Implementing Secure Converged Wide Area Networks 1.0 (ISCW)
5 days Instructor-Led

Cisco Training from Solartech


Course Overview


Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions. This five-day course focuses on using one or more of the available WAN connection technologies for remote access between enterprise sites.
This course includes cable modems and DSL with Network Address Translation (NAT), Multiprotocol Label Switching (MPLS) virtual private networks (VPNs), and network security using VPNs with IPsec encryption and Internet Key Exchange (IKE) keys. Successful graduates will be able to secure the network environment using existing Cisco IOS security features, and configure the three primary components of the Cisco IOS Firewall feature set (firewall, intrusion prevention system [IPS], and authentication, authorization, and accounting [AAA]). This task-oriented course teaches the knowledge and skills needed to secure Cisco IOS router networks using features and commands in Cisco IOS software, and using a router configuration application. This course is part of the recommended learning path for learners seeking the Cisco CCNP.

Who will benefit from this course?

This course is intended for those engineers who are candidates for Cisco CCNP, CCDP®, and CCIP® certifications as well as those who are candidates for Cisco CCIE® Routing and Switching and CCIE Communications and Services certifications. Others who will benefit from this course are:

• Network administrators and technicians who are responsible for implementing and troubleshooting complex routed network environments.
• Network administrators and technicians who are responsible for implementing security.
• Customers or channel resellers who are experienced with Cisco products or who have a broad knowledge of the internetworking industry.
• Network technicians who are experienced with Cisco products and services.
• Network administrators who are responsible for implementing and managing medium-to-large business networks.
• Senior network support staff who perform a help-desk role in a medium- or enterprise-sized company that has internal network support-escalation staff.
• Network support staff who design, implement, and troubleshoot Layer 3 connectivity issues.

Prerequisites


To fully benefit from this course, students should have the following prerequisite skills and knowledge:

• Describe and configure a site-to-site IPsec VPN
• Describe and configure Cisco device hardening
• Describe and configure IOS firewall features
• Implement and verify frame mode MPLS
• Describe the remote connectivity requirements for secured access and explain the alignment of these requirements with Cisco network architectures
• Describe and implement teleworker broadband connectivity
 

Course Objectives
 

After completing this course, students will be able to:

• This class provides hands-on labs for the Cisco Secure Device Manager (SDM) and how to use it
• Describe the Campus Infrastructure module of the ECNM
• Define VLANs to segment network traffic and manage network utilization
• Explain the procedure for configuring both 802.1Q and ISL trunking between two switches so that VLANs that span the switches can connect
• Describe how VLAN configuration of switches in a single management domain can be automated with the Cisco proprietary VTP
• Implement high availability technologies and techniques using multilayer switches in a campus environment
• Describe WLANs
• Describe and configure switch infrastructure to support voice
• Describe and implement security features in a switched network


Course Outline

Module 1: Network Connectivity Requirements

Lesson 1: Describing Network Requirements

• Describe the IIN and the SONA framework
• Describe the requirements for establishing secure remote connections in a converged network
• Explain the Cisco conceptual network models, such as Cisco Enterprise Architecture and Cisco hierarchical network model

Module 2: Teleworker Connectivity

Lesson 1: Describing Topologies for Facilitating Remote Connections

• Explain the typical remote connections that an enterprise network has to support
• Describe the challenges faced in connecting teleworkers to the enterprise network, and the solutions that exist to address these challenges

Lesson 2: Describing Cable Technology

• Define basic terminology and standards organizations that are relevant to cable technology
• Describe the components of a cable system that provide data services
• Explain how digital cable systems use RF bands for signal transmission
• Describe the features of cable technology
• Describe how data services can be delivered over a cable network using an HFC architecture
• Explain the combination of technologies and components that make a cable system work
• Explain the process for provisioning a cable modem in a TCP/IP based customer network

Lesson 3: Describing DSL Technology

• Describe features of DSL
• Describe the variants of DSL
• Explain the distance limitations of DSL
• Explain the basic facts of ADSL technology
• Explain how ADSL coexists with telephony service
• Explain CAP and DMT, the competing modulation standards for ADSL signaling
• Explain how data is transmitted over ADSL infrastructure with PPPoE
• Explain how data is transmitted over ADSL infrastructure with PPPoA

Lesson 4: Configuring the CPE as the PPPoE or PPPoA Client

• Configure a Cisco router as a PPPoE client
• Configure an ATM interface for PPPoE client operations
• Configure the PPPoE DSL dialer interface
• Describe how to configure a DHCP server to allocate IP addresses to the users behind the client DSL router
• Configure PAT
• Configure a static route
• Review the output of various debug and show commands to verify the PPPoE operations
• Describe the step-by-step procedure to configure PPPoA on the CPE router
• Configure the DSL ATM interface

Lesson 5: Verifying Broadband ADSL Configurations

• Explain the bottom-up approach to troubleshoot a DSL connection problem
• Explain the procedure to isolate problems to Layer 1
• Explain the procedure to confirm an Administratively Down state
• Explain the procedure to confirm the CPE router is powered on
• Explain the procedure to confirm the correct DSL operating mode on the CPE router ATM interface
• Explain the procedure to isolate problems to Layer 2
• Explain how to determine if data is being received from the ISP
• Explain how to determine if PPP is negotiating successfully

Module 3: Frame Mode MPLS Implementation

Lesson 1: Introducing MPLS Networks

• Identify the elements of the MPLS conceptual model
• Describe the router switching mechanisms
• Describe the MPLS data and control planes
• Identify the structure of an MPLS label and its format
• Explain the function of different types of LSRs in MPLS networks
• Explain the interactions between the control plane and the data plane in an LSR that enable the basic functions of label switching and forwarding of labeled packets to occur

Lesson 2: Assigning MPLS Labels to Packets

• Identify how label allocation is performed in a frame mode MPLS network
• Identify how labels are distributed in a frame mode MPLS network
• Explain how the LFIB table is populated
• Identify packet propagation across an MPLS network
• Describe how PHP improves MPLS performance by eliminating routing lookups on egress LSRs
• Populating the LFIB Table
• Packet Propagation Across an MPLS Network
• Penultimate Hop Popping

Lesson 3: Implementing Frame Mode MPLS

• Describe the procedure for configuring frame mode MPLS on a Cisco IOS router
• Enable IP CEF on a router as a step in implementing frame mode MPLS
• Enable MPLS on a frame mode interface as a step in implementing frame mode MPLS
• Configure the MTU size in label switching as a step in implementing frame mode MPLS

Lesson 4: Describing MPLS VPN Technology

• Identify how routing information is propagated across the P-network
• Identify the end-to-end flow of routing updates in an MPLS VPN
• Describe MPLS VPN packet forwarding
• Explain MPLS VPN architecture, and how it improves on the traditional methods of overlay and peer-to-peer VPN
• Describe the components of an MPLS VPN and how they are interconnected to enable enterprise network connectivity between sites

Module 4: IPsec VPNs

Lesson 1: Understanding IPsec Components and IPsec VPN Features

• Describe the IPsec protocol, its basic functions, and advantages of IPsec VPNs versus other types of VPNs
• Explain the IKE protocols
• Describe IKE functionality
• Describe the two protocols that are used for IPsec
• Describe message authentication and integrity check
• Explain the differences and the functionality between symmetric and asymmetric encryption algorithms
• Describe the PKI

Lesson 2: Implementing Site-to-Site IPsec VPN Operations

• Describe the five steps of IPsec operation
• Explain the procedure to configure IPsec
• Describe the configuration of the ISAKMP parameters
• Describe the configuration to define the IPsec transform set, the crypto ACL, and the crypto map
• Describe the configuration to apply the crypto map to the interface
• Describe the configuration of the interface ACL for IPsec

Lesson 3: Configuring IPsec Site-to-Site VPN Using SDM

• Describe how to navigate the site-to-site VPN wizard interface
• Describe the components that will be configured by the SDM site-to-site VPN wizard
• Explain how to set the parameters of the site-to-site VPN tunnel
• Explain how to launch the site-to-site VPN wizard
• Explain how SDM sets IKE policies
• Explain how to select a transform set and associate additional transform sets as required
• Explain how to define the traffic that the VPN protects
• Explain how to complete the configuration by viewing the settings in the Summary window

Lesson 4: Configuring GRE Tunnels over IPsec

• Describe GRE
• Explain the purpose of a secure GRE tunnel
• Describe the components that will be configured by the SDM site-to-site VPN secure GRE tunnel wizard
• Explain how to configure a backup GRE-over-IPsec tunnel that the router can use when the primary tunnel fails
• Explain how to select the authentication method to be used on the VPN
• Explain how to configure IKE using the SDM wizard
• Explain how to configure the IPsec transform set using the SDM wizard
• Explain how to configure dynamic or static routing over the GRE and IPsec tunnel
• Explain how to complete the configuration by viewing the settings in the Summary window

Lesson 5: Configuring High-Availability Options

• Explain how high availability of IPsec VPNs is achieved
• Explain the failover option of backup IPsec peers
• Explain the use of HSRP for IOS IPsec VPN resiliency
• Explain IPsec stateful failover
• Explain how a WAN connection can be backed up by using an IPsec VPN

Lesson 6: Configuring Cisco Easy VPN and Easy VPN Server Using SDM

• Explain the general operation of Cisco Easy VPN including its benefits and the role of each of its components
• Describe the functionality provided by Cisco Easy VPN Server, explain the concept of dynamic crypto maps, and describe the functionality provided by Easy VPN Remote
• List the steps required to configure Cisco Easy VPN Server using SDM
• Configure local group policies
• Describe each of the steps required to configure Cisco Easy VPN Server using SDM
• Explain how to configure IKE using the SDM wizard
• Explain how to configure the IPsec transform set using the SDM wizard
• Describe the locations where Easy VPN group policies can be stored
• Describe the locations where user records for Xauth can be stored
• Explain how to complete the configuration by viewing the settings in the Summary window

Lesson 7: Configuring Cisco Easy VPN and Easy VPN Server Using SDM

• List the steps required to configure the software VPN client on a PC
• Describe each of the steps required to configure Cisco VPN Client

Module 5: Cisco Device Hardening

Lesson 1: Mitigating Network Attacks

• Describe the Cisco Self-Defending Network strategy
• List the types of attacks that enterprise networks must defend against
• Describe how to mitigate reconnaissance attacks including packet sniffers, port scans, ping sweeps, and Internet information queries
• Describe how to mitigate access attacks including password attacks, trust exploitation, buffer overflow, port redirection, and man-in-the-middle attacks
• Describe how to mitigate DoS attacks including IP spoofing and DDoS
• Describe how to mitigate worm, virus, and Trojan horse attacks
• Describe how to mitigate application layer attacks
• Describe vulnerabilities in configuration management protocols, and recommendations for mitigating these vulnerabilities
• Describe how to use open source tools to discover network vulnerabilities and threats

Lesson 2: Disabling Unused Cisco Router Network Services and Interfaces

• Identify router services and interfaces that are vulnerable to network attack
• Explain how the process of locking down a Cisco router can be automated with the auto secure command
• Explain how to configure AutoSecure on a Cisco router
• Compare the process of locking down a Cisco router with the CLI auto secure command and the One-Step Lockdown mode of the Security Audit wizard available in SDM

Lesson 3: Securing Cisco Router Installations and Administrative Access

• Describe how to configure secure administrative access to Cisco routers by configuring passwords
• Describe how to secure administrative access to Cisco routers by setting a login failure rate and using IOS login enhancements
• Describe how to secure administrative access to Cisco routers by setting timeouts
• Describe how to secure administrative access to Cisco routers by setting multiple privilege levels
• Describe how to secure administrative access to Cisco routers by configuring banner messages
• Explain what role-based CLI is, and the commands required to configure basic CLI views
• Explain how to secure the Cisco IOS boot image and configuration files

Lesson 4: Mitigating Threats and Attacks with Access Lists

• Identify the types and formats of IP ACLs that are used by routers to restrict access and filter packets
• Describe how to apply ACLs to router interfaces
• Explain the use of traffic filtering with ACLs to mitigate threats in a network
• Explain how to implement ACLs to filter IP traffic destined for Telnet, SNMP, and RIP services
• Explain how to implement ACLs to mitigate threats
• Explain how to configure router ACLs to help reduce the effects of DDoS attacks
• Describe how to combine many ACL functions into two or three larger ACLs
• Explain some of the caveats to be considered when building ACLs

Lesson 5: Securing Management and Reporting Features

• Describe the factors you must consider when planning the secure management and reporting configuration of network devices
• Describe the factors that affect the architecture of secure management and reporting in terms of in-band and OOB information paths
• Describe the steps used to configure an SSH server for secure management and reporting
• Describe how the syslog function plays a key role in network security
• Describe how to configure syslog on Cisco routers using syslog router commands
• Describe the security features of SNMPv3
• Describe how to configure SNMPv3 on a Cisco IOS router or a switch
• Configure an NTP client including authentication in client mode
• Configure a Cisco router as an NTP server

Lesson 6: Configuring AAA on Cisco Routers

• Describe the three components of AAA
• Describe the AAA access modes
• Describe the AAA RADIUS and TACACS+ protocols
• Configure AAA login authentication on Cisco routers using CLI
• Configure AAA login authentication on Cisco routers using SDM
• Troubleshoot AAA on a Cisco perimeter router using the debug aaa command
• Explain AAA authorization and the commands that are required to configure it on Cisco routers
• Explain AAA accounting and the commands that are required to configure it on Cisco routers

Module 6: Cisco IOS Threat Defense Features

Lesson 1: Introducing the Cisco IOS Firewall

• Explain the basic structure of a layered defense
• Describe the operational strengths and weaknesses of the three firewall technologies
• Explain the basic operation of a stateful firewall
• Describe the features of the Cisco IOS Firewall
• Describe how the Cisco IOS Firewall combines the features of packet inspection and proxy firewalls to provide an optimal security solution
• Explain the Cisco IOS Firewall process

Lesson 2: Implementing Cisco IOS Firewalls

• Explain the procedure to configure Cisco IOS Firewall from the Cisco IOS CLI
• Explain when and how to use the Basic and Advanced Firewall Configuration wizards in SDM
• Explain how to configure a basic firewall using SDM
• Explain how to configure the interfaces on an advanced firewall using SDM
• Explain how to configure a DMZ on an advanced firewall
• Explain how to configure inspection rules
• Explain how to complete the Advanced Firewall wizard configuration by viewing the settings in the Summary window
• Explain how to use the SDM logging function to monitor firewall activity

Lesson 3: Introducing Cisco IOS IPS

• Describe the functions and operations of IDS and IPS systems, and the difference between IDS and IPS
• Describe the types of IDS and IPS systems
• Describe the four types of IDS and IPS signatures
• Explain how SDFs and SMEs work together
• Describe what happens when a signature is matched

Lesson 4: Configuring Cisco IOS IPS

• Configure and verify IOS IPS using the CLI interface
• Describe the Cisco IOS IPS tasks you can complete with SDM
• Select interfaces and configure SDF locations within the SDM IPS Policies wizard
• View the IPS policy summary and deliver the IPS configuration to the router using the SDM IPS Policies wizard
• Configure IPS policies and global settings using the SDM
• View SDEE messages in the SDM
• Tune signatures using the SDM
