Why Security??
Security in the Cisco
Academy
Gratitude Kudyachete
EA-CATC
AFRALTI
April 2009
African Safari 2009
Agenda
Why Security?
Security in IT E I
Security in IT E II
Security in CCNA-Discovery
Security in CCNA-Exploration
Security in CCNP – ISCW
Network Security I & II
Major points – current curricula and security
CCNA-Security
Q&A
Africa Academy Safari 2009
Why Security??
If security is compromised, serious consequences result,
such as loss of privacy, theft of information and legal
liability
The types of potential threats to security are always
evolving
E-business and Internet applications continue to grow, so open networks cannot be avoided
Security has moved to the forefront of network
management and implementation – and this is
evident in the Academy Curricula
Security in IT E I
Mainly in chapters 9 & 16
Major issues:
Security Threats – physical, data, internal vs external
Security procedures/techniques
Preventive maintenance techniques
Troubleshooting security
Security in IT E – Security procedures
Wireless security: WEP, WPA, WPA2 (802.11i), LEAP, MAC filtering,
SSID broadcast, WTLS
Data security: password protection, data encryption, port
protection, backup, file system security
Physical security: access control, cable locks, security cages,
RFID tags, locked rooms
Security policy: identify assets and threats; define incident
handling, emergency procedures, allowed and prohibited behaviour,
the security framework, security techniques, ...
Note: WEP and LEAP appear because the curriculum covers them; both
are broken and must not be relied on, and disabling SSID broadcast
or filtering MAC addresses only deters casual users, since both the
SSID and client MAC addresses are visible to anyone sniffing the air.
Preventive maintenance on security
OS updates – modes: automatic, notify, download only, off (no
updates)
Antivirus & antispyware – update signature files
Account maintenance:
 - Terminate employee access
 - Guest access
 - Group accounts by job function
Data backup & access
Security components & techniques
The following techniques & components are discussed:
o Passwords – a minimum requirement
o Logging & auditing
o Encryption – encoding data for purposes such as …
   o Hashing
   o Symmetric encryption
   o Asymmetric encryption
o Virtual private networks
o Firewalls – hardware & software; could be:
   o Packet filter
   o Proxy firewall
   o Stateful packet inspection
o IDS
Security expense vs cost of loss helps establish the tradeoffs
IT E II - unsupported
Mainly in chapters 5, 8,9,10,14
Major issues
Remote Administration & Access Services
Firewalls
Directory & File permissions
Administrative accounts & login privileges
Security threats, Security implementation, patches &
upgrades
Security in CCNA Discovery
Module 1 – chapters 2, 7, 8
Module 2 – chapters 4, 8
Module 3 – chapters 1, 2, 3, 4, 5, 6, 7, 8
Module 4 – chapters 1, 5, 7, 8
Major issues are:
Basic security – policy, threats, attacks, techniques
Patching OS and applications
Wireless LAN Security
ISP Security
VPNs, NAT/PAT, ACLs
Switch security, VLANs
Routing update and PPP authentication
Security from a design perspective
Security in CCNA Exploration
Module 1 – chapter 1
Module 3 – chapters 2, 3, 7
Module 4 – chapters 2, 4, 5, 6, 7
Issues covered include:
Network security – threats, mitigation, policy
Security goals & measures
Switch security, router security
Wireless LAN security
PPP authentication
ACLs, VPNs, SDM, NAT/PAT
Proving security
Security measures taken in a network
should:
• Prevent unauthorized disclosure or theft of
information
• Prevent unauthorized modification of
information
• Prevent Denial of Service
Means to achieve these goals include:
• Ensuring confidentiality
• Maintaining communication integrity
• Ensuring availability
Primary classes of attacks
Reconnaissance attacks – Internet information queries, ping
sweeps, port scans, packet sniffers
Access attacks – password attacks, trust exploitation, port
redirection, man-in-the-middle attacks
DoS – ping of death, SYN flood, DDoS, ...
Malicious software – virus, worm, Trojan horse; a worm outbreak
is handled in four phases: containment, inoculation, quarantine
and treatment
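The reconnaissance class on this slide (ping sweeps and port scans) is the one most easily caught from firewall or flow logs, because the attacker's footprint is "one source, many distinct targets in a short time". The Python below is an added example, not part of the original slides and not Cisco curriculum code: it parses constructed log lines in an assumed `timestamp src dst proto dport` format and flags any source that reaches many distinct hosts with ICMP (sweep) or many distinct ports on one host (scan) inside a sliding time window. The log format, the addresses and the thresholds (8 hosts, 10 ports, 60 seconds) are all assumptions for the example.

```python
"""Ping-sweep and port-scan detection over constructed firewall-style log lines.
Added example; the log format, addresses and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample traffic, not a real capture."""
    base = datetime(2009, 4, 1, 10, 0, 0)
    lines = []
    # 10.0.0.5 sends ICMP echo to ten consecutive hosts in ten seconds: a ping sweep.
    for i in range(10):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 192.168.1.{i + 1} icmp -")
    # 10.0.0.7 probes twelve TCP ports on one host within six seconds: a port scan.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        ts = base + timedelta(seconds=30 + i // 2)
        lines.append(f"{ts.isoformat()} 10.0.0.7 192.168.1.20 tcp {port}")
    # 10.0.0.9 is an ordinary client: repeated web requests to two servers.
    for i in range(6):
        ts = base + timedelta(seconds=60 + i * 7)
        lines.append(f"{ts.isoformat()} 10.0.0.9 192.168.1.30 tcp 80")
        lines.append(f"{ts.isoformat()} 10.0.0.9 192.168.1.31 tcp 443")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse '<ISO timestamp> <src> <dst> <proto> <dport|->' lines into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "proto": proto, "dport": None if dport == "-" else int(dport)})
    events.sort(key=lambda e: e["ts"])
    return events


def _max_distinct_in_window(items, window, key):
    """items: time-sorted (ts, value) pairs.  Return the largest number of distinct
    key(value)s that occur within any span no longer than `window`."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, len({key(v) for _, v in items[start:end + 1]}))
    return best


def detect_ping_sweeps(events, min_hosts=8, window=timedelta(seconds=60)):
    """Sources that sent ICMP to at least `min_hosts` distinct destinations in one window."""
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "icmp":
            per_src[e["src"]].append((e["ts"], e["dst"]))
    return {src: n for src, items in per_src.items()
            if (n := _max_distinct_in_window(items, window, key=lambda dst: dst)) >= min_hosts}


def detect_port_scans(events, min_ports=10, window=timedelta(seconds=60)):
    """(src, dst) pairs where src touched at least `min_ports` distinct ports in one window."""
    per_pair = defaultdict(list)
    for e in events:
        if e["proto"] in ("tcp", "udp") and e["dport"] is not None:
            per_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    return {pair: n for pair, items in per_pair.items()
            if (n := _max_distinct_in_window(items, window, key=lambda p: p)) >= min_ports}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("ping sweeps:", detect_ping_sweeps(evs))   # {'10.0.0.5': 10}
    print("port scans :", detect_port_scans(evs))    # {('10.0.0.7', '192.168.1.20'): 12}
```

The sliding window matters: a scanner that spreads its probes over hours drops below these thresholds, which is why slow scans are usually caught by raising the window or correlating across days rather than by lowering the counts (which would flag the ordinary client above).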
Securing Cisco Routers
Routers provide the gateways to other networks, so they are
obvious targets and are subject to a variety of attacks; securing
the router itself (its administrative access, services and
configuration) comes before securing the traffic that passes through it.
Secure Routing protocols
Major attacks: disrupt peering, falsify routing information
Mitigations: passive interfaces (send no updates out of interfaces
that have no neighbours), authentication of updates
R1(config)# router rip
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface Serial0/0/0
R1(config-router)# exit
R1(config)# key chain RIP_KEY
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string cisco
R1(config-keychain-key)# exit
R1(config-keychain)# exit
R1(config)# interface Serial0/0/0
R1(config-if)# ip rip authentication mode md5
R1(config-if)# ip rip authentication key-chain RIP_KEY
"cisco" is a placeholder key string: use a long random key, and
make sure the key ID and key string match on every RIP neighbour
on the link, otherwise the adjacency breaks. The `mode text`
alternative sends the key string in clear in every update, so only
md5 keeps the key off the wire.
Also EIGRP & OSPF authentication (EIGRP uses a key chain in the
same way; OSPF takes the key on the interface)
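What the `ip rip authentication mode md5` configuration above buys, and why the hashing item on the IT Essentials components slide matters for routing, is that each update carries a digest computed over the update plus the shared key: a peer that does not know the key can neither forge an update nor alter one in flight without the receiver noticing. The Python below is an added illustration, not from the slides or from Cisco. Its update encoding (`keyid=1|prefix=metric;...`) is a made-up text format rather than the RIPv2 wire format, the key chain mirrors the `RIP_KEY` / `key 1` / `key-string cisco` configuration, and `keyed_md5` is a simplified model of the RFC 2082 keyed-MD5 trailer (MD5 over the update with the key, padded to 16 bytes, appended), not a byte-exact implementation.

```python
"""Keyed-hash authentication of routing updates, simplified model of RFC 2082.
Added example; the update format and key chain are assumptions for illustration."""
import hashlib
import hmac

# Hypothetical key chain mirroring `key chain RIP_KEY` / `key 1` / `key-string cisco`.
# "cisco" is a placeholder; a real router needs a long random secret.
KEY_CHAIN = {1: b"cisco"}


def encode_update(key_id, routes):
    """Serialize a routing update.  Made-up text encoding for this example, NOT the
    RIPv2 wire format, e.g. b'keyid=1|10.1.0.0/16=1;10.2.0.0/16=3'."""
    body = ";".join(f"{prefix}={metric}" for prefix, metric in routes)
    return f"keyid={key_id}|{body}".encode()


def keyed_md5(update, key):
    """Simplified RFC 2082 construction: MD5 over the update with the shared key
    (padded or truncated to 16 bytes) appended.  The key itself never goes on the wire."""
    padded = key[:16].ljust(16, b"\x00")
    return hashlib.md5(update + padded).digest()


def sign_update(key_id, routes, key_chain=KEY_CHAIN):
    """Sender side: return the update bytes and the trailer digest."""
    update = encode_update(key_id, routes)
    return update, keyed_md5(update, key_chain[key_id])


def verify_update(update, digest, key_chain=KEY_CHAIN):
    """Receiver side: look the key ID up in the local key chain, recompute the digest
    and compare in constant time.  An unknown key ID is rejected outright."""
    header = update.split(b"|", 1)[0]            # b"keyid=1"
    key_id = int(header.split(b"=", 1)[1])
    key = key_chain.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(keyed_md5(update, key), digest)


def hmac_sha256(update, key):
    """The construction to prefer where the platform offers HMAC-SHA authentication:
    a proper MAC rather than a hash with the key appended."""
    return hmac.new(key, update, hashlib.sha256).digest()


def demo():
    """Four cases: genuine update, tampered metric, rogue peer with a guessed key,
    and an update referencing a key ID the receiver does not have."""
    update, digest = sign_update(1, [("10.1.0.0/16", 1), ("10.2.0.0/16", 3)])
    genuine = verify_update(update, digest)
    tampered = verify_update(update.replace(b"10.2.0.0/16=3", b"10.2.0.0/16=1"), digest)
    rogue_update, rogue_digest = sign_update(1, [("0.0.0.0/0", 1)], key_chain={1: b"guess"})
    rogue = verify_update(rogue_update, rogue_digest)
    unknown = verify_update(encode_update(2, [("10.3.0.0/16", 1)]), digest)
    return genuine, tampered, rogue, unknown


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The "rogue" case is the falsify-information attack from the slide: a host on the segment injecting a default route. It fails here only because the attacker lacks the key, which is why the key string must be treated as a secret and why the clear-text authentication mode, which puts that string into every update, gives no real protection against anyone running a packet sniffer on the link.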
Security Device Manager – SDM
An easy-to-use, web-based device-management tool designed for
configuring LAN, WAN, and security features on Cisco IOS
software-based routers.
Firewall, VPN, IPS/IDS,NAT, router lockdown
VPNs
VPNs enable the transport of private-network traffic over a public
network; encapsulation (tunneling) and encryption are typically
used together. Tunneling alone (e.g. GRE) gives no confidentiality;
IPsec supplies the encryption and integrity protection.
NAT/PAT
Adds a degree of privacy and security by hiding internal IP
addresses from outside networks. It is not an access-control
mechanism on its own: unsolicited inbound traffic still has to be
stopped by ACLs or a firewall.
ip nat inside source ..   (translation rule, global configuration)
ip nat inside             (on the inside interface)
ip nat outside            (on the outside interface)
Wireless Security protocols
WPA uses TKIP (an interim fix that still runs on WEP's RC4 hardware); WPA2 is the full 802.11i implementation and uses AES (CCMP). Use WPA2 with AES wherever the equipment supports it.
Security in CCNP ISCW
IPSec VPNs
MPLS VPN Technology
Cisco Device Hardening
Cisco IOS threat defense features
Network Security I - unsupported
Vulnerabilities, Threats and Attacks
Security Planning and Policy
Security Devices
Trust and Identity Technology
Cisco Secure Access Control Server
Configure Trust and Identity at Layer 2 and 3
Configuring Filtering on a Router
Configuring Filtering on a PIX Security Appliance
Configuring Filtering on a Switch
Network Security II - unsupported
Intrusion Detection and Prevention Technology and
Implementation
Encryption and VPN Technology
Site-to-site VPNs with pre-shared keys
Site-to-site VPNs with digital certificates
Remote Access VPN
Security Network Architecture and Management
PIX Contexts, Failovers and Management
Major points about Security & current
curricula
It is evident that a lot of security concepts are covered
Most of the treatment is introductory
In Network Security I & II (unsupported) there is great depth and
breadth of coverage
CCNP (ISCW) – less breadth than NS 1 & 2, but still depth on
specific issues
There is a need for a curriculum that builds on what IT Essentials
and CCNA give
CCNA Security Overview
Outline
CCNA Security Overview
Target Audience
Course Details
Equipment Requirements
Enrollment, Training and Support
Release Dates and Availability
Q&A
CCNA Security Overview
A new course that provides students with in-depth network security
education and develops a comprehensive understanding of network
security concepts
Provides students with the knowledge and skills to design and support
network security
Provides an experience-oriented course to prepare for entry-level
specialist jobs in network security
Prepares students for the CCNA Security certification (IINS 640-553
exam)
The CCNA Security course IS NOT a replacement for the current
Network Security 1 and Network Security 2 (NS1 and NS2)
courses
Cisco Networking Academy
Curricula Portfolio
(Portfolio diagram, ordered by student networking knowledge and skills;
Packet Tracer supports all of the courses)
IT Essentials: PC Hardware and Software (IT Technician)
CCNA Discovery:
 - Networking for Home and Small Businesses
 - Working at a Small-to-Medium Business or ISP
 - Introducing Routing and Switching in the Enterprise
 - Designing and Supporting Computer Networks
CCNA Exploration:
 - Network Fundamentals
 - Routing Protocols and Concepts
 - LAN Switching and Wireless
 - Accessing the WAN
CCNA Security
CCNP (Network Professional):
 - Building Scalable Internetworks
 - Implementing Secured Converged Wide-Area Networks
 - Building Multilayer Switched Networks
 - Optimizing Converged Networks
CCNP Security
Security Certifications
Associate-level:
 - CCNA Security Course -> IINS (640-553) exam -> CCNA Security Certification
 - CCNA certification is a pre-requisite for CCNA Security certification
Professional-level:
 - Cisco Certified Security Professional (CCSP) Certification:
   Network Security 1 & 2 (NS1/NS2) courses; exams SND, SNRS, SNPA, IPS
   and an elective exam
 - Revised CCSP Certification:
   exams IINS (640-553), SNRS, SNAF, IPS and an elective exam
CCNA Security Target Audience
Career starters seeking career-oriented, entry-level
Security specialist skills
Working professionals looking to enhance or change
their careers
Students in degree programs at colleges or universities
Higher Education institutions and Universities
Course Details
One semester long (~70-hr) course format
Enabled for both ILT and Blended Distance Learning (BDL)
Delivered in the same Graphical User Interface (GUI) as the CCNA
Discovery and CCNA Exploration curricula
9 Chapters
One complex hands-on lab per chapter and Packet Tracer activities
Provided as separate .zip files downloaded from AC; not packaged within the GUI
9 end of chapter exams
1 final exam
Available in English only, no translated versions are planned
Equipment Requirements
Goal is to minimize equipment costs
Uses CCNA Discovery/Exploration equipment bundle and topology
NetLab compatible topology—enabled for remote operation
Additional investment required for memory upgrade and Advanced IOS images
Description                                              Mfr.   Part Number                              Qty.
Modular Router w/2xFE, 2 WAN slots, 32 FL/128 DR         Cisco  CISCO1841                                3
128 to 192MB SODIMM DRAM factory upgrade for the 1841    Cisco  MEM1841-64D                              2
64MB Cisco 1800 Compact Flash Memory                     Cisco  MEM1800-64CF                             2
2-Port Async/Sync Serial WAN Interface Card              Cisco  WIC-2A/S or WIC-2T                       3
V.35 Cable, DTE Male to Smart Serial, 10 Feet            Cisco  CAB-SS-V35MT                             2
V.35 Cable, DCE Female to Smart Serial, 10 Feet          Cisco  CAB-SS-V35FC                             2
Catalyst 2960 24 10/100 + 2 1000BT LAN Base Image        Cisco  WS-C2960-24TT-L                          3
(Optional) Rackmount Kit for the 1841                    Cisco  ACS-1841-RM-19                           3
Cisco IOS Release 12.4(20)T1 Advanced IP Services        Cisco  c1841-advipservicesk9mz.124-20.T1.bin    2
CCNA Security Course Outline
Course Chapter Titles
Ch. 1  Modern Network Security Threats
       Goal: Explain network threats, mitigation techniques, and the basics of securing a network.
Ch. 2  Securing Network Devices
       Goal: Secure administrative access on Cisco routers; roles, IOS, syslog, SNMP, lockdown.
Ch. 3  Authentication, Authorization and Accounting
       Goal: Secure administrative access with AAA.
Ch. 4  Implementing Firewall Technologies
       Goal: Implement firewall technologies to secure the network perimeter; ACLs, CBAC, zone-based policy firewall.
Ch. 5  Implementing Intrusion Prevention
       Goal: Configure IPS to mitigate attacks on the network.
Ch. 6  Securing the Local Area Network
       Goal: Describe LAN security considerations and implement endpoint and Layer 2 security features; CSA, wireless, VoIP.
Ch. 7  Cryptographic Systems
       Goal: Describe methods for implementing data confidentiality and integrity; encryption, hashing, PKI, certificates.
Ch. 8  Implementing Virtual Private Networks
       Goal: Implement secure virtual private networks; GRE, IPsec.
Ch. 9  Managing a Secure Network
       Goal: Given the security needs of an enterprise, create and implement a comprehensive security policy;
       standards, guidelines & procedures, security design, risk analysis and management, BCP, SDLC.
Enrollment, Training & Support
Student Enrollment Pre-requisite: CCNA-level knowledge required
Instructor Training Guidelines
CCNA-level knowledge required
Required for new CCNA Security instructors; Fast track possible with evidence of CCNA Security or
higher certification or industry experience
Recommended for existing NS1, NS2 and CCNP: ISCW instructors
Existing NS1, NS2 and CCNP: ISCW instructors allowed to teach CCNA Security course
Instructor Training
BDL format with 3-day in-person preferred; Can also be delivered 100% remote
BDL Best Practices guide developed to provide guidelines on how to deliver course in a BDL
environment
Training Support Model – similar to CCNP model; Cisco Networking Academy Global
Support Desk will provide day-to-day technical support
CCNA Security
Release Dates and Availability (2009)
Early January 2009: Draft Scope and Sequence
Mar 2009: Virtual SMT for Beta Release
Mid-April 2009: Beta release of the student course, for instructor
training and preview purposes
End of Jun 2009: Virtual SMT for GA Release
End of July 2009: General Availability (GA) release, student and
instructor materials:
• Released at the same time as Packet Tracer v5.2 GA
• Use for teaching student classes
Communications
Announcements sent via email to all instructors:
New CCNA Security Course announced – Sep 2008
Current NS1 and NS2 courses move to unsupported – Sep 2008
CCNA Security course availability announced – Oct 2008
Preliminary CCNA Security Scope & Sequence available – Jan 2009
FAQs
Q and A