About MicroTrain
MicroTrain Technologies gives you the computer skills and knowledge you need by applying the perfect combination of expert hands-on instruction, superior customer service and convenient training locations.
IINS - Implementing Cisco IOS Network Security
Description
In this course, you'll focus on the necessity of a comprehensive security policy and how it affects the posture of the network. You will learn to perform basic tasks to secure a small branch-office network using Cisco IOS security features available through web-based GUIs (Cisco Router and Security Device Manager [SDM]) and the command-line interface (CLI) on Cisco routers and switches.
Outline
1. Exclusive - NAT and PAT
2. Introduction to Network Security Principles
3. Perimeter Security
4. Network Security Using Cisco IOS Firewalls
5. Site-to-Site VPNs
6. Network Security Using Cisco IOS IPS
7. LAN, SAN, Voice, and Endpoint Security Overview
Labs
We have enhanced our IINS labs beyond what you'll find in the standard IINS labs. Instead of using the same equipment and topology that is used for the ICND courses, as standard Cisco IINS labs do, our IINS labs use the same equipment and topology that is used for the CCSP family of classes. Every pod has two 2811 routers, one 1841 router, one 3560 switch, and a VMware server with 10 virtual machines (VMs). Our topology is designed to replicate what is commonly found in small- to mid-sized business environments, with meaningful, realistic scenarios.
Lab 1: Exclusive - Network Address Translation
The network equipment starts in a generally configured state. Routing works within the internal network and within the external network. However, the internal network uses RFC 1918 private address space, which is not routable in the external network. Therefore, Network Address Translation (NAT) must be configured at the perimeter to allow connectivity from the internal network to the external network.
Lab 2: Ethical Hacking
There is now IP connectivity throughout the network, but no security features have been enabled. In this lab you will see that without proper configuration of security features, the network can be compromised in many ways using freely available tools. The attacks demonstrated in this lab will be mitigated in later IINS labs.
Lab 3: Securing IOS Administrative Access
Protecting access to the IOS command line is a basic security requirement. In this lab, you will implement line passwords and enable passwords and secrets. You will also use service password encryption. To provide a reality check on password security, password-cracking attacks are demonstrated. You will also be introduced to the authorization mechanism of privilege levels.
Lab 4: Exclusive - Preparing Cisco SDM
SDM is a web-based Graphical User Interface for the configuration of routing and security features on IOS routers. Since it's web-based, it can be accessed via HTTP and HTTPS. From a security perspective, HTTPS is preferred. Using HTTPS will prevent the login credentials from passing the network in clear text. HTTPS requires an SSL identity certificate to reside on the HTTPS server (the IOS router in this case). This lab will demonstrate how to maintain public/private key pairs and self-signed digital certificates on IOS routers to make the use of HTTPS more manageable.
Lab 5: Configuring IOS AAA with the Local Database
In this lab, you will examine Authentication, Authorization, and Accounting (AAA) features using the local database. Users will be defined in the local database for authentication. They will be linked to privilege levels defined in the previous lab for authorization. Also, role-based CLI will be introduced where command sets can be assigned to groups of users. Interaction between SDM and role-based CLI will also be demonstrated.
Lab 6: Configuring IOS AAA with ACS
In this lab, you will examine AAA concepts using Cisco Secure Access Control Server (ACS) as an AAA server. Our version of this lab goes a step further than standard Cisco labs in most aspects. For example, instead of simply linking ACS to the Windows database for authentication, you will integrate with Active Directory and perform group matching for authorization. Instead of simply authorizing for privilege level, you will perform command authorization using command authorization sets. Instead of simply accounting for login/logout, you will perform command-level accounting. You will also test what happens in the event of an AAA server failure.
Lab 7: IOS Secure Management and Reporting
In this lab, you will configure some management and reporting functions on the router, and you will configure various other security features. You will configure SSH to provide secure connections to the CLI. You will configure authenticated NTP to keep the router's clock in sync. You will configure Syslog, which can report on various security events to a Syslog server. You will also configure Unicast Reverse Path Forwarding checks to limit IP spoofing and Route Authentication to mitigate route table poisoning by attackers.
Lab 8: Securing IOS Router Services
SDM offers a security audit which can help identify potential security issues with the router's configuration. For the problems it identifies, it can also propose solutions. In this lab, you will run an SDM security audit, analyze the results, and carefully choose which issues you would like to have it correct for you.
Lab 9: Packet Filtering Using ACLs
Packet filtering is not as powerful as stateful inspection, but it has its place. In this lab, you will configure packet filtering on the Perimeter Router. This will allow the Perimeter Router to take care of the "easy stuff", leaving the issues that are more difficult to defend against for the IOS-FW. To illustrate the limitations of packet filtering, you will demonstrate the attack known as an ACK scan, and you will manipulate TCP ports used by applications to gain access to internal systems.
Lab 10: IOS Zone-Based Firewall
Zone-Based Firewall (ZBF) is a new paradigm for configuring stateful inspection on IOS Firewalls. Instead of applying ACLs to interfaces, interfaces are assigned to zones, and inter-zone policies are defined. Unless traffic is explicitly permitted between zones, it will be denied. In this lab, you will use ZBF to implement stateful inspection on the IOS-FW. You will demonstrate that the vulnerabilities left by the packet filters on the Perimeter Router are now mitigated. You will also configure and demonstrate protection against SYN flood attacks.
Lab 11: Site-to-Site VPN: Traditional IPsec
In this lab, you will configure a Site-to-Site VPN connection between the main site and the Site1 network. You will use SDM's Site-to-Site VPN wizard to accomplish the configuration. Before you can use the wizard, some prep must be completed on the Perimeter Router and the IOS Firewall to allow the tunnel to properly establish. One such task is the removal of the Zone-Based Firewall, which is not compatible with traditional IPsec VPN. This incompatibility is the motivation behind the next lab, which you'll find only at Global Knowledge.
Lab 12: Exclusive - Site-to-Site VPN: GRE and IPsec
As mentioned in the previous lab, traditional IPsec VPN is not compatible with ZBF. That is because the outside interface is used for both untrusted Internet traffic and trusted VPN traffic. Hence, it can't properly be put in a single zone. Using GRE with IPsec provides a solution. With GRE, a virtual tunnel interface is defined. This virtual interface can be put in a separate VPN zone, so policy is easily enforced appropriately for Internet traffic vs. VPN traffic.
Lab 13: IOS Intrusion Prevention System
Much of the same technology that is in place in Cisco's 4200 Series IPS sensors has been ported to IOS so it's available in integrated services routers (ISRs) with the Advanced Security image. This lab provides an overview of IOS IPS functionality. You will enable IOS IPS and demonstrate its function. You will also delve deeper to examine signature definitions. You will use the application IPS Manager Express (which Cisco provides for free for small-scale IPS installations) to monitor IPS events. And you will work with advanced IOS IPS features such as event action overrides and event filters.
Lab 14: Layer 2 Security
If an attacker is connected to the same switching fabric as the victim, even if both are assigned to different VLANs, proper use of security features on the switch is required to protect the victim from the attacker. If the attacker is on the same subnet as the victim, regardless of physical switch topology, security features on the switch are required to protect the victim. This lab mixes some ethical hacking and security configuration. Attacks will be demonstrated, security features will be configured, and then the attacks will be attempted again to demonstrate that they no longer succeed.
| Location | Date |
|---|---|
| Virtual Classroom e-Learning | 10/04-10/08/2010 |
| Virtual Classroom e-Learning | 11/29-12/03/2010 |
| Phoenix, AZ | 09/27-10/01/2010 |
| Vancouver, BC | 10/25-10/29/2010 |
| Santa Clara, CA | 11/29-12/03/2010 |
| Atlanta, GA | 12/06-12/10/2010 |
| Schaumburg, IL | 09/13-09/17/2010 |
| Schaumburg, IL | 11/01-11/05/2010 |
| Burlington, MA | 10/18-10/22/2010 |
| Potomac, MD | 11/08-11/12/2010 |
| Cary, NC | 09/20-09/24/2010 |
| Morristown, NJ | 11/15-11/19/2010 |
| New York, NY | 10/11-10/15/2010 |
| Kanata, Ontario | 10/25-10/29/2010 |
| Toronto, Ontario | 11/15-11/19/2010 |
| Montreal, Quebec | 12/06-12/10/2010 |
| Irving, TX | 10/25-10/29/2010 |
| Arlington, VA | 10/04-10/08/2010 |
| Arlington, VA | 12/13-12/17/2010 |