Contents
Chapter 1 Cybersecurity Fundamentals
“Do I Know This Already?” Quiz
Cybersecurity vs. Information Security (InfoSec)
The NIST Cybersecurity Framework
Additional NIST Guidance and Documents
The International Organization for Standardization (ISO)
Defining What Are Threats, Vulnerabilities, and Exploits
Risk, Assets, Threats, and Vulnerabilities
Understanding What Threat Intelligence Is
Types and Transmission Methods
Trojan Ports and Communication Methods
Common Software and Hardware Vulnerabilities
Authentication-based Vulnerabilities
Credential Brute Force Attacks and Password Cracking
Insecure Direct Object Reference Vulnerabilities
Return-to-LibC Attacks and Buffer Overflows
Security Vulnerabilities in Open Source Software
Confidentiality, Integrity, and Availability
Talking About Availability, What Is a Denial-of-Service (DoS) Attack?
Cloud Computing Issues and Concerns
An Introduction to Digital Forensics and Incident Response
ISO/IEC 27002:2013 and NIST Incident Response Guidance
False Positives, False Negatives, True Positives, and True Negatives
What Is an Incident Response Program?
Tabletop Exercises and Playbooks
Information Sharing and Coordination
Computer Security Incident Response Teams
Product Security Incident Response Teams (PSIRTs)
The Common Vulnerability Scoring System (CVSS)
National CSIRTs and Computer Emergency Response Teams (CERTs)
Incident Response Providers and Managed Security Service Providers (MSSPs)
Key Incident Management Personnel
“Do I Know This Already?” Quiz
Symmetric and Asymmetric Algorithms
Hashed Message Authentication Code
Next-Generation Encryption Protocols
More About Keys and Digital Certificates
Authenticating and Enrolling with the CA
Public Key Cryptography Standards
Simple Certificate Enrollment Protocol
Digital Certificates in Practice
Hierarchical CA with Subordinate CAs
Chapter 3 Software-Defined Networking Security and Network Programmability
“Do I Know This Already?” Quiz
Introduction to Software-Defined Networking
Introduction to the Cisco ACI Solution
More About Network Function Virtualization
Cisco Digital Network Architecture (DNA)
Cisco DNA Group-Based Access Control Policy
Cisco DNA IP-Based Access Control Policy
Cisco DNA Application Policies
Cisco DNA Center Assurance Solution
Introduction to Network Programmability
Modern Programming Languages and Tools
Chapter 4 Authentication, Authorization, Accounting (AAA) and Identity Management
“Do I Know This Already?” Quiz
Introduction to Authentication, Authorization, and Accounting
The Principle of Least Privilege and Separation of Duties
Authentication by Ownership or Possession
Authentication by Characteristic
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control
Infrastructure Access Controls
Network Access Control List and Firewalling
Cisco Identity Services Engine (ISE)
Cisco Platform Exchange Grid (pxGrid)
Cisco ISE Context and Identity Services
Configuring RADIUS Authentication
Configuring 802.1X Authentication
Additional Cisco ISE Design Tips
Advice on Sizing a Cisco ISE Distributed Deployment
Chapter 5 Network Visibility and Segmentation
“Do I Know This Already?” Quiz
Introduction to Network Visibility
The Network as a Sensor and as an Enforcer
NetFlow for Network Security and Visibility
NetFlow for Anomaly Detection and DDoS Attack Mitigation
Data Leak Detection and Prevention
Incident Response, Threat Hunting, and Network Security Forensics
Traffic Engineering and Network Planning
IP Flow Information Export (IPFIX)
Understanding the Stream Control Transmission Protocol (SCTP)
Exploring Application Visibility and Control and NetFlow
Metrics Collection and Exporting
NetFlow Deployment Scenario: User Access Layer
NetFlow Deployment Scenario: Wireless LAN
NetFlow Deployment Scenario: Internet Edge
NetFlow Deployment Scenario: Data Center
NetFlow Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs
On-Premises Monitoring with Cisco Stealthwatch Cloud
Cisco Stealthwatch Cloud Integration with Meraki and Cisco Umbrella
Exploring the Cisco Stealthwatch On-Premises Appliances
Threat Hunting with Cisco Stealthwatch
Cisco Cognitive Threat Analytics (CTA) and Encrypted Traffic Analytics (ETA)
What Is Cisco Cognitive Threat Analytics?
NetFlow Collection Considerations and Best Practices
Determining the Flows per Second and Scalability
Configuring NetFlow in Cisco IOS and Cisco IOS-XE
Simultaneous Application Tracking
Flexible NetFlow Non-Key Fields
Flexible NetFlow Configuration
Configure a Flow Monitor for IPv4 or IPv6
Configure a Flow Exporter for the Flow Monitor
Apply a Flow Monitor to an Interface
Flexible NetFlow IPFIX Export Format
Introduction to Network Segmentation
Application-Based Segmentation
Micro-Segmentation with Cisco ACI
The Scalable Group Tag Exchange Protocol (SXP)
Initially Deploying 802.1X and/or TrustSec in Monitor Mode
Cisco ISE TrustSec and Cisco ACI Integration
Chapter 6 Infrastructure Security
“Do I Know This Already?” Quiz
VLAN and Trunking Fundamentals
Let’s Follow the Frame, Step by Step
What Is the Native VLAN on a Trunk?
So, What Do You Want to Be? (Asks the Port)
Understanding Inter-VLAN Routing
What Is the Challenge of Only Using Physical Interfaces?
Using Virtual “Sub” Interfaces
The Solution to the Layer 2 Loop
Improving the Time Until Forwarding
Common Layer 2 Threats and How to Mitigate Them
The Importance of the Network Infrastructure
The Network Foundation Protection Framework
Understanding and Securing the Management Plane
Best Practices for Securing the Management Plane
Understanding the Control Plane
Best Practices for Securing the Control Plane
Understanding and Securing the Data Plane
Best Practices for Protecting the Data Plane
Additional Data Plane Protection Mechanisms
What Is Management Traffic and the Management Plane?
Management Plane Best Practices
Limiting the Administrator by Assigning a View
Encrypted Management Protocols
Protecting Cisco IOS, Cisco IOS-XE, Cisco IOS-XR, and Cisco NX-OS Files
Implementing Security Measures to Protect the Management Plane
Using the CLI to Troubleshoot AAA for Cisco Routers
RBAC Privilege Level/Parser View
Securing the Network Infrastructure Device Image and Configuration Files
Securing the Data Plane in IPv6
Understanding and Configuring IPv6
Developing a Security Plan for IPv6
Best Practices Common to Both IPv4 and IPv6
Threats Common to Both IPv4 and IPv6
Securing Routing Protocols and the Control Plane
Minimizing the Impact of Control Plane Traffic on the CPU
Implementing Routing Update Authentication on OSPF
Implementing Routing Update Authentication on EIGRP
Implementing Routing Update Authentication on RIP
Implementing Routing Update Authentication on BGP
Chapter 7 Cisco Next-Generation Firewalls and Cisco Next-Generation Intrusion Prevention Systems
“Do I Know This Already?” Quiz
Cisco Firewall History and Legacy
The Cisco ASA FirePOWER Module
Cisco Firepower Threat Defense (FTD)
Cisco FTD for Cisco Integrated Services Routers (ISRs)
Surveying the Cisco Firepower Management Center (FMC)
Exploring the Cisco Firepower Device Manager (FDM)
Comparing Network Security Solutions That Provide Firewall Capabilities
Deployment Modes of Network Security Solutions and Architectures That Provide Firewall Capabilities
Routed vs. Transparent Firewalls
Single-Mode Transparent Firewalls
Surveying the Cisco FTD Deployment Modes
Additional Cisco FTD Deployment Design Considerations
High Availability and Clustering
Implementing Access Control Lists in Cisco ASA
Cisco ASA Application Inspection
To-the-Box Traffic Filtering in the Cisco ASA
Object Grouping and Other ACL Features
ICMP Filtering in the Cisco ASA
Network Address Translation in Cisco ASA
Implementing Access Control Policies in the Cisco Firepower Threat Defense
Cisco Firepower Intrusion Policies
Cisco Advanced Malware Protection (AMP)
Security Intelligence, Security Updates, and Keeping Firepower Software Up to Date
Chapter 8 Virtual Private Networks (VPNs)
“Do I Know This Already?” Quiz
Virtual Private Network (VPN) Fundamentals
Cisco AnyConnect Secure Mobility
Deploying and Configuring Site-to-Site VPNs in Cisco Routers
Traditional Site-to-Site VPNs in Cisco IOS and Cisco IOS-XE Devices
Debug and Show Commands to Verify and Troubleshoot IPsec Tunnels
Configuring Site-to-Site VPNs in Cisco ASA Firewalls
Step 1: Enable ISAKMP in the Cisco ASA
Step 2: Create the ISAKMP Policy
Step 3: Set Up the Tunnel Groups
Step 4: Define the IPsec Policy
Step 5: Create the Crypto Map in the Cisco ASA
Step 6: Configure Traffic Filtering (Optional)
Step 8: Enable Perfect Forward Secrecy (Optional)
Additional Attributes in Cisco Site-to-Site VPN Configurations
Configuring Remote Access VPNs in the Cisco ASA
Configuring IPsec Remote Access VPN in the Cisco ASA
Configuring Clientless Remote Access SSL VPNs in the Cisco ASA
Cisco ASA Remote-Access VPN Design Considerations
Pre-SSL VPN Configuration Steps
Understanding the Remote Access VPN Attributes and Policy Inheritance Model
Configuring Clientless SSL VPN Group Policies
Configuring the Tunnel Group for Clientless SSL VPN
Configuring User Authentication for Clientless SSL VPN
Configuring Application Access in Clientless SSL VPNs
Configuring Client-Based Remote-Access SSL VPNs in the Cisco ASA
Setting Up Tunnel and Group Policies
Deploying the AnyConnect Client
Configuring Remote Access VPNs in FTD
Using the Remote Access VPN Policy Wizard
Troubleshooting Cisco FTD Remote Access VPN Implementations
Configuring Site-to-Site VPNs in FTD
“Do I Know This Already?” Quiz
What Is Cloud and What Are the Cloud Service Models?
DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps
The Waterfall Development Methodology
A Quick Introduction to Containers and Docker
Microservices and Micro-Segmentation
Describing the Customer vs. Provider Security Responsibility for the Different Cloud Service Models
Security Assessment in the Cloud and Questions to Ask Your Cloud Service Provider
The Cisco Umbrella Architecture
Cisco Email Security in the Cloud
Cisco Email Security for Office 365
Application Dependency Mapping
“Do I Know This Already?” Quiz
Cisco Async Operating System (AsyncOS)
Cisco WSA in Explicit Forward Mode
Configuring WCCP in a Cisco ASA to Redirect Web Traffic to a Cisco WSA
Configuring WCCP on a Cisco Switch
Configuring the Cisco WSA to Accept WCCP Redirection
Traffic Redirection with Policy-Based Routing
Deploying Web Proxy IP Spoofing
Configuring Policies in the Cisco WSA
Reviewing a Few Email Concepts
The Recipient Access Table (RAT)
Cisco ESA Data Loss Prevention
SMTP Authentication and Encryption
Domain Keys Identified Mail (DKIM)
Cisco Content Security Management Appliance (SMA)
Chapter 11 Endpoint Protection and Detection
“Do I Know This Already?” Quiz
Introduction to Endpoint Protection and Detection
Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR)
AMP for Endpoints Application Control
Suggested Plan for Final Review and Study
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections
Appendix B CCNP Security Core SCOR (350-701) Exam Updates
Online Element