Security in the Cisco Academy
Gratitude Kudyachete, EA-CATC AFRALTI, April 2009
African Safari 2009

Slide 2: Agenda
• Why Security?
• Security in IT E I
• Security in IT E II
• Security in CCNA-Discovery
• Security in CCNA-Exploration
• Security in CCNP – ISCW
• Network Security I & II
• Major points - current curricula and security
• CCNA-Security
• Q&A

Slide 3: Why Security??
• If the security is compromised, serious consequences, such as loss of privacy, theft of information, legal liability… result
• Types of potential threats to security are always evolving
• E-business and Internet applications continue to grow; open networks cannot be avoided
• Security has moved to the forefront of network management and implementation – and this is evident in the Academy Curricula

Slide 4: Security in IT E I
Mainly in chapters 9 & 16 of IT Essentials. Major issues:
• Security Threats – physical, data, internal vs external
• Security procedures/techniques
• Preventive maintenance techniques
• Troubleshooting security

Slide 5: Security in IT E – Security procedures
• WEP, WPA, WPA2 (802.11i), LEAP, MAC filtering, SSID broadcast, WTLS
• Password protection, data encryption, port protection, backup, file system security
• Access control, cable locks, security cages, RFID tags, locked rooms
• Identify: assets, threats
• Define: incident handling, emergency, allowed & prohibited behaviour, security framework, security techniques, ..

Slide 6: Preventive maintenance on security
• OS updates – automatic, notify, only download, off (no updates)
• Antivirus & Antispyware – update signature files
• Account maintenance
  o Terminate employee access
  o Guest access
  o Group by job functions
• Data backup & access

Slide 7: Security components & techniques
The following techniques & components are discussed:
o Passwords - it is a minimum requirement
o Logging & auditing
o Encryption - encoding data, for purposes such as:
  o Hashing
  o Symmetric encryption
  o Asymmetric encryption
o Virtual private networks
o Firewalls – hardware & software, and could be:
  o Packet filter
  o Proxy firewall
  o Stateful packet inspection
o IDS
Security expense vs cost of loss helps establish tradeoffs.

Slide 8: IT E II - unsupported
Mainly in chapters 5, 8, 9, 10, 14 of IT Essentials. Major issues:
• Remote Administration & Access Services
• Firewalls
• Directory & File permissions
• Administrative accounts & login privileges
• Security threats, Security implementation, patches & upgrades

Slide 9: Security in CCNA Discovery
Module 1 - chapters 2, 7, 8; Module 2 – chapters 4, 8; Module 3 - chapters 1, 2, 3, 4, 5, 6, 7, 8; Module 4 - chapters 1, 5, 7, 8. Major issues are:
• Basic security – policy, threats, attacks, techniques
• Patching OS and applications
• Wireless LAN Security
• ISP Security
• VPNs, NAT/PAT, ACLs
• Switch security, VLANs
• Routing update and PPP authentication
• Security from a design perspective

Slide 10: Security in CCNA Exploration
Module 1 - chapter 1; Module 3 - chapters 2, 3, 7; Module 4 – chapters 2, 4, 5, 6, 7. Issues covered include:
• Network security - threats, mitigation, policy
• Security goals & measures
• Switch security, router security
• Wireless LAN Security
• PPP authentication
• ACLs, VPNs, SDM, NAT/PAT

Slide 11: Proving security
Security measures taken in a network should:
• Prevent unauthorized disclosure or theft of information
• Prevent unauthorized modification of information
• Prevent Denial of Service
Means to achieve these goals include:
• Ensuring confidentiality
• Maintaining communication integrity
• Ensuring availability

Slide 12: Primary classes of attacks
• Reconnaissance attacks – internet information queries, ping sweeps, port scans, packet sniffers
• Access Attacks – password, trust exploitation, port redirection, man in the middle attack
• DoS – Ping of Death, SYN flood, DDoS, …
• Malicious Software – Virus, Worm, Trojan horse – worms require containment, inoculation, quarantining & treatment

Slide 13: Securing Cisco Routers
Routers provide gateways to other networks; they are obvious targets and are subject to a variety of attacks.

Slide 14: Secure Routing protocols
Major attacks: disrupt peer, falsify information.
Can configure passive interfaces and authentication:

    ! Send RIP updates only on the WAN link; all other interfaces stay passive
    R1(config)# router rip
    R1(config-router)# passive-interface default
    R1(config-router)# no passive-interface se0/0/0
    R1(config-router)# exit
    ! Key chain holding the shared secret used for MD5 authentication
    R1(config)# key chain RIP_KEY
    R1(config-keychain)# key 1
    R1(config-keychain-key)# key-string cisco
    R1(config-keychain-key)# exit
    R1(config-keychain)# exit
    ! Apply MD5 authentication with that key chain on the WAN interface
    R1(config)# int se0/0/0
    R1(config-if)# ip rip authentication mode md5
    R1(config-if)# ip rip authentication key-chain RIP_KEY

Also EIGRP & OSPF authentication.

Slide 15: Security Device Manager – SDM
An easy-to-use, web-based device-management tool designed for configuring LAN, WAN, and security features on Cisco IOS software-based routers.
Firewall, VPN, IPS/IDS, NAT, router lockdown.

Slide 16: VPNs
VPNs enable transportation of information in a private network over a public network – encapsulation (tunneling) & encryption are typically used.

Slide 17: NAT/PAT
Adds a degree of privacy and security; hides internal IP addresses from outside networks.

    ip nat inside source ..
    ip nat inside
    ip nat outside

Slide 18: Wireless Security protocols
In 802.11i - WPA uses TKIP and WPA2 employs AES.

Slide 19: Security in CCNP ISCW
• IPSec VPNs
• MPLS VPN Technology
• Cisco Device Hardening
• Cisco IOS threat defense features

Slide 20: Network Security I - unsupported
• Vulnerabilities, Threats and Attacks
• Security Planning and Policy
• Security Devices
• Trust and Identity Technology
• Cisco Secure Access Control Server
• Configure Trust and Identity at Layer 2 and 3
• Configuring Filtering on a Router
• Configuring Filtering on a PIX Security Appliance
• Configuring Filtering on a Switch

Slide 21: Network Security II - unsupported
• Intrusion Detection and Prevention Technology and Implementation
• Encryption and VPN Technology
• Site-to-site VPNs with pre-shared keys
• Site-to-site VPNs with digital certificates
• Remote Access VPN
• Security Network Architecture and Management
• PIX Contexts, Failovers and Management

Slide 22: Major points about Security & current curricula
• It is evident that a lot of security concepts are covered
• Most of the treatment is introductory
• In Network Security I & II (unsupported) there is great depth & breadth of coverage
• CCNP (ISCW) – less breadth than NS 1 & 2 but still depth on specific issues
• There is need for curricula to build on what IT Essentials and CCNA give

Slide 23: CCNA Security Overview

Slide 24: Outline
• CCNA Security Overview
• Target Audience
• Course Details
• Equipment Requirements
• Enrollment, Training and Support
• Release Dates and Availability
• Q&A

Slide 25: CCNA Security Overview
• A new course that provides students with in-depth network security education and develops a comprehensive understanding of network security concepts
• Provides students with knowledge and skills to design and support Network Security
• Provides an experience-oriented course to prepare for entry-level specialist jobs in network security
• Prepares students for CCNA Security certification (IINS 640-553 exam).
• CCNA Security course IS NOT a replacement for the current Network Security 1 and Network Security 2 (NS1 and NS2) Courses

Slide 26: Cisco Networking Academy Curricula Portfolio
(Diagram; course titles recovered, arranged by curriculum, with the vertical axis "Student Networking Knowledge and Skills" and Packet Tracer shown across all levels.)
• IT Essentials: PC Hardware and Software; IT Technician
• CCNA Discovery: Networking for Home and Small Businesses; Working at a Small-to-Medium Business or ISP; Introducing Routing and Switching in the Enterprise; Designing and Supporting Computer Networks
• CCNA Exploration: Network Fundamentals; Routing Protocols and Concepts; LAN Switching and Wireless; Accessing the WAN
• CCNA Security
• CCNP: Building Scalable Internetworks; Implementing Secured Converged Wide-Area Networks; Building Multilayer Switched Networks; Optimizing Converged Networks
• Other labels on the diagram: Network Professional, CCNP Security

Slide 27: Security Certifications
(Diagram; labels recovered.)
• Associate-level: CCNA Security Certification – IINS (640-553) exam – prepared for by the CCNA Security Course; the Network Security 1 & 2 (NS1/NS2) Courses map to the SND exam
• Professional-level: Cisco Certified Security Professional (CCSP) Certification – SND, SNRS, SNPA, IPS, Elective Exam
• Professional-level: Revised CCSP Certification – SNRS, SNAF, IPS, Elective Exam
CCNA certification is a pre-requisite for CCNA Security certification.

Slide 28: CCNA Security Target Audience
• Career starters seeking career-oriented, entry-level Security specialist skills
• Working professionals looking to enhance or change their careers
• Students in degree programs at colleges or universities
• Higher Education institutions and Universities

Slide 29: Course Details
• One semester long (~70-hr) course format
• Enabled for both ILT and Blended Distance Learning (BDL)
• Delivered in the same Graphical User Interface (GUI) as the CCNA Discovery and CCNA Exploration curricula
• 9 Chapters
• One complex hands-on lab per chapter and Packet Tracer activities
  o Provided as separate .zip files downloaded from AC; not packaged within the GUI
• 9 end of chapter exams
• 1 final exam
• Available in English only, no translated versions are planned

Slide 30: Equipment Requirements
• Goal is to minimize equipment costs
• Uses CCNA Discovery/Exploration equipment bundle and topology
• NetLab compatible topology—enabled for remote operation
• Additional investment required for memory upgrade and Advanced IOS images

    Description                                                   | Mfr.  | Part Number                            | Qty.
    Modular Router w/2xFE, 2 WAN slots, 32 FL/128 DR              | Cisco | CISCO1841                              | 3
    128 to 192MB SODIMM DRAM factory upgrade for the Cisco 1841   | Cisco | MEM1841-64D                            | 2
    64MB Cisco 1800 Compact Flash Memory                          | Cisco | MEM1800-64CF                           | 2
    2-Port Async/Sync Serial WAN Interface Card                   | Cisco | WIC-2A/S or WIC-2T                     | 3
    V.35 Cable, DTE Male to Smart Serial, 10 Feet                 | Cisco | CAB-SS-V35MT                           | 2
    V.35 Cable, DCE Female to Smart Serial, 10 Feet               | Cisco | CAB-SS-V35FC                           | 2
    Catalyst 2960 24 10/100 + 2 1000BT LAN Base Image             | Cisco | WS-C2960-24TT-L                        | 3
    (Optional) Rackmount Kit for the 1841                         | Cisco | ACS-1841-RM-19                         | 3
    Cisco IOS Release 12.4(20)T1 Advanced IP Services             | Cisco | c1841-advipservicesk9mz.124-20.T1.bin  | 2

Slide 31: CCNA Security Course Outline
• Ch. 1 Modern Network Security Threats – Goal: Explain network threats, mitigation techniques, and the basics of securing a network.
• Ch. 2 Securing Network Devices – Goal: Securing administrative access on Cisco routers; roles, IOS, syslog, SNMP, lockdown
• Ch. 3 Authentication, Authorization and Accounting – Goal: Securing administrative access with AAA.
• Ch. 4 Implementing Firewall Technologies – Goal: Implement firewall technologies to secure the network perimeter; ACLs, CBAC, zone-based policy firewall
• Ch. 5 Implementing Intrusion Prevention – Goal: Configure IPS to mitigate attacks on the network.
• Ch. 6 Securing the Local Area Network – Goal: Describe LAN security considerations and implement endpoint and Layer 2 security features; CSA, wireless, VoIP
• Ch. 7 Cryptographic Systems – Goal: Describe methods for implementing data confidentiality and integrity; encryption, hashing, PKI, certificates
• Ch. 8 Implementing Virtual Private Networks – Goal: Implement secure virtual private networks; GRE, IPsec
• Ch. 9 Managing A Secure Network – Goal: Given the security needs of an enterprise, create and implement a comprehensive security policy; standards, guidelines & procedures, security design, risk analysis, management, BCP, SDLC

Slide 32: Enrollment, Training & Support
• Student Enrollment – Pre-requisite: CCNA-level knowledge required
• Instructor Training Guidelines
  o CCNA-level knowledge required
  o Required for new CCNA Security instructors; fast track possible with evidence of CCNA Security or higher certification or industry experience
  o Recommended for existing NS1, NS2 and CCNP: ISCW instructors
  o Existing NS1, NS2 and CCNP: ISCW instructors allowed to teach CCNA Security course
• Instructor Training – BDL format with 3-day in-person preferred; can also be delivered 100% remote
• BDL Best Practices guide developed to provide guidelines on how to deliver the course in a BDL environment
• Training Support Model – similar to CCNP model; Cisco Networking Academy Global Support Desk will provide day-to-day technical support

Slide 33: CCNA Security Release Dates and Availability
(Timeline, Jan–Jul 2009; entries recovered in date order.)
• Early January 2009 – Draft Scope and Sequence
• Mar 2009 – Virtual SMT for Beta Release
• Mid-April 2009 – Beta Release of student course: for instructor training and preview purposes
• End of Jun 2009 – Virtual SMT for GA Release
• End of July 2009 – General Availability (GA) Release—student and instructor materials:
  • Released at same time with Packet Tracer v5.2 GA
  • Use for teaching student classes

Slide 34: Communications
Announcements sent via email to all instructors:
• New CCNA Security Course announced – Sep 2008
• Current NS1 and NS2 courses move to unsupported – Sep 2008
• CCNA Security course availability announced – Oct 2008
• Preliminary CCNA Security Scope & Sequence available – Jan 2009
• FAQs

Slide 35: Q and A
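As an added worked example (not part of the presentation or of any Cisco material), this Python model shows what the key-chain / `ip rip authentication mode md5` configuration on the Secure Routing protocols slide defends against: a receiver sharing the key recomputes the keyed-MD5 trailer of each RIPv2 update and rejects one whose routes were falsified in transit. The packet layout and digest computation follow the RFC 2082 scheme as an assumption; byte-for-byte agreement with IOS output is not claimed, and the prefix, key ID, sequence number and key-string are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH = 0xFFFF       # address-family value that marks an authentication entry
AUTH_KEYED_MD5 = 3      # authentication type in the leading entry (RFC 2082 layout, assumed)
AUTH_TRAILER = 1        # type value of the trailing entry that carries the digest
DIGEST_LEN = 16


def route_entry(prefix, next_hop, metric):
    """One 20-byte RIPv2 route entry: AFI=2 (IP), route tag 0, network, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed, net.netmask.packed,
                       ipaddress.ip_address(next_hop).packed, metric)


def build_update(routes, key, key_id, seq):
    """RIPv2 response carrying a keyed-MD5 trailer; 'routes' is a list of (prefix, next_hop, metric)."""
    header = struct.pack("!BBH", 2, 2, 0)               # command=2 (response), version=2, must-be-zero
    body = b"".join(route_entry(*r) for r in routes)
    pkt_len = len(header) + 20 + len(body)              # offset of the trailer from the packet start
    auth_entry = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_KEYED_MD5, pkt_len, key_id, DIGEST_LEN, seq)
    unsigned = header + auth_entry + body + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # The digest covers the whole packet with the key (zero-padded to 16 bytes) in the digest slot.
    digest = hashlib.md5(unsigned + key.ljust(DIGEST_LEN, b"\x00")).digest()
    return unsigned + digest


def verify_update(packet, keys):
    """Recompute the digest with the key named by key ID; False for unknown key, bad length or mismatch."""
    if len(packet) < 4 + 20 + 4 + DIGEST_LEN:
        return False
    afi, auth_type, pkt_len, key_id, auth_len, _seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or auth_type != AUTH_KEYED_MD5 or auth_len != DIGEST_LEN:
        return False
    key = keys.get(key_id)
    if key is None or len(packet) != pkt_len + 4 + DIGEST_LEN:
        return False
    unsigned, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hashlib.md5(unsigned + key.ljust(DIGEST_LEN, b"\x00")).digest()
    return hmac.compare_digest(expected, received)   # constant-time comparison of the two digests


if __name__ == "__main__":
    # Constructed sample: one route, key ID 1 with the key-string "cisco" from the slide.
    keys = {1: b"cisco"}
    update = build_update([("10.1.1.0/24", "0.0.0.0", 1)], keys[1], 1, seq=42)
    print("genuine update accepted:", verify_update(update, keys))
    forged = update[:43] + bytes([update[43] ^ 0x0F]) + update[44:]   # metric altered in transit
    print("falsified update accepted:", verify_update(forged, keys))
```

The sequence number in the entry is what lets a receiver also discard replayed updates; this model only checks the digest.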