Overview
This course focuses on providing the skills to achieve the highest level of technical knowledge and expertise across a broad range of security and internetworking-related technologies. It will also solidify your existing knowledge, fill any knowledge gaps that exist, and put your skills to the test in a hands-on environment designed explicitly for candidates of the CCIE Security Lab Exam.
Pre-Requisites
A CCSP level of knowledge is recommended.
Content
Day 1 - Cisco ASA
- Theory and basic configuration
- Routing protocols on ASA
- ASA management
- Network address translation
- Basic Modular Policy Framework (MPF)
- Advanced protocol inspection (FTP, HTTP, ICMP, SMTP, IM, DNS)
- ASA virtualization
- Failover (A/S, A/A)
- Interface redundancy
- Transparent firewall
- Quality of service (LLQ, Policing, Shaping)
- SLA
- IP Services on ASA
- URL filtering and ActiveX blocking
- ASA troubleshooting
Day 2
1) Site to Site VPN
- Site to Site VPN (IOS, ASA)
- IOS Certificate Authority
- Site to Site VPN using PKI
- VPN hairpinning
- Easy VPN (IOS, ASA)
- VPN using ISAKMP Profiles
- GRE over IPSec
- DMVPN Phase 1
- DMVPN Phase 2 (with EIGRP, OSPF)
- DMVPN Phase 3 (with EIGRP, OSPF)
- DMVPN Phase 2 Dual Hub (Single and Dual Cloud)
- GET VPN (PSK and PKI)
- GET VPN COOP
2) Remote Access VPN
- Easy VPN (IOS and ASA)
- Cisco VPN Client (PSK and PKI)
- IOS SSL VPN
- Clientless SSL VPN
- AnyConnect SSL VPN
- Cisco Secure Desktop
- L2TP
3) Advanced VPN Features
- High-Availability VPNs and VTI
- Reverse Route Injection (RRI)
- VPN Load Balancing
- Intra-Interface VPN Traffic
- NAT Transparency
- Split Tunneling
- QoS for VPNs
Day 3
1) IPS
- Sensor initialization and basic setup
- Promiscuous mode
- Inline mode
- Inline VLAN Pair mode
- VLAN Groups (Inline & Promisc)
- Traffic flow notification
- Signature tuning
- Building custom HTTP signature
- Building custom String signature
- Building custom ATOMIC IP signature
- Using META signatures
- IPS blocking
- IP Logging
- Application policy enforcement
- Configuring Rules
- Configuring Anomaly Detection
- Configuring Virtual Sensors
2) Identity Based Network Services
- Configure Cisco Secure ACS
- Configure RADIUS and TACACS+ security protocols (AAA)
- ASA Cut-thru Proxy
- Router Cut-thru Proxy
- Configure certificate-based authentication
- 802.1X Authentication
- Authentication without 802.1X
- Guest and Restricted VLANs
- MAC authentication bypass
- Web Authentication Proxy
- 802.1X Dynamic VLAN Assignments
Day 4
1) Securing the Control Plane
- Control Plane Policing (CoPP)
- CPPr and Port Filtering
- CPPr and Queue Thresholding
- Routing Protocol Protection
- CPU and Memory Threshold Notification
- Protect against fragmentation attacks
- Protect against malicious IP option usage
- Protect against network reconnaissance attacks
2) Securing the Management Plane
- Securing management services
- Role-Based Access Control
- Cisco IOS Management Plane Protection (MPP)
- SNMPv3
- NTP
- SYSLOG
3) Securing the Data Plane
- Traffic Filtering using Access-Lists
- Dynamic access lists
- Reflexive access lists
- Time-based access lists
- Packet filtering using MQC
- Implementing security RFCs (RFC1918/3330, RFC2827/3704)
- Black Hole and Sink Hole solutions
- RTBH filtering (Remote Triggered Black Hole)
- TCP Intercept
- Protect against Smurf attacks
- CAR
- NBAR
- NetFlow
- uRPF
- Cisco IOS Flexible Packet Matching (FPM)
- NAT and PAT
- IOS Classic Firewall (CBAC)
- Zone-Based Policy Firewall (ZPF)
- IOS IPS
4) Advanced L2 Security
- VLAN Access Lists
- Private VLANs
- Mitigating DHCP Server Attacks
- Mitigating ARP Spoofing Using DAI
- Examining IP Source Guard
- Port Security
- Preventing L2 packet storms
- Protect against VLAN hopping attacks
Day 5
- 8+ hours mock lab with all technologies
Target Audience
- Candidates that need to acquire their CCIE Security certificate.
- Network engineers/designers that need to raise their knowledge to an expert-level.