Description

Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions. This five-day course focuses on using one or more of the available WAN connection technologies for remote access between enterprise sites.

This course includes cable modems and DSL with Network Address Translation (NAT), Multiprotocol Label Switching (MPLS) virtual private networks (VPNs), and network security using VPNs with IPsec encryption and Internet Key Exchange (IKE) keys. Successful graduates will be able to secure the network environment using existing Cisco IOS security features, and configure the three primary components of the Cisco IOS Firewall feature set (firewall, intrusion prevention system [IPS], and authentication, authorization, and accounting [AAA]). This task-oriented course teaches the knowledge and skills needed to secure Cisco IOS router networks using features and commands in Cisco IOS software, and using a router configuration application. This course is part of the recommended learning path for learners seeking the Cisco CCNP®.

Objectives

After completing this course the student should be able to:

• Explain the Cisco hierarchical network model as it pertains to the WAN
• Describe and implement teleworker configuration and access
• Implement and verify frame mode MPLS
• Describe and configure a site-to-site IPSEC VPN
• Describe and configure Cisco EZVPN
• Explain the strategies used to mitigate network attacks
• Describe and configure Cisco device hardening
• Describe and configure IOS firewall features

Prerequisites

The knowledge and skills that a learner must have before attending this course are as follows:

• Completion of the Introduction to Cisco Networking Technologies (INTRO) and the Interconnecting Cisco Network Devices (ICND) courses, or Cisco CCNA® certification
• Ability to complete the initial configuration of a Cisco switch
• Ability to create basic interswitch connections
• Ability to complete the initial configuration of a Cisco router
• Basic knowledge of routing (static, default router, default gateway, and basic NAT and PAT)
• Basic knowledge of concepts linked to routing protocols (classful versus classless routing protocol, single area OSPF, RIP, EIGRP, administrative distance, and interoperations)
• Basic knowledge of standard WAN technologies (Frame Relay, PPP, and HDLC)
• Fundamental security knowledge, including the presence of hackers, viruses, and other security threats
• Fundamental knowledge of IP addressing, including the format of IPv4 addresses, the concept of subnetting, VLSM and CIDR, and static and default routing
• Basic knowledge of standard and extended ACLs
• Ability to use client utilities including Telnet, IPCONFIG, Trace Route, Ping, FTP, TFTP, and HyperTerminal or other terminal emulation programs
• Basic IOS familiarity, including accessing the CLI on a Cisco device and specifically implementing the debug and show commands

Who Should Attend

• Module 1: Network Connectivity Requirements
  • Lesson 1: Describing Network Requirements
    • IIN and Cisco SONA Framework
    • Cisco Network Models
    • Remote Connection Requirements in a Converged Network
• Module 2: Teleworker Connectivity
  • Lesson 1: Describing Topologies for Facilitating Remote Connections
    • Remote Connection Topologies
    • The Challenge of Connecting the Teleworker
  • Lesson 2: Describing Cable Technology
    • Cable Technology Terms
    • Cable System Components
    • Cable Features
    • Digital Signals over RF Channels
    • Data over Cable
    • Cable Technology: Putting It All Together
    • Provisioning a Cable Modem
  • Lesson 3: Describing DSL Technology
    • DSL Features
    • DSL Types
    • DSL Limitations
    • ADSL
    • ADSL and POTS Coexistence
    • ADSL Channels and Encoding
    • Data over ADSL: PPPoE
    • Data over ADSL: PPPoA
  • Lesson 4: Configuring the CPE as the PPPoE or PPPoA Client
    • Configuration of a Cisco Router as the PPPoE Client
    • Configuration of PPPoE in a VPDN Group
    • Configuration of a PPPoE Client
    • Configuration of the PPPoE DSL Dialer Interface
    • Configuration of PAT
    • Configuring DHCP to Scale DSL
    • Configuration of a Static Default Route
    • Verifying a PPPoE Configuration
  • Lesson 5: Verifying Broadband ADSL Configurations
    • Layer Troubleshooting
    • Layer 1 Issues
    • Administratively Down State for an ATM Interface
    • Correct DSL Operating Mode?
    • Layer 2 Issues
    • Data Received from the ISP
    • Proper PPP Negotiation
• Module 3: Frame Mode MPLS Implementation
  • Lesson 1: Introducing MPLS Networks
    • The MPLS Conceptual Model
    • Router Switching Mechanisms
    • MPLS Architecture
    • MPLS Labels
    • Label Switch Routers
    • LSR Component Architecture
  • Lesson 2: Assigning MPLS Labels to Packets
    • Label Allocation in a Frame Mode MPLS Environment
    • Label Distribution and Advertisement
    • Populating the LFIB Table
    • Packet Propagation Across an MPLS Network
    • Penultimate Hop Popping
  • Lesson 3: Implementing Frame Mode MPLS
    • The Procedure to Configure MPLS
    • Configuring IP CEF
    • Configuring MPLS on a Frame Mode Interface
    • Configuring the MTU Size in Label Switching
  • Lesson 4: Describing MPLS VPN Technology
    • Defining MPLS VPN
    • MPLS VPN Architecture
    • Propagation of Routing Information Across the P-Network
    • End-to-End Routing Information Flow
    • MPLS VPNs and Packet Forwarding
• Module 4: IPsec VPNs
  • Lesson 1: Understanding IPsec Components and IPsec VPN Features
    • IPsec Overview
    • Internet Key Exchange
    • IKE: Other Functions
    • ESP and AH
    • Message Authentication and Integrity Check
    • Symmetric vs. Asymmetric Encryption Algorithms
    • PKI Environment
  • Lesson 2: Implementing Site-to-Site IPsec VPN Operations
    • Site-to-Site IPsec VPN Operations
    • Configuring IPsec
    • Site-to-Site IPsec Configuration: Phase 1
    • Site-to-Site IPsec Configuration: Phase 2
    • Site-to-Site IPsec Configuration: Apply VPN Configuration
    • Site-to-Site IPsec Configuration: Interface ACL
  • Lesson 3: Configuring IPsec Site-to-Site VPN Using SDM
    • Introducing the SDM VPN Wizard Interface
    • Site-to-Site VPN Components
    • Launching the Site-to-Site VPN Wizard
    • Connection Settings
    • IKE Proposals
    • Transform Set
    • Defining What Traffic to Protect
    • Completing the Configuration
  • Lesson 4: Configuring GRE Tunnels over IPsec
    • Generic Routing Encapsulation
    • Introducing Secure GRE Tunnels
    • Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
    • Backup GRE Tunnel Information
    • VPN Authentication Information
    • IKE Proposals
    • Transform Set
    • Routing Information
    • Completing the Configuration
  • Lesson 5: Configuring High-Availability Options
    • High Availability for IOS IPsec VPNs
    • IPsec Backup Peer
    • Hot Standby Routing Protocol
    • IPsec Stateful Failover
    • Backing Up a WAN Connection with an IPsec VPN
  • Lesson 6: Configuring Cisco Easy VPN and Easy VPN Server Using SDM
    • Introducing Cisco Easy VPN
    • Describe Easy VPN Server and Easy VPN Remote
    • Cisco Easy VPN Server Configuration Tasks
    • Configuring Easy VPN Server
    • IKE Proposals
    • Transform Set
    • Group Policy Configuration Location
    • User Authentication
    • Local Group Policies
    • Completing the Configuration
  • Lesson 7: Implementing the Cisco VPN Client
    • Cisco VPN Client Configuration Tasks
    • Use the Cisco VPN Client to Establish an RA VPN Connection and Verify the Connection Status
• Module 5: Cisco Device Hardening
  • Lesson 1:
  • Cisco Self-Defending Network
    • Types of Network Attacks
    • Reconnaissance Attacks and Mitigation
    • Access Attacks and Mitigation
    • DoS Attacks and Mitigation
    • Worm, Virus, and Trojan Horse Attacks and Mitigation
    • Application Layer Attacks and Mitigation
    • Management Protocols and Vulnerabilities
    • Determining Vulnerabilities and Threats
  • Lesson 2: Disabling Unused Cisco Router Network Services and Interfaces
    • Vulnerable Router Services and Interfaces
    • Locking Down Routers with AutoSecure
    • AutoSecure Process Overview
    • Locking Down Routers with the SDM
  • Lesson 3: Securing Cisco Router Installations and Administrative Access
    • Configuring Router Passwords
    • Setting a Login Failure Rate
    • Setting Timeouts
    • Setting Multiple Privilege Levels
    • Configuring Banner Messages
    • Configuring Role-Based CLI
    • Secure Configuration Files
  • Lesson 4: Mitigating Threats and Attacks with Access Lists
    • Cisco ACLs
    • Applying ACLs to Router Interfaces
    • Using Traffic Filtering with ACLs
    • Filtering Network Traffic to Mitigate Threats
    • Mitigating DDoS with ACLs
    • Combining Access Functions
    • Caveats
  • Lesson 5: Securing Management and Reporting Features
    • Secure Management and Reporting Planning Considerations
    • Secure Management and Reporting Architecture
    • Configuring an SSH Server for Secure Management and Reporting
    • Using Syslog Logging for Network Security
    • Configuring Syslog Logging
    • SNMP Version 3
    • Configuring an SNMP Managed Node
    • Configuring NTP Client
    • Configuring NTP Server
  • Lesson 6: Configuring AAA on Cisco Routers
    • Introduction to AAA
    • Router Access Modes
    • AAA Protocols: RADIUS and TACACS+
    • Configure AAA Login Authentication on Cisco Routers Using CLI
    • Configure AAA Login Authentication on Cisco Routers Using SDM
    • Troubleshoot AAA Login Authentication on Cisco Routers
    • AAA Authorization Commands
    • AAA Accounting Commands
• Module 6: Cisco IOS Threat Defense Features
  • Lesson 1: Introducing the Cisco IOS Firewall
    • Layered Defense Strategy
    • Firewall Technologies
    • Stateful Firewall Operation
    • Introducing the Cisco IOS Firewall Feature Set
    • Cisco IOS Firewall Functions
    • Cisco IOS Firewall Process
  • Lesson 2: Implementing Cisco IOS Firewalls
    • Configuring Cisco IOS Firewall from the CLI
    • Basic and Advanced Firewall Wizards
    • Configuring a Basic Firewall
    • Configuring Interfaces on an Advanced Firewall
    • Configuring a DMZ on an Advanced Firewall
    • Advanced Firewall Security Configuration
    • Complete the Configuration
    • Viewing Firewall Activity
  • Lesson 3: Introducing Cisco IOS IPS
    • Introducing Cisco IOS IDS and IPS
    • Types of IDS and IPS Systems
    • IDS and IPS Signatures
    • Cisco IOS IPS Alarms
  • Lesson 4: Configuring Cisco IOS IPS
    • Configuring Cisco IOS IPS
    • Cisco IOS IPS SDM Tasks
    • Selecting Interfaces and Configuring SDF Locations
    • Viewing the IPS Policy Summary and Delivering the Configuration to the Router
    • Configuring IPS Policies and Global Settings
    • Viewing SDEE Messages
    • Tuning Signatures

  Lab Outline

  • Lab 2-1: E-Lab: Configuring DSL
  • Lab 3-1: Configuring Frame Mode MPLS
  • Lab 4-1: Configuring Site-to-Site IPsec VPNs
  • Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM
  • Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection
  • Lab 4-4: Configuring Cisco Easy VPN Server Using SDM
  • Lab 5-1: Securing Cisco Routers
  • Lab 5-2: Securing Cisco Router Management
  • Lab 5-3: Configuring AAA Login Authentication and Exec Authorization on Cisco Routers
  • Lab 6-1: Configuring a Cisco IOS Firewall
  • Lab 6-2: Configuring Cisco IOS IPS
  • Lab 6-3: Troubleshooting Security