Virtual Lab Software to build the CCNA Security certification requirements

Reconocimientos adicionales logrando la certificacion CCNA Security

DoD Approved 8570 Baseline Certifications

CNSS 4011 Recognition

No solo se logra la certificacion CCNA Security de CISCO, tambien se logra en reconocimiento de otros estandares de calidad en la seguridad de la informacion

Passed CCNA Security 640-554

Hola a todos,

quiero compartir con ustedes este logro, el dia de ayer 31 marzo de 2014 presente el examen de CCNA Security logrando pasar con un puntaje de 918, esta super alto el puntaje para pasar 898. :D logrando la certificacion automaticamente se renueva las anteriores certificaciones de nivel bajo. el siguiente paso es CCNP R&S pero descanzare un tiempo iniciare en 2015 con el favor de Dios.

passed Untitled


Cisco ISRs provide IPsec and SSL VPN capabilities. Specifically, ISRs are capable of supporting as many as 200 concurrent users. The Cisco ASA 5500 series provides

IPsec and SSL VPN capabilities as well. However, they are Cisco’s most advanced SSL VPN solution capable of supporting concurrent user scalability from 10 to 10,000

sessions per device. ! The ASA supports three types of remote-access VPNs: !!! Clientless SSL VPN Remote Access (using a web browser) SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect client) IPsec (IKEv1) VPN Remote Access (using Cisco VPN client) ! The ASA supports IKEv1 for connections from the legacy Cisco VPN client. IKEv2 is required for the AnyConnect VPN client. For IKEv2, it is possible to configure

multiple encryption and authentication types, and multiple integrity algorithms for a single policy. With IKEv1 for each parameter, only one value can be set per

security policy. ! The ASA provides two main deployment modes that are found in Cisco SSL VPN solutions: !!!!! Clientless SSL VPN – Clientless, browser-based VPN that lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser. After authentication,

users access a portal page and can access specific, supported internal resources. Client-Based SSL VPN – Provides full tunnel SSL VPN connection but requires a VPN client application to be installed on the remote host. ! When the AnyConnect client is pre-installed on the host, the VPN connection can be initiated by starting the application. Once the user authenticates, the ASA examines

the revision of the client and upgrades it as necessary. ! Depending on the ASA SSL VPN policy configured, when the connection terminates the AnyConnect client application will either remain installed on the host or it will

uninstall itself. ! !!!!!!!!!! If NAT is configured on the ASA, then a NAT exemption rule must be for the configured IP address pool. Like IPsec, SSL client address pools must be exempt from the NAT

process because NAT translation occurs before encryption functions. Click Next to continue. !

Chapter10 – ASA – Basic config

write erase ! route outside ! help reload ! The ASA can be restored to its factory default configuration by using the configure factory-default global configuration command. ! !!!!!!!!!!! BASIC SETTINGS! !!!!!!!!!!!!!!! clock set 8:05:00 3 October 2011 clock timezone BOG/CO -5 console timeout 2 ! passwd terminal@2014 enable password console@2014 domain lab.local hostname CISCO-ASA ! ! The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing any functionality. ! key config-key password-encryption password encryption aes ! As soon as password encryption is turned on and the master passphrase is available, all the user passwords will be encrypted. ! show password encryption ! interface g0  nameif OUTSIDE  security-level 0  ip address dhcp setroute ! interface g1  nameif INSIDE  security-level 100  ip address ! CAUTION: An ASA 5505 with a Base license does not allow three fully functioning VLAN interfaces to be created. However, a third “limited” VLAN interface can be created

if it is first configured with the no forward interface vlan command. This command limits the interface from initiating contact to another VLAN. Therefore, when the

inside and outside VLAN interfaces are configured, the no forward interface vlan number command must be entered before the nameif command is entered on the third

interface. The number argument specifies the VLAN ID to which this VLAN interface cannot initiate traffic. The Security Plus license is required to achieve full

functionality. ! show ip address show interface ip brief !  route OUTSIDE 0 0 ! telnet INSIDE telnet timeout 2 ! crypto key generate rsa general-keys modulus 1024 aaa authentication ssh console LOCAL username admin PASsword password123 privilege 15 ssh INSIDE ssh timeout 3 ! show ssh ! ntp server ntp authenticate ntp authentication-key 1 md5 cisco123 ntp trusted-key 1 ! show ntp status show ntp associations ! Note: The ASA 5505 Base license is a 10-user license and therefore the maximum number of DHCP clients supported is 32. For a 50-user license, the maximum is 128

clients. For an unlimited user license, the maximum is 250 (which is the same as all other ASA models). ! dhcpd enable INSIDE dhcpd address INSIDE dhcpd domain lab.local dhcpd lease 3200 dhcpd dns ! If the ASA outside interface was configured as a DHCP client, then the dhcpd auto_config outside global configuration command can be used to pass DNS, WINS, and domain

information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface. dhcpd auto_config ! show dhcpd state show dhcpd binding show dhcpd statistics ! Cisco ASDM is a Java-based GUI tool that facilitates the setup, configuration, monitoring, and troubleshooting of Cisco ASAs. ! Cisco ASDM can be used to monitor and configure multiple ASAs that run the same ASDM version. ! copy tftp:// disk0: disk0: ! http server enable http INSIDE aaa authentication http console LOCAL aaa authentication serial console LOCAL aaa local authentication attempts max-fail 3 aaa authorization exec LOCAL asdm image disk0:/asdm-647.bin asdm history enable ! The Cisco ASDM Home page displays important information about the ASA. Status information in the Home page is updated every 10 seconds. ! A network object name can contain only one IP address and mask pair. Therefore, there can only be one statement in the network object. Entering a second IP

address/mask pair will replace the existing configuration. ! A service object name can only be associated with one protocol and port (or ports). If an existing service object is configured with a different protocol and port (or

ports), the new configuration replaces the existing protocol and port (or ports) with the new ones. ! service protocol service tcp service udp service icmp service icmp6 ! ! ! policy-map type inspect dns preset_dns_map  parameters   message-length maximum 512 policy-map global_policy  class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny   inspect sunrpc   inspect xdmcp   inspect sip   inspect netbios   inspect tftp ! service-policy global_policy global ! Note: A network object group cannot be used to implement NAT. A network object is required to implement NAT. ! ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., instead of a wildcard mask (e.g. Also most ASA ACLs are named instead

of numbered. ! Therefore an ACL would be required to permit traffic from a lower security level to a higher security level. ! Note: To allow connectivity between interfaces with the same security levels, the same-security-traffic permit inter-interface global configuration command is

required. To enable traffic to enter and exit the same interface, such as when encrypted traffic enters an interface and is then routed out the same interface

unencrypted, use the same-security-traffic permit intra-interface global configuration command. ! ACLs on a security appliance can be used not only to filter out packets passing through the appliance but also to filter out packets destined to the appliance. ! The ASA divides the NAT configuration into two sections. The first section defines the network to be translated using a network object. The second section defines the

actual nat command parameters. These appear in two different places in the running-config. ! Note: The any keyword could be used instead of the mapped-ifc parameter. This allows the translation of an object between multiple interfaces with just one CLI

command. For example, nat (dmz, any) static would allow any device on any internal network access to the DMZ server using the outside IP address. !

CCNA Security – Chapter 9 – Comprensive Security

To help simplify network design, it is recommended that all security mechanisms come from a single vendor. The Cisco SecureX architecture is a comprehensive, end-to-end solution for network security that includes solutions to secure the network, email, web, access, mobile users and data center resources. Cisco Security Manager and CCP provide network management options for Cisco SecureX solutions.


! The SDLC includes five phases: initiation, acquisition and development, implementation, operations and maintenance, and disposition. It is important to include security considerations in all phases of the SDLC. ! Risk analysis is the systematic study of uncertainties and risks. It estimates the probability and severity of threats to a system and provides an organization with a prioritized list. Risk analysts identify the risks, determine how and when those risks might arise, and estimate the impact (financial or otherwise) of adverse outcomes.


The first step in developing a risk analysis is to evaluate each threat to determine its severity and probability ! After the threats are evaluated for severity and likelihood, the information is used in a risk analysis. There are two types of risk analysis in information security, quantitative and qualitative. ! Quantitative risk analysis uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of

security implementations. Monetary figures are typically based on an annual cost. ! Quantitative risk analysis is more mathematically precise and typically used by organizations as cost justification for proposed countermeasures. ! There are various ways of conducting qualitative risk analysis. One method uses a scenario-based model. This approach is best for large cities, states, and countries

because it is impractical to try to list all the assets, which is the starting point for any quantitative risk analysis. For example, by the time a typical national

government lists all of its assets, the list would have hundreds or thousands of changes and would no longer be accurate. ! !!!! Quantitative risk analysis relies on specific formulas to determine the value of the risk decision variables. These include formulas that calculate the asset value

(AV), exposure factor (EF), single loss expectancy (SLE), annualized rate of occurrence (ARO), and annualized loss expectancy (ALE). ! Quantitative Risk Analisis Formula !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! AV is the cost of an individual asset. EF is the loss, represented as a percentage, that a realized threat could have on an asset. SLE is the result of AV * EF, or the cost of a single instance of a threat. ! Cisco calls this the Borderless Network. In this new Borderless Network, access to resources can be initiated by users from many locations, on many types of endpoint

devices, using various connectivity methods. ! To address these very issues, Cisco has outlined a security architecture called Cisco SecureX. ! The SecureX security architecture for the Borderless Network relies on a lightweight, pervasive endpoint. Its role is not to scan content or run signatures. Instead,

its sole focus is making sure every connection coming on or off the endpoint is pointed at a network scanning element somewhere in a Cisco security cloud. These

scanning elements are now capable of running many more layers of scanning than a single endpoint possibly could: five layers of malware signatures, data loss

prevention and acceptable use policies, content scanning, and more. ! This architecture is designed to provide effective security for any user, using any device, from any location, and at any time. !! This architecture is comprised of five major components: Scanning engines: Delivery mechanisms: Security intelligence operations (SIO): Policy management consoles: The next-generation endpoint: ! In the Borderless Network, security must begin with the endpoint. ! A context-aware scanning element is a network security device that does more than just examining packets on the wire. It looks at external information to understand

the full context of the situation. To be context aware, the scanner has to consider the who, what, where, when and how of security. ! A context-aware policy uses a simplified descriptive business language to define security policies based on five parameters: !!!!!! The person’s identity The application in use The type of device being used for access The location The time of access ! Cisco SIO is the world’s largest cloud-based security ecosystem, using almost a million live data feeds from deployed Cisco email, web, firewall, and IPS solutions. ! Cisco ScanSafe Cloud Web Security: !! Analyzes web requests for malicious, inappropriate, or acceptable content Offers granular control over open and encrypted web content Extends real-time protection and policy enforcement to remote employees Blocks unwanted and malicious emails, while protecting confidential data ! To ensure a secure working environment within the operations department, certain core principles should be integrated into the day-to-day activities: !!! Separation of duties Rotation of duties Trusted recovery Change and configuration controls ! After a network is operational, it is important to ascertain its security status. Many tests can be conducted to assess the operational status of the system: !!! Network scanning Vulnerability scanning Password cracking Log review Integrity checkers Virus detection Wardialing Wardriving (802.11 or wireless LAN testing) Penetration testing ! Business continuity planning may address the following concerns: !!! Moving or relocating critical business components and people to a remote location while the original location is being repaired Using different channels of communication to deal with customers, shareholders, and partners until operations are returned to normal !


An SSL VPN provides three modes of remote access on Cisco IOS routers: clientless, thin client, and full client. ASA devices have two modes: clientless (which includes clientless and thin client port forwarding) and AnyConnect client (which replaces full tunnel).
Clientless access requires no specialized VPN software or applet on the user desktop. All VPN traffic is transmitted and delivered through a standard web browser.
Thin client mode, sometimes called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In this mode, the remote user downloads a Java applet by clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the client machine for the services configured on the SSL VPN gateway.
Full client mode enables complete access to the corporate network over an SSL VPN tunnel, which is used to move data at the Network (IP) Layer.
Establishing an SSL session involves five steps:

Step 1. The user makes an outbound connection to TCP port 443.

Step 2. The router responds with a digital certificate, which contains a public key that is digitally signed by a trusted certificate authority (CA).

Step 3. The user’s computer generates a shared secret key that both parties use.

Step 4. The shared secret is encrypted with the public key of the router and transmitted to the router. The router software is able to easily decrypt the packet using its private key. Now both participants in the session know the shared secret key.

Step 5. The key is used to encrypt the SSL session.

SSL utilizes encryption algorithms with key lengths from 40 to 256 bits.
The Cisco Easy VPN solution feature offers flexibility, scalability, and ease of use for site-to-site and remote-access VPNs. It consists of three components:
Cisco Easy VPN Server – A Cisco IOS router or Cisco ASA Firewall acting as the VPN head-end device in site-to-site or remote-access VPNs.
Cisco Easy VPN Remote – A Cisco IOS router or Cisco ASA Firewall acting as a remote VPN client.
Cisco VPN Client – An application supported on a PC used to access a Cisco VPN server.
The reverse route injection (RRI) process is initiated. RRI ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client.


A VPN is a communications channel that is used to form a logical connection between two endpoints over a public network. VPNs do not necessarily include encryption or

authentication. IPsec VPNs rely on the IKE protocol to establish secure communications. ! Traffic is considered interesting when it travels between the IPsec peers and meets the criteria that is defined in the crypto ACL. ! Some basic tasks must be completed to configure a site-to-site IPsec VPN. !!!! Task 1. Ensure that ACLs configured on interfaces are compatible with the IPsec configuration. Usually there are restrictions on the interface that the VPN traffic

uses. For example, block all traffic that is not IPsec or IKE. !!!! Task 2. Create an ISAKMP policy. This policy determines the ISAKMP parameters that will be used to establish the tunnel. !!!! Task 3. Configure the IPsec transform set. The transform set defines the parameters that the IPsec tunnel uses. The set can include the encryption and integrity

algorithms. !!!! Task 4. Create a crypto ACL. The crypto ACL defines which traffic is sent through the IPsec tunnel and protected by the IPsec process. !!!! Task 5. Create and apply a crypto map. The crypto map groups the previously configured parameters together and defines the IPsec peer devices. The crypto map is

applied to the outgoing interface of the VPN device. ! ! Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and Authentication Header (AH) traffic is not blocked at the interfaces used

by IPsec. !!!! ESP is assigned IP protocol number 50. AH is assigned IP protocol number 51. ISAKMP uses UDP port 500. ! Multiple ISAKMP policies can be configured on each peer participating in IPsec. When configuring policies, each policy must be given a unique priority number. ! Assign the most secure policy the smallest available number. ! When the ISAKMP negotiation begins in IKE Phase 1 main mode, the peer that initiates the negotiation sends all its policies to the remote peer. The remote peer tries

to find a match with its own policies. The remote peer looks for a match by comparing its own highest priority policy against the policies it received from the other

peer. The remote peer checks each of its policies in order of its priority (highest priority first) until a match is found. ! A match is made when both policies from the two peers contain the same encryption, hash, authentication, DH parameter values, and when the policy of the remote peer

specifies a lifetime less than or equal to the lifetime of the policy that is being compared. If the lifetimes are not identical, the shorter lifetime from the remote

peer policy is used. ! By default, the ISAKMP identity is set to use the IP address. To use the hostname parameter, the ISAKMP identity must be configured to use the host name with the

crypto isakmp identity hostname global configuration mode command. In addition, DNS must be accessible to resolve the hostname. ! Transform sets consist of a combination of an AH transform, an ESP transform, and the IPsec mode (either tunnel or transport mode). ! When ISAKMP is not used to establish SAs, a single transform set must be used. In this instance, the transform set is not negotiated. ! Type of transform set. Specify up to four “transforms”: one AH, one ESP encryption, one ESP authentication, and optionally IP compression. These transforms define the

IPsec security protocols and algorithms. ! Transform sets are negotiated during IKE Phase 2 quick mode. When configuring multiple transform sets, configure the transforms from most to least secure, according to

the network security policy. ! Outbound crypto ACLs select outbound traffic that IPsec should protect. Traffic that is not selected is sent in plaintext. If desired, inbound ACLs can be created to

filter and discard traffic that should have been protected by IPsec. ! Symmetric crypto ACLs must be configured for use by IPsec. When a router receives encrypted packets back from an IPsec peer, it uses the same ACL to determine which

inbound packets to decrypt by viewing the source and destination addresses in the ACL in reverse order. The ACL criteria are applied in the forward direction to

traffic exiting a router, and in the backward direction to traffic entering the router, so that the outbound ACL source becomes the inbound ACL destination. !!!!! Crypto map entries with the same crypto map name but different map sequence numbers are grouped into a crypto map set. ! Only one crypto map can be set to a single interface. The crypto map set can include a combination of Cisco Encryption Technology (CET) and IPsec using IKE. Multiple

interfaces can share the same crypto map set if the same policy is applied to multiple interfaces. If more than one crypto map entry is created for a given interface,

use the sequence number (seq-num) of each map entry to rank the map entries. The smaller the sequence number, the higher the priority. At the interface that has the

crypto map set, traffic is evaluated against higher priority map entries first. !!!!!!! Create multiple crypto map entries for a given interface if any of these conditions exist: !!!!!! Separate IPsec peers handle different data flows. Different IPsec security must be applied to different types of traffic (to the same or separate IPsec peers). For example, if traffic between one set of subnets needs

to be authenticated, and traffic between another set of subnets needs to be both authenticated and encrypted. In this case, define the different types of traffic in

two separate ACLs, and create a separate crypto map entry for each crypto ACL. IKE is not used to establish a particular set of SAs, and multiple ACL entries must be specified, create separate ACLs (one per permit entry) and specify a separate

crypto map entry for each ACL. ! Two peers can be specified in a crypto map for redundancy. If the first peer cannot be contacted, the second peer is used. There is no limit to the number of redundant

peers that can be configured. ! Multiple peers can be specified for redundancy.  set peer default  set peer ! The crypto map is applied to the outgoing interface of the VPN tunnel using the crypto map command in interface configuration mode. ! ! Make sure that the routing information that is needed to send packets into the tunnel is also configured. ! show crypto map show crypto isakmp policy show crypto ipsec sa show crypto isakmp sa show crypto ipsec transform-set debug crypto isakmp debug crypto ipsec ! QM_IDLE status indicates an active IKE SA. !


Recibe cada nueva publicación en tu buzón de correo electrónico.