery Procedure for a PIX Firewall with a Floppy Drive (PIX‡520)

                     Password Recovery Procedure for a Diskless PIX Firewall
(PIX 501, 506, 506E, 515E, 515, 525, and 535)

                           Password Recovery Procedure for the ASA Security Appliance

           Overview of Simple Network Management Protocol
on the PIX Firewall

           Configuring Simple Network Management Protocol
on Security Appliance

           Troubleshooting Commands

           Foundation Summary

           Q&A

Chapter 5       Understanding Cisco Security Appliance Translation and Connection

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           How the Cisco Security Appliance Handles Traffic

                     Interface Security Levels and the Default Security Policy

                     Transport Protocols

           Address Translation

                     Translation Commands

                     NAT

                     PAT

                     Static Translation

                     Using the static Command for Port Redirection

                     Configuring Multiple Translation Types on the Cisco Security Appliance

                     Bidirectional NAT

           Translation Versus Connection

           Configuring DNS Support

           Foundation Summary

           Q&A

Chapter 6       Getting Started with the Cisco Security Appliance Family of Firewalls

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Access Modes

           Configuring a Cisco Security Appliance

                     interface Command

                     security-level Command

                     nameif Command

                     ip address Command

                     nat Command

                     speed Command

                     duplex Command

                     nat-control Command

                     global Command

                     route Command

                     Routing Information Protocol

                     Testing Your Configuration

                     Saving Your Configuration

           Support for Domain Name System Messages

           Configuring Dynamic Host Configuration Protocol on the Cisco Security Appliance

                     Using the Cisco Security Appliance DHCP Server

                     Configuring the Security Appliance DHCP Client

           Configuring Time Settings on the Cisco Security Appliance

NTP

                     Cisco Security Appliance System Clock

           Configuring Login Banners on the Cisco Security Appliance

           Configuring Transparent Mode

                     Enabling Transparent Mode

                     Traffic Management in Transparent Mode

                     Monitoring in Transparent Mode

           Sample Security Appliance Configuration

           Foundation Summary

           Q&A

Chapter 7       Configuring Access

           How Best to Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Configuring Inbound Access Through a Cisco Security Appliance

                     Static NAT

                     Static PAT

                     TCP Intercept Feature

                     nat 0 Command

                     Policy NAT

                     Access Lists

           Object Grouping

                     network Object Type

                     protocol Object Type

                     service Object Type

                     icmp-type Object Type

                     Nesting Object Groups

                     ACL Logging

           Advanced Protocol Handling

                     FTP

                     DNS

                     Simple Mail Transfer Protocol

           Foundation Summary

           Q&A

Chapter 8       Modular Policy Framework

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Modular Policy Framework Overview

           Traffic Flow Matching

                     Step 1: Create a Class Map

                     Step 2: Define Class Map Matches

                     Viewing the Class Map Configuration

           Assigning Actions to a Traffic Class

                     Step 1: Create a Policy Map

                     Step 2: Assign Traffic Classes to the Policy Map

                     Step 3: Assign Policies for Each Class

           Viewing the Policy Map Configuration

           Assigning Policies to an Interface

                     Service Policy Matching Logic

                     Viewing the Service Policy Configuration

                     Viewing the Service Policy Statistics

           Foundation Summary

           Q&A

Chapter 9       Security Contexts

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Security Context Overview

                     Multiple Context Modes

                     Administration Context

           Configuring Security Contexts

                     Creating a New Context

                     Assigning Interfaces to a Context

                     Uploading a Configuration Using the config-url Command

           Managing Security Contexts

                     Deleting Contexts

                     Navigating Multiple Contexts

                     Viewing Context Information

           Step-by-Step Configuration of a Security Context

           Foundation Summary

           Q&A

Chapter 10     Syslog and the Cisco Security Appliance

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           How Syslog Works

                     Logging Facilities

                     Logging Levels

                     How Log Messages Are Organized

                     How to Read System Log Messages

           Configuring Syslog on a Cisco Security Appliance

           Configuring the ASDM to View Logging

                     Configuring Syslog Messages at the Console

                     Sending Syslog Messages to a Telnet Session

                     Configuring the Cisco Security Appliance to Send Syslog Messages to a Log Server

                     Configuring SNMP Traps and SNMP Requests

           Configuring a Syslogd Server

                     PIX Firewall Syslog Server

           Foundation Summary

           Q&A

Chapter 11     Routing and the Cisco Security Appliance

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics and Supplemental Topics

           General Routing Principles

           Ethernet VLAN Tagging

                     Understanding VLANs

                     Understanding Trunk Ports

                     Understanding Logical Interfaces

                     Managing VLANs

           IP Routing

                     Static Routes

                     Dynamic Routes

           Multicast Routing

     Multicast Commands

     Inbound Multicast Traffic

     Outbound Multicast Traffic

     Debugging Multicast

           Foundation Summary

           Q&A

Chapter 12     Cisco Security Appliance Failover

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           What Causes a Failover Event?

           What Is Required for a Failover Configuration?

           Failover Monitoring

           Configuration Replication

           Stateful Failover

           LAN-Based Failover

           Active-Active Failover

           Configuring Failover

           Foundation Summary

           Q&A

Chapter 13     Virtual Private Networks

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           Overview of Virtual Private Network Technologies

                     Internet Protocol Security

                     Internet Key Exchange

                     Perfect Forward Secrecy

                     Certification Authorities

           Overview of WebVPN

                     WebVPN Portal Interface

                     Port Forwarding

           Configuring the Security Appliance as a VPN Gateway

                     Selecting the Configuration

                     Configuring IKE

                     Configuring IPSec

                     Troubleshooting the VPN Connection

           Configuring the Security Appliance as a WebVPN Gateway

                     WebVPN Global Configuration

                     Configuring URLs and File Servers

                     Configuring Port Forwarding

                     Configuring E-Mail Proxies

                     Setting Up Filters and ACLs

           Configuring Security Appliances for Scalable VPNs

           Foundation Summary

           Q&A

           Scenario

                     VPN Configurations

                     Completed PIX Configurations

                     How the Configuration Lines Interact

Chapter 14     Configuring Access VPNs

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation and Supplemental Topics

           Introduction to Cisco Easy VPN

                     Easy VPN Server

                     Easy VPN Remote Feature

           Overview of the Easy VPN Server

                     Major Features

                     Server Functions

                     Supported Servers

           Overview of Easy VPN Remote Feature

                     Supported Clients

                     Easy VPN Remote Connection Process

                     Extended Authentication Configuration

           Easy VPN Remote Modes of Operation

                     Client Mode

                     Network Extension Mode

           Overview of Cisco VPN Software Client

                     Features

                     Specifications

                     Cisco VPN Client Manual Configuration Tasks

           Security Appliance Easy VPN Remote Configuration

                     Basic Configuration

                     Client Device Mode

                     Secure Unit Authentication

                     Individual User Authentication

           Point-to-Point Protocol over Ethernet and the Security Appliance

                     Configuring the VPDN Group

                     Configuring VPDN Group Authentication

                     Assigning the VPDN Group Username

                     Configuring the VPDN Username and Password

                     Enabling the Point-to-Point over Ethernet Client

                     Monitoring the Point-to-Point over Ethernet Client

           Dynamic Host Configuration Protocol Server Configuration

                     DHCP Overview

                     Configuring the Security Appliance DHCP Server

                     DHCP Server Auto Configuration

                     DHCP Debugging Commands

           Foundation Summary

           Q&A

Chapter 15     Adaptive Security Device Manager

           How to Best Use This Chapter

           “Do I Know This Already?” Quiz

           Foundation Topics

           ASDM Overview

           Security Appliance Requirements to Run ASDM

                     ASDM Workstation Requirement

                     ASDM Installation

                     Using ASDM to Configure the Cisco Security Appliance

                     Monitoring

           Using ASDM for VPN Configuration

                     Using ASDM to Create a Site-to-Site VPN

   &nbs