In this task-oriented self-study
course, you'll gain the knowledge and skills needed to
secure Cisco IOS router networks, expand the reach of your
enterprise network to teleworkers and remote sites, and explore
implementing a highly available network with connectivity options
such as VPN and wireless.
This package includes access to Self Test
Software's exam prep products and one FREE exam voucher.
This Self-Paced e-Learning course will prepare you for the
642-825 ISCW exam.
Course Outline
Module 1. Network Requirements
- The IIN and the SONA framework
- Cisco conceptual network models, such as Cisco Enterprise
Architecture and Cisco hierarchical network model
- Requirements for establishing secure remote connections in a
converged network
Module 2. Connect Teleworkers
Module 3. Implement Frame-Mode MPLS
Module 4. IPsec VPNs
Module 5. Cisco Device Hardening
Module 6. Cisco IOS Threat Defense Features
Labs
Lab 1: Remote Lab Environment
- Logging In
- The System Interfaces
- Understanding the Topology
- The PC Systems
- The Network Devices
Lab 2: Configuring DSL (Simulation)
This lab uses a flash-based simulation that will provide
experience in the configuration of DSL at a teleworker premises.
Tasks include the configuration of a dialer interface, an ATM
interface, PPPoE with CHAP authentication, DHCP services, and Port
Address Translation.
Lab 3: Securing Administrative Access
In this lab, you will configure the most basic
security levels for administrative access to the IOS-FW. You will
configure the passwords required to reach the command line and
privileged mode access. You will see how the passwords are stored
and transformed by default and how to encrypt the passwords that
default to clear text storage. Experiment with a password-cracking
tool to test the security of the encryption and transformation
methods. You will enable AAA and investigate the ramifications of
enabling AAA. Once AAA is enabled, you'll be able to work with
Enhanced Virtual Login, which is used to mitigate online password
attacks, and Role-Based CLI, which allows specific command sets to
be defined and made available to specific users.
Lab 4: Authentication, Authorization, and Accounting (AAA)
This lab begins with access to the IOS-FW command
line protected with local AAA, and it will demonstrate the power of
using an AAA server while maintaining local AAA as a fallback.
You'll examine items such as users, groups, and command
authorization sets on a pre-configured AAA server, Cisco Secure
Access Control Server (ACS). Configuration of ACS is beyond the
scope of this class and this lab. You will use the TACACS+ protocol
between the IOS-FW and the ACS server. You will begin with the
configuration of AAA authentication, and you may be surprised with
the results. You will then configure AAA authorization for access
to the exec process (the CLI of the IOS-FW), followed by AAA
command authorization. You will then complete the third "A" of AAA by
configuring AAA accounting for both the exec process and privileged
mode and configuration mode commands. The final section of the lab
will demonstrate that if the AAA server is unavailable, the
fallback method of using the local database is still available.
Lab 5: IOS Device Security
In this lab, you will secure the IOS-FW itself.
You will configure SSH as a remote access protocol and disable
Telnet access to the IOS-FW. You will use the Security Audit
feature of SDM to disable many insecure services, while enabling
security-oriented services. You will configure NTP with
authentication and Syslog services to allow better management of
the IOS-FW. You will finish by applying access-classes to both the
VTY lines and the HTTP server, restricting access to trusted IP
addresses.
Lab 6: Exclusive - Perimeter Router ACLs
You will configure and test an ACL on the Perimeter Router in
this lab. The Perimeter Router is used as a packet filtering
firewall. In a later lab, the IOS-FW will be configured as a
stateful firewall. This lab starts with the configuration of the
Syslog service on the Perimeter Router, allowing it to send Syslog
messages to the Sec-Server. It then moves on to the configuration
of an ACL that permits only expected valid traffic from the
Internet. After defining this ACL you will apply it to the outside
interface of the Perimeter Router. You will then test the results.
You will see that security is certainly enhanced by this packet
filtering, though some vulnerabilities still remain. These
vulnerabilities will be mitigated by the IOS-FW when stateful
firewalling is configured.
Lab 7: Stateful Firewall
In this lab, you will configure the IOS-FW to be
a true, stateful firewall. You will use the SDM interface to
configure the ACLs and Inspection Rules for the stateful firewall.
After configuring the stateful firewall you will confirm that the
expected connectivity is allowed. You will also demonstrate that
the vulnerabilities associated with simple packet filtering have
been mitigated and defense against SYN flood attacks is also
provided.
Lab 8: IOS IPS
In this lab, you will explore the use of the IOS
Intrusion Prevention System (IPS) feature. You will enable IOS IPS
with the IPS Rule Wizard in SDM. You will then generate some
suspicious traffic to test IOS IPS. You will also see that IOS IPS
is not easy to trick by attempting the IDS evasion technique known
as deobfuscation. After witnessing the standard IPS operation, you
will take a closer look at how some of the signatures are defined.
You will finish by configuring some signatures to react by blocking
the offending packets and demonstrate the reaction by generating
offending traffic.
Lab 9: Site to Site VPN
The goal of this lab is to configure a
site-to-site IPsec tunnel between your main network and the Site1
network. This will require some configuration modifications on the
Perimeter Router and L3-Switch. You will perform those
modifications from the CLI. You will then use SDM on the IOS-FW to
prepare that router for IPsec, and then use the Site-to-Site VPN
wizard to configure the tunnel. You will then configure the
Site1-Rtr from the CLI. To verify the tunnel functionality, you
will open an FTP session from the Admin PC to the Site1-PC.
Lab 10: GRE over IPsec with a Backup Tunnel
The most obvious thing about this lab as you get
started is that it uses an alternate topology compared to previous
labs. You now have two routers. Each has two connections to the
simulated Internet. There is a GRE-over-IPsec tunnel already
configured between one set of interfaces on these two routers. Your
job during this lab will be to configure a second GRE-over-IPsec
tunnel using the other interface pair. You will verify that both
tunnels are functioning properly. The EIGRP routing protocol is
configured to select the optimal route between the sites. You will
modify the bandwidth parameters on the new tunnel to make the
original tunnel the preferred route. You will then confirm that
traffic uses the original tunnel. Then you will break the original
tunnel and show that traffic will now flow over the second
tunnel.
Lab 11: Remote Access VPN
In this lab you will use the Easy VPN Server Wizard in SDM to
configure the IOS-FW to accept connections from VPN clients. You
will also install and configure the Cisco VPN Client software on
the Outside PC. After configuration, you will use the VPN Client on
the Outside PC to provide secure access to resources on the
internal networks.
Lab 12: Frame Mode MPLS
This lab uses a unique topology to facilitate an
MPLS network. You have four full-fledged IOS routers at your
disposal (IOS-FW, Perimeter Router, Site1-Rtr and Site2-Rtr). The
four routers all have MPLS capabilities. You will configure the
Site1-Rtr and Site2-Rtr as P (Provider) routers. The IOS-FW and the
Perimeter Router will be configured as PE (Provider Edge) routers.
Connectivity will be provided from the main site (where the Admin
PC is located) to the remote site (where the Site1 PC is located)
via the MPLS network. You will see that the MPLS topology is
transparent to the PCs, which only use standard IP.
Lab 13: Troubleshooting (Optional)
The Scenario: When you left work yesterday, everything was
functioning normally. When you got in this morning you heard that
the night support engineer was "playing around" with some of the
configurations. Unfortunately you don't have AAA configured with
command authorization and command accounting, so you don't have a
record of exactly what was done. Some trouble tickets are coming
in, and it's up to you to determine the root causes and fix the
issues. The lab is broken into four sections. The first section
just describes the trouble tickets reported. Given the trouble
tickets' descriptions, you are to correct the problems with the
network. Should you need assistance, there are two additional
sections, Little Hints and Big Hints, that provide additional
details about the cause of the problems. The fourth and final
section provides the solutions to the trouble tickets.