Certification towards
CCSP and Cisco Firewall Specialist
Cisco PIX Firewall and Firewall Specialist Certification
Overview The Cisco Secure PIX Firewall
Courses Exam 642-523 is one of the exams associated
with the CCSP (Cisco Certified Security Professional)
Certification and the Cisco Firewall Specialist
certifications.
Cisco PIX Firewall Lecture, Hands-on lab and tests a candidate's knowledge and ability to describe, configure, verify and manage the PIX Firewall and ASA product family.
After the course, you will be able to describe the features, functions and benefits of Cisco PIX Firewall. Also, you will be able to perform basic configuration (like routing, send messages, DHCP, special protocol handling, AAA, shunning, VPN) and should be able to test and verify PIX Firewall operations.
The training is geared towards the following two examinations:
• Securing Networks with PIX and ASA (SNPA)
• Securing Cisco Network Devices with PIX (SND)
If you want to get training and specialize in Cisco PIX Firewall, then this is the course you should seriously consider. Your employability will increase as you can be a potential candidate for Cisco customers who have installed and are maintaining Cisco PIX Firewalls and Cisco Channel partners who sell, implement and maintain Cisco PIX Firewalls.
PIX and ASA Firewall Course Contents
Course Structure
Exam: 642-523 SNPA Securing Networks with PIX and ASA
Install and configure a Security Appliance for basic network connectivity
• Describe the Security Appliance hardware and software architecture
• Determine the Security Appliance hardware and software configuration and verify if it is correct
• Use setup or the CLI to configure basic network settings, including interface configurations
• Use appropriate show commands to verify initial configurations
• Configure NAT and global addressing to meet user requirements
• Configure DHCP client option
• Set default route
• Configure logging options
• Describe the firewall technology
• Explain the information contained in syslog files
• Configure static address translations
• Configure Network Address Translations: PAT
• Verify network address translation operation
Configure a Security Appliance to restrict inbound traffic from untrusted sources
• Configure access-lists to filter traffic based on address, time, and protocols
• Configure object-groups to optimize access-list processing
• Configure Network Address Translations: Nat0
• Configure Network Address Translations: Policy NAT
• Configure java/activeX filtering
• Configure URL filtering
• Verify inbound traffic restrictions
• Configure static port redirection
• Configure a net static
• Set embryonic and connection limits on the Security Appliance
Configure a Security Appliance to provide secure connectivity using site-to-site VPNs
• Explain the basic functionality of IPsec
• Configure IKE with preshared keys
• Differentiate between the types of encryption
• Configure IPsec parameters
• Configure crypto-maps and ACLs
Configure a Security Appliance to provide secure connectivity using remote access VPNs
• Explain the functions of EasyVPN
• Configure IPsec using EasyVPN Server/Client
• Configure the Cisco Secure VPN client
• Explain the purpose of SSL VPN
• Configure WebVPN services: Server/Client
• Verify VPN operations
• Install and Configure SVCs
• Install and Configure Cisco Secure Desktop
Configure transparent firewall, virtual firewall, and high availability firewall features on a Security Appliance
• Explain differences between L2 and L3 operating modes
• Configure Security Appliance for transparent mode (L2)
• Explain purpose of virtual firewalls
• Configure Security Appliance to support virtual firewall
• Monitor and maintain virtual firewall
• Explain the types, purpose and operation of fail-over
• Install appropriate topology to support cable-based or LAN-based fail-over
• Explain the hardware, software and licensing requirements for high-availability
• Configure the Security Appliance for active/standby fail-over
• Configure the Security Appliance for stateful fail-over
• Configure the Security Appliance for active-active fail-over
• Verify fail-over operation
• Recover from a fail-over
• Allocate resources to virtual firewalls
Configure AAA services for the Security Appliance
• Configure ACS for Security Appliance support
• Configure Security Appliance to use AAA feature
• Configure authentication using both local and external databases
• Configure authorization using an external database
• Configure the ACS server for downloadable ACLs
• Configure accounting of connection start/stop
• Verify AAA operation
Configure routing and switching on a Security Appliance
• Enable DHCP server and relay functionality
• Configure VLANs on a Security Appliance interface
• Configure Security Appliance to pass multi-cast traffic
Configure Security Appliance advanced application layer and modular policy features
• Configure a class-map
• Configure a policy-map
• Configure a service-policy
• Configure a ftp-map
• Configure a http-map
• Configure an inspection protocol
• Explain the function of protocol inspection
• Explain DNS guard feature
• Describe the AIP-SSM HW and SW
• Load IPS SW in the AIP-SSM
• Verify AIP-SSM
• Configure an IPS modular policy
• Describe the CSC-SSM HW and SW
• Configure a typed class map
• Configure a typed policy map
• Use typed policy maps to specify granular inspection parameters for a policy map
• Configure regex class maps
• Create regular expressions
• Load CSC SW on the SSM
• Verify the CSC-SSM
• Divert traffic to the CSC-SSM
• Initialize the CSC-SSM
Monitor and manage an installed Security Appliance
• Obtain and apply OS updates
• Backup and restore configurations and software
• Explain the Security Appliance file management system
• Perform password/lockout recovery procedures
• Obtain and upgrade license keys
• Configure passwords for various access methods: Telnet, serial, enable, SSH
• Configure various access methods: Telnet, SSH, ASDM
• Configure command authorization and privilege levels
• Configure local username database
• Verify access control methods
• Enable ASDM functionality
• Verify a Security Appliance configuration via ASDM
• Verify the licensing available on a Security Appliance
• Add, delete, and modify syslog messages
Exam: 642-552 SND Securing Cisco Network Devices with PIX
Security threats facing modern network infrastructures
• Mitigate the common threats to the physical installation
• Mitigation methods for common network attacks
• Mitigation methods for Worm, Virus, and Trojan Horse attacks
• Main activities in each phase of a secure network lifecycle
• Security needs of a typical enterprise with a comprehensive security policy
• Cisco Self Defending Network architecture
Secure Cisco routers
• Secure Cisco routers using the SDM Security Audit feature
• Use the One-Step Lockdown feature in SDM to secure a Cisco router
• Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login
failure rate and using IOS login enhancements
• Secure administrative access to Cisco routers by configuring multiple privilege levels
• Secure administrative access to Cisco routers by configuring role based CLI
• Secure the Cisco IOS image and configuration file
Implement basic AAA using Cisco routers
• Functions and importance of AAA
• Features of TACACS+ and RADIUS AAA protocols
• Authentication that are used to provide access through a router (packet mode)
• Provide access to the router (character mode)
Mitigate threats to Cisco routers and networks using ACLs
• Functionality of standard, extended, and named IP ACLs used by routers to filter packets
• Configure and verify IP ACLs to mitigate given threats
• Filter IP traffic destined for Telnet, SNMP, and DDoS attacks in a network using CLI
• Configure IP ACLs to prevent IP address spoofing using CLI
• Building ACLs
Implement secure network management and reporting
• Factors to be considered when planning for secure management and reporting of network devices
• Use CLI to configure SSH on Cisco routers to enable secured management access
• Use CLI to configure Cisco routers to send Syslog messages to a Syslog server
• SNMPv3 and NTPv3
Mitigate common Layer 2 attacks
• Common Layer 2 attacks and how to mitigate them
• VLAN hopping, STP attacks, ARP spoofing, MAC spoofing, CAM overflow
• Function and benefit of the security features in Cisco Catalyst switches
• IBNS, PVLAN, SPAN port
• Common threats to WLANs
• Security features of the 802.11 protocol
Implement the Cisco IOS firewall feature set using SDM
• Operational strengths and weaknesses of the different firewall technologies
• Stateful firewall operations and the function of the state table
• Types of NAT that can be implemented in a firewall
• Basic and advanced firewall on a Cisco router using SDM
Implement the Cisco IOS IPS feature set using SDM
• Network based vs. host based intrusion detection and prevention
• IPS technologies, attack responses, and monitoring options
• Enable and verify Cisco IOS IPS operations using SDM
Implement IPsec VPN on Cisco routers using SDM
• IKE protocol functionality and phases
• Building blocks of IPsec and the security functions it provides
• Hash-based message authentication code (HMAC) operations
• Different methods of encryption
• Purpose of the Diffie-Hellman key agreement protocol
• IPsec establishes origin authentication
• PKI environment at a high level
• Different types of IPsec VPN implementations
• Configure and verify an IPsec site-to-site VPN with pre-shared key authentication using SDM
• Cisco Easy VPN Server and Cisco Easy VPN Remote
• Remote access VPNs using the Cisco Easy VPN Server feature of Cisco SDM
|
