Introduction  xxi

Part I: Networking Security Fundamentals

Chapter 1 Networking Security Concepts  1
    Basic Security Concepts  2
    Security Terminology  2
    Confidentiality, Integrity, and Availability (CIA)  2
    Data Classification Criteria  2
    Data Classification Levels  3
    Classification Roles  3
    Threat Classification  3
    Trends in Information Security Threats  4
    Preventive, Detective, and Corrective Controls  4
    Risk Avoidance, Transfer, and Retention  4
    Drivers for Network Security  5
    Evolution of Threats  5
    Data Loss and Exfiltration  5
    Tracking Threats  6
    Malware  6
    Anatomy of a Worm  7
    Mitigating Malware and Worms  7
    Threats in Borderless Networks  8
    Hacker Titles  8
    Thinking Like a Hacker  9
    Reconnaissance Attacks  9
    Access Attacks  10
    Password Cracking  11
    Denial-of-Service Attacks  11
    Distributed Denial-of-Service Attacks  12
    Tools Used by Attackers  13
    Principles of Secure Network Design  13
    Defense in Depth  14

Chapter 2 Implementing Security Policies  15
    Managing Risk  15
    Quantitative Risk Analysis Formula  16
    Quantitative Risk Analysis Example  17
    Regulatory Compliance  17
    Security Policy  19
    Standards, Guidelines, and Procedures  20
    Security Policy Audience Responsibilities  21
    Security Awareness  21
    Secure Network Lifecycle Management  22
    Models and Frameworks  23
    Assessing and Monitoring the Network Security Posture  23
    Testing the Security Architecture  24
    Incident Response  24
    Incident Response Phases  24
    Computer Crime Investigation  25
    Collection of Evidence and Forensics  25
    Law Enforcement and Liability  25
    Ethics  25
    Disaster-Recovery and Business-Continuity Planning  26

Chapter 3 Building a Security Strategy  27
    Cisco Borderless Network Architecture  27
    Borderless Security Products  28
    Cisco SecureX Architecture and Context-Aware Security  28
    Cisco TrustSec  30
    TrustSec Confidentiality  30
    Cisco AnyConnect  31
    Cisco Talos  31
    Threat Control and Containment  31
    Cloud Security and Data-Loss Prevention  32
    Secure Connectivity Through VPNs  32
    Security Management  33

Part II: Protecting the Network Infrastructure

Chapter 4 Network Foundation Protection  35
    Threats Against the Network Infrastructure  35
    Cisco Network Foundation Protection Framework  36
    Control Plane Security  37
    Control Plane Policing  37
    Management Plane Security  38
    Role-Based Access Control  39
    Secure Management and Reporting  39
    Data Plane Security  39
    ACLs  40
    Antispoofing  40
    Layer 2 Data Plane Protection  40

Chapter 5 Securing the Management Plane  41
    Planning a Secure Management and Reporting Strategy  42
    Securing the Management Plane  42
    Securing Passwords  43
    Securing the Console Line and Disabling the Auxiliary Line  43
    Securing VTY Access with SSH  44
    Securing VTY Access with SSH Example  45
    Securing Configuration and IOS Files  46
    Restoring Bootset Files  47
    Implementing Role-Based Access Control on Cisco Routers  47
    Configuring Privilege Levels  47
    Configuring Privilege Levels Example  47
    Configuring RBAC  48
    Configuring RBAC via the CLI Example  49
    Configuring Superviews  49
    Configuring a Superview Example  50
    Network Monitoring  51
    Configuring a Network Time Protocol Master Clock  51
    Configuring an NTP Client  52
    Configuring an NTP Master and Client Example  52
    Configuring Syslog  53
    Configuring Syslog Example  54
    Configuring SNMPv3  54
    Configuring SNMPv3 Example  55

Chapter 6 Securing Management Access with AAA  57
    Authenticating Administrative Access  57
    Local Authentication  57
    Server-Based Authentication  58
    Authentication, Authorization, and Accounting Framework  58
    Local AAA Authentication  58
    Configuring Local AAA Authentication Example  60
    Server-Based AAA Authentication  61
    TACACS+ Versus RADIUS  61
    Configuring Server-Based AAA Authentication  62
    Configuring Server-Based AAA Authentication Example  63
    AAA Authorization  64
    Configuring AAA Authorization Example  64
    AAA Accounting  65
    Configuring AAA Accounting Example  65
    802.1X Port-Based Authentication  65
    Configuring 802.1X Port-Based Authentication  66
    Configuring 802.1X Port-Based Authentication Example  68

Chapter 7 Securing the Data Plane on Catalyst Switches  69
    Common Threats to the Switching Infrastructure  70
    Layer 2 Attacks  70
    Layer 2 Security Guidelines  71
    MAC Address Attacks  72
    Configuring Port Security  72
    Fine-Tuning Port Security  73
    Configuring Optional Port Security Settings  74
    Configuring Port Security Example  75
    VLAN Hopping Attacks  76
    Mitigating VLAN Attacks  76
    Mitigating VLAN Attacks Example  77
    DHCP Attacks  78
    Mitigating DHCP Attacks  78
    Mitigating DHCP Attacks Example  80
    ARP Attacks  80
    Mitigating ARP Attacks  80
    Mitigating ARP Attacks Example  82
    Address Spoofing Attacks  83
    Mitigating Address Spoofing Attacks  83
    Mitigating Address Spoofing Attacks Example  83
    Spanning Tree Protocol Attacks  84
    STP Stability Mechanisms  84
    Configuring STP Stability Mechanisms  85
    Configuring STP Stability Mechanisms Example  86
    LAN Storm Attacks  87
    Configuring Storm Control  88
    Configuring Storm Control Example  88
    Advanced Layer 2 Security Features  88
    ACLs and Private VLANs  89
    Secure the Switch Management Plane  89

Chapter 8 Securing the Data Plane in IPv6 Environments  91
    Overview of IPv6  91
    Comparison Between IPv4 and IPv6  91
    The IPv6 Header  92
    ICMPv6  93
    Stateless Autoconfiguration  94
    IPv4-to-IPv6 Transition Solutions  94
    IPv6 Routing Solutions  94
    IPv6 Threats  95
    IPv6 Vulnerabilities  96
    IPv6 Security Strategy  96
    Configuring Ingress Filtering  96
    Secure Transition Mechanisms  97
    Future Security Enhancements  97

Part III: Threat Control and Containment

Chapter 9 Endpoint and Content Protection  99
    Protecting Endpoints  99
    Endpoint Security  99
    Data Loss Prevention  100
    Endpoint Posture Assessment  100
    Cisco Advanced Malware Protection (AMP)  101
    Cisco AMP Elements  101
    Cisco AMP for Endpoint  102
    Cisco AMP for Endpoint Products  102
    Content Security  103
    Email Threats  103
    Cisco Email Security Appliance (ESA)  103
    Cisco Email Security Virtual Appliance (ESAV)  104
    Cisco Web Security Appliance (WSA)  104
    Cisco Web Security Virtual Appliance (WSAV)  105
    Cisco Cloud Web Security (CWS)  105

Chapter 10 Configuring ACLs for Threat Mitigation  107
    Access Control List  108
    Mitigating Threats Using ACLs  108
    ACL Design Guidelines  108
    ACL Operation  108
    Configuring ACLs  110
    ACL Configuration Guidelines  110
    Filtering with Numbered Extended ACLs  110
    Configuring a Numbered Extended ACL Example  111
    Filtering with Named Extended ACLs  111
    Configuring a Named Extended ACL Example  112
    Mitigating Attacks with ACLs  112
    Antispoofing ACLs Example  112
    Permitting Necessary Traffic through a Firewall Example  114
    Mitigating ICMP Abuse Example  115
    Enhancing ACL Protection with Object Groups  117
    Network Object Groups  117
    Service Object Groups  118
    Using Object Groups in Extended ACLs  119
    Configuring Object Groups in ACLs Example  119
    ACLs in IPv6  121
    Mitigating IPv6 Attacks Using ACLs  121
    IPv6 ACLs Implicit Entries  122
    Filtering with IPv6 ACLs  122
    Configuring an IPv6 ACL Example  123

Chapter 11 Configuring Zone-Based Firewalls  125
    Firewall Fundamentals  125
    Types of Firewalls  125
    Firewall Design  126
    Security Architectures  127
    Firewall Policies  127
    Firewall Rule Design Guidelines  128
    Cisco IOS Firewall Evolution  128
    Cisco IOS Zone-Based Policy Firewall  129
    Cisco Common Classification Policy Language  129
    ZPF Design Considerations  129
    Default Policies, Traffic Flows, and Zone Interaction  130
    Configuring an IOS ZPF  131
    Configuring an IOS ZPF Example  132

Chapter 12 Configuring Cisco IOS IPS  135
    IDS and IPS Fundamentals  135
    Types of IPS Sensors  136
    Types of Signatures  136
    Types of Alarms  136
    Intrusion Prevention Technologies  137
    IPS Attack Responses  137
    IPS Anti-Evasion Techniques  138
    Managing Signatures  140
    Cisco IOS IPS Signature Files  140
    Implementing Alarms in Signatures  140
    IOS IPS Severity Levels  141
    Event Monitoring and Management  141
    IPS Recommended Practices  142
    Configuring IOS IPS  142
    Creating an IOS IPS Rule and Specifying the IPS Signature File Location  143
    Tuning Signatures per Category  144
    Configuring IOS IPS Example  147

Part IV: Secure Connectivity

Chapter 13 VPNs and Cryptology  149
    Virtual Private Networks  149
    VPN Deployment Modes  150
    Cryptology = Cryptography + Cryptanalysis  151
    Historical Cryptographic Ciphers  151
    Modern Substitution Ciphers  152
    Encryption Algorithms  152
    Cryptanalysis  153
    Cryptographic Processes in VPNs  154
    Classes of Encryption Algorithms  155
    Symmetric Encryption Algorithms  155
    Asymmetric Encry.
CCNA Security