CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide


CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide

Omar Santos

Cisco Press
221 River St.
Hoboken, NJ 07030 USA

CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide
Omar Santos

Copyright © 2020 Cisco Systems, Inc.

Published by:
Cisco Press
221 River St.
Hoboken, NJ 07030 USA

All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions.

No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

Library of Congress Control Number: 2020901233
ISBN-10: 0-13-597197-7
ISBN-13: 978-0-13-597197-0

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Editor-in-Chief: Mark Taub
Technical Editor: John Stuppi
Alliances Manager, Cisco Press: Arezou Gol
Editorial Assistant: Cindy Teeters
Director, Product Manager: Brett Bartow
Designer: Chuti Prasertsith
Managing Editor: Sandra Schroeder
Composition: codeMantra
Development Editor: Christopher A. Cleveland
Indexer: Ken Johnson
Project Editor: Mandie Frank
Proofreader: Abigail Manheim
Copy Editor: Bart Reed

Credits
Figure 1-1: Screenshot of The Exploit Database (Exploit-DB), © OffSec Services Limited 2020
Figure 1-2: Screenshot of Using searchsploit, © OffSec Services Limited 2020
Figure 1-4: Screenshot of Ghidra Software Reverse Engineering Framework, ghidra
Figure 1-6: Screenshot of SQL injection vulnerability, WebGoat SQL Injection
Figure 3-27: Screenshot of Installing the Python requests package using pip, © Python Software Foundation
Figure 3-28: Screenshot of Using the Python requests package, © Python Software Foundation
Figure 3-29: Screenshot of Using curl to obtain information from an API, © GitHub, Inc.
Figure 3-30: Screenshot of Using curl to obtain additional information from the Deck of Cards API, © GitHub, Inc.
Figure 9-11: Screenshot of AWS Lambda, © 2020, Amazon Web Services, Inc.
Figure 9-14: Screenshot of Docker, © 2020 Docker Inc.
Figure 9-15: Screenshot of Docker, © 2020 Docker Inc.
Figure 9-16: Screenshot of Docker, © 2020 Docker Inc.
Figure 9-17: Deploying your first app on Kubernetes, © Google Inc.
Figure 9-19: Screenshot of The Kubernetes Authors, © Google Inc.
Figure 9-20: Screenshot of The Kubernetes Authors, © Google Inc.
Figure 9-21: Screenshot of The Kubernetes Authors, © Google Inc.
Figure 10-2: Screenshot of macOS, © Apple 2019
The International Organization for Standardization (ISO), ISO/IEC 27001:2005(en)
The International Organization for Standardization (ISO)
Malware Tunneling in IPv6, June 22, 2012, United States Department of Homeland Security
The International Organization for Standardization (ISO)
NIST Special Publication 800-61
NIST Special Publication 800-61
NIST Special Publication 800-61
NIST Special Publication 800-61
US-CERT Description Document - RFC 2350
Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security
NIST Special Publication 800-63B

Contents at a Glance
Introduction xxv
Chapter 1  Cybersecurity Fundamentals 2
Chapter 2  Cryptography 78
Chapter 3  Software-Defined Networking Security and Network Programmability 106
Chapter 4  Authentication, Authorization, Accounting (AAA) and Identity Management 150
Chapter 5  Network Visibility and Segmentation 220
Chapter 6  Infrastructure Security 306
Chapter 7  Cisco Next-Generation Firewalls and Cisco Next-Generation Intrusion Prevention Systems 392
Chapter 8  Virtual Private Networks (VPNs) 464
Chapter 9  Securing the Cloud 548
Chapter 10 Content Security 600
Chapter 11 Endpoint Protection and Detection 634
Chapter 12 Final Preparation 658
Glossary of Key Terms 660
Appendix A Answers to the “Do I Know This Already?” Quizzes and Q&A Sections 678
Appendix B CCNP Security Core SCOR (350-701) Exam Updates 686
Index 688

Contents
Introduction xxv
Chapter 1  Cybersecurity Fundamentals 2
  “Do I Know This Already?” Quiz 3
  Foundation Topics 6
  Introduction to Cybersecurity 6
    Cybersecurity vs. Information Security (InfoSec) 7
    The NIST Cybersecurity Framework 7
    Additional NIST Guidance and Documents 7
    The International Organization for Standardization (ISO) 8
  Defining What Are Threats, Vulnerabilities, and Exploits 8
    What Is a Threat? 9
    What Is a Vulnerability? 9
    What Is an Exploit? 10
    Risk, Assets, Threats, and Vulnerabilities 12
    Defining Threat Actors 13
    Understanding What Threat Intelligence Is 14
    Viruses and Worms 16
    Types and Transmission Methods 16
    Malware Payloads 17
    Trojans 18
    Trojan Types 18
    Trojan Ports and Communication Methods 19
    Trojan Goals 20
    Trojan Infection Mechanisms 20
    Effects of Trojans 22
    Distributing Malware 22
    Ransomware 23
    Covert Communication 23
    Keyloggers 25
    Spyware 26
    Analyzing Malware 27
    Static Analysis 27
    Dynamic Analysis 28

  Common Software and Hardware Vulnerabilities 30
    Injection Vulnerabilities 30
    SQL Injection 30
    HTML Injection 32
    Command Injection 32
    Authentication-based Vulnerabilities 32
    Credential Brute Force Attacks and Password Cracking 33
    Session Hijacking 34
    Default Credentials 34
    Insecure Direct Object Reference Vulnerabilities 35
    Cross-site Scripting (XSS) 35
    Cross-site Request Forgery 37
    Cookie Manipulation Attacks 37
    Race Conditions 38
    Unprotected APIs 38
    Return-to-LibC Attacks and Buffer Overflows 39
    OWASP Top 10 40
    Security Vulnerabilities in Open Source Software 40
  Confidentiality, Integrity, and Availability 40
    What Is Confidentiality? 40
    What Is Integrity? 42
    What Is Availability? 43
    Talking About Availability, What Is a Denial-of-Service (DoS) Attack? 44
    Access Control Management 45
  Cloud Security Threats 47
    Cloud Computing Issues and Concerns 48
    Cloud Computing Attacks 50
    Cloud Computing Security 51
  IoT Security Threats 51
    IoT Protocols 53
    Hacking IoT Implementations 54
  An Introduction to Digital Forensics and Incident Response 55
    ISO/IEC 27002:2013 and NIST Incident Response Guidance 55
    What Is an Incident? 56
    False Positives, False Negatives, True Positives, and True Negatives 57
    Incident Severity Levels 58
    How Are Incidents Reported? 58

    What Is an Incident Response Program? 60
    The Incident Response Plan 60
    The Incident Response Process 61
    Tabletop Exercises and Playbooks 63
    Information Sharing and Coordination 64
    Computer Security Incident Response Teams 64
    Product Security Incident Response Teams (PSIRTs) 66
    The Common Vulnerability Scoring System (CVSS) 67
    National CSIRTs and Computer Emergency Response Teams (CERTs) 71
    Coordination Centers 72
    Incident Response Providers and Managed Security Service Providers (MSSPs) 73
    Key Incident Management Personnel 73
  Summary 74
  Exam Preparation Tasks 74
  Review All Key Topics 74
  Define Key Terms 76
  Review Questions 76
Chapter 2  Cryptography 78
  “Do I Know This Already?” Quiz 78
  Foundation Topics 80
  Introduction to Cryptography 80
    Ciphers 80
    Keys 81
    Block and Stream Ciphers 82
    Symmetric and Asymmetric Algorithms 82
    Hashes 84
    Hashed Message Authentication Code 86
    Digital Signatures 86
    Key Management 89
    Next-Generation Encryption Protocols 89
    IPsec 90
    SSL and TLS 91
  Fundamentals of PKI 93
    Public and Private Key Pairs 93
    More About Keys and Digital Certificates 93
    Certificate Authorities 94
    Root Certificates 95

    Identity Certificates 96
    X.500 and X.509v3 97
    Authenticating and Enrolling with the CA 98
    Public Key Cryptography Standards 99
    Simple Certificate Enrollment Protocol 99
    Revoking Digital Certificates 99
    Digital Certificates in Practice 100
    PKI Topologies 101
    Single Root CA 101
    Hierarchical CA with Subordinate CAs 101
    Cross-Certifying CAs 102
  Exam Preparation Tasks 102
  Review All Key Topics 102
  Define Key Terms 103
  Review Questions 103
Chapter 3  Software-Defined Networking Security and Network Programmability 106
  “Do I Know This Already?” Quiz 106
  Foundation Topics 108
  Introduction to Software-Defined Networking 108
    Traditional Networking Planes 109
    So What’s Different with SDN? 110
    Introduction to the Cisco ACI Solution 110
    VXLAN and Network Overlays 112
    Micro-Segmentation 115
    Open Source Initiatives 117
    More About Network Function Virtualization 118
    NFV MANO 119
    Contiv 120
    Cisco Digital Network Architecture (DNA) 121
    Cisco DNA Policies 123
    Cisco DNA Group-Based Access Control Policy 124
    Cisco DNA IP-Based Access Control Policy 126
    Cisco DNA Application Policies 126
    Cisco DNA Traffic Copy Policy 127
    Cisco DNA Center Assurance Solution 128
    Cisco DNA Center APIs 130
    Cisco DNA Security Solution 132

    Cisco DNA Multivendor Support 132
  Introduction to Network Programmability 132
    Modern Programming Languages and Tools 133
    DevNet 136
    Getting Started with APIs 136
    REST APIs 137
    Using Network Device APIs 139
    YANG Models 139
    NETCONF 141
    RESTCONF 143
    OpenConfig and gNMI 145
  Exam Preparation Tasks 146
  Review All Key Topics 146
  Define Key Terms 147
  Review Questions 147
Chapter 4  Authentication, Authorization, Accounting (AAA) and Identity Management 150
  “Do I Know This Already?” Quiz 151
  Foundation Topics 154
  Introduction to Authentication, Authorization, and Accounting 154
    The Principle of Least Privilege and Separation of Duties 155
    Authentication 155
    Authentication by Knowledge 156
    Authentication by Ownership or Possession 157
    Authentication by Characteristic 158
    Multifactor Authentication 159
    Duo Security 159
    Zero Trust and BeyondCorp 161
    Single Sign-On 164
    Authorization 167
    Mandatory Access Control (MAC) 168
    Discretionary Access Control (DAC) 168
    Role-Based Access Control (RBAC) 168
    Rule-Based Access Control 169
    Attribute-Based Access Control 169
    Accounting 169
  Infrastructure Access Controls 170
    Access Control Mechanisms 170

  AAA Protocols 172
    RADIUS 173
    TACACS 174
    Diameter 176
    802.1X 178
    Network Access Control List and Firewalling 180
    VLAN ACLs 181
    Security Group–Based ACL 181
    Downloadable ACL 181
  Cisco Identity Services Engine (ISE) 181
    Cisco Platform Exchange Grid (pxGrid) 182
    Cisco ISE Context and Identity Services 184
    Cisco ISE Profiling Services 184
    Cisco ISE Identity Services 187
    Cisco ISE Authorization Rules 188
    Cisco TrustSec 190
    Posture Assessment 192
    Change of Authorization (CoA) 193
  Configuring TACACS Access 196
  Configuring RADIUS Authentication 202
  Configuring 802.1X Authentication 205
  Additional Cisco ISE Design Tips 211
    Advice on Sizing a Cisco ISE Distributed Deployment 214
  Exam Preparation Tasks 214
  Review All Key Topics 214
  Define Key Terms 216
  Review Questions 216
Chapter 5  Network Visibility and Segmentation 220
  “Do I Know This Already?” Quiz 221
  Foundation Topics 224
  Introduction to Network Visibility 224
  NetFlow 225
    The Network as a Sensor and as an Enforcer 226
    What Is a Flow? 227
    NetFlow for Network Security and Visibility 229
    NetFlow for Anomaly Detection and DDoS Attack Mitigation 229
    Data Leak Detection and Prevention 231

    Incident Response, Threat Hunting, and Network Security Forensics 231
    Traffic Engineering and Network Planning 236
    NetFlow Versions 237
    IP Flow Information Export (IPFIX) 237
    IPFIX Architecture 238
    Understanding IPFIX Mediators 239
    IPFIX Templates 239
    Option Templates 241
    Understanding the Stream Control Transmission Protocol (SCTP) 241
    Exploring Application Visibility and Control and NetFlow 241
    Application Recognition 241
    Metrics Collection and Exporting 242
    NetFlow Deployment Scenarios 242
    NetFlow Deployment Scenario: User Access Layer 243
    NetFlow Deployment Scenario: Wireless LAN 244
    NetFlow Deployment Scenario: Internet Edge 245
    NetFlow Deployment Scenario: Data Center 246
    NetFlow Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs 248
  Cisco Stealthwatch 250
    Stealthwatch Cloud 251
    On-Premises Monitoring with Cisco Stealthwatch Cloud 256
    Cisco Stealthwatch Cloud Integration with Meraki and Cisco Umbrella 256
    Exploring the Cisco Stealthwatch On-Premises Appliances 256
    Threat Hunting with Cisco Stealthwatch 258
  Cisco Cognitive Threat Analytics (CTA) and Encrypted Traffic Analytics (ETA) 262
    What Is Cisco ETA? 262
    What Is Cisco Cognitive Threat Analytics? 262
  NetFlow Collection Considerations and Best Practices 268
    Determining the Flows per Second and Scalability 269
  Configuring NetFlow in Cisco IOS and Cisco IOS-XE 269
    Simultaneous Application Tracking 270
    Flexible NetFlow Records 271
    Flexible NetFlow Key Fields 271
    Flexible NetFlow Non-Key Fields 273
    NetFlow Predefined Records 274

    User-Defined Records 275
    Flow Monitors 275
    Flow Exporters 275
    Flow Samplers 275
    Flexible NetFlow Configuration 275
    Configure a Flow Record 276
    Configure a Flow Monitor for IPv4 or IPv6 278
    Configure a Flow Exporter for the Flow Monitor 280
    Apply a Flow Monitor to an Interface 282
    Flexible NetFlow IPFIX Export Format 283
  Configuring NetFlow in NX-OS 283
  Introduction to Network Segmentation 285
    Data-Driven Segmentation 286
    Application-Based Segmentation 288
    Micro-Segmentation with Cisco ACI 289
    Segmentation with Cisco ISE 290
    The Scalable Group Tag Exchange Protocol (SXP) 292
    SGT Assignment and Deployment 294
    Initially Deploying 802.1X and/or TrustSec in Monitor Mode 294
    Active Policy Enforcement 295
    Cisco ISE TrustSec and Cisco ACI Integration 298
  Exam Preparation Tasks 301
  Review All Key Topics 301
  Define Key Terms 302
  Review Questions 302
Chapter 6  Infrastructure Security 306
  “Do I Know This Already?” Quiz 307
  Foundation Topics 310
  Securing Layer 2 Technologies 310
    VLAN and Trunking Fundamentals 310
    What Is a VLAN? 311
    Trunking with 802.1Q 313
    Let’s Follow the Frame, Step by Step 315
    What Is the Native VLAN on a Trunk? 315
    So, What Do You Want to Be? (Asks the Port) 316
    Understanding Inter-VLAN Routing 316
    What Is the Challenge of Only Using Physical Interfaces? 316

    Using Virtual “Sub” Interfaces 316
    Spanning Tree Fundamentals 317
    The Solution to the Layer 2 Loop 318
    STP Is Wary of New Ports 321
    Improving the Time Until Forwarding 321
  Common Layer 2 Threats and How to Mitigate Them 322
    Do Not Allow Negotiations 323
    Layer 2 Security Toolkit 324
    BPDU Guard 324
    Root Guard 325
    Port Security 325
    CDP and LLDP 327
    DHCP Snooping 328
    Dynamic ARP Inspection 330
  Network Foundation Protection 332
    The Importance of the Network Infrastructure 332
    The Network Foundation Protection Framework 333
    Interdependence 333
    Implementing NFP 333
    Understanding and Securing the Management Plane 334
    Best Practices for Securing the Management Plane 334
    Understanding the Control Plane 336
    Best Practices for Securing the Control Plane 336
    Understanding and Securing the Data Plane 337
    Best Practices for Protecting the Data Plane 337
    Additional Data Plane Protection Mechanisms 338
  Securing Management Traffic 338
    What Is Management Traffic and the Management Plane? 338
    Beyond the Console Cable 339
    Management Plane Best Practices 339
    Password Recommendations 341
    Using AAA to Verify Users 342
    Router Access Authentication 342
    The AAA Method List 343
    Role-Based Access Control 344
    Custom Privilege Levels 344
    Limiting the Administrator by Assigning a View 344

    Encrypted Management Protocols 344
    Using Logging Files 345
    Understanding NTP 346
    Protecting Cisco IOS, Cisco IOS-XE, Cisco IOS-XR, and Cisco NX-OS Files 346
  Implementing Security Measures to Protect the Management Plane 347
    Implementing Strong Passwords 347
    User Authentication with AAA 349
    Using the CLI to Troubleshoot AAA for Cisco Routers 353
    RBAC Privilege Level/Parser View 356
    Implementing Parser Views 358
    SSH and HTTPS 360
    Implementing Logging Features 362
    Configuring Syslog Support 363
    Configuring NTP 363
    Securing the Network Infrastructure Device Image and Configuration Files 364
  Securing the Data Plane in IPv6 365
    Understanding and Configuring IPv6 365
    The Format of an IPv6 Address 367
    Understanding the Shortcuts 367
    Did We Get an Extra Address? 367
    IPv6 Address Types 368
    Configuring IPv6 Routing 370
    Moving to IPv6 372
    Developing a Security Plan for IPv6 372
    Best Practices Common to Both IPv4 and IPv6 372
    Threats Common to Both IPv4 and IPv6 373
    The Focus on IPv6 Security 374
    New Potential Risks with IPv6 375
    IPv6 Best Practices 376
    IPv6 Access Control Lists 377
  Securing Routing Protocols and the Control Plane 379
    Minimizing the Impact of Control Plane Traffic on the CPU 379
    Details about CoPP 380
    Details about CPPr 383
    Securing Routing Protocols 383

    Implementing Routing Update Authentication on OSPF 383
    Implementing Routing Update Authentication on EIGRP 384
    Implementing Routing Update Authentication on RIP 385
    Implementing Routing Update Authentication on BGP 386
  Exam Preparation Tasks 387
  Review All Key Topics 387
  Define Key Terms 389
  Review Questions 389
Chapter 7  Cisco Next-Generation Firewalls and Cisco Next-Generation Intrusion Prevention Systems 392
  “Do I Know This Already?” Quiz 392
  Foundation Topics 395
  Introduction to Cisco Next-Generation Firewalls (NGFW) and Next-Generation Intrusion Prevention Systems (NGIPS) 395
    Cisco Firewall History and Legacy 396
    Introducing the Cisco ASA 396
    The Cisco ASA FirePOWER Module 397
    Cisco Firepower Threat Defense (FTD) 397
    Cisco Firepower 1000 Series 397
    Cisco Firepower 2100 Series 397
    Cisco Firepower 4100 Series 398
    Cisco Firepower 9300 Series 399
    Cisco FTD for Cisco Integrated Services Routers (ISRs) 399
    Introduction to Cisco’s NGIPS 399
  Surveying the Cisco Firepower Management Center (FMC) 401
  Exploring the Cisco Firepower Device Manager (FDM) 404
  Cisco Defense Orchestrator 408
  Comparing Network Security Solutions That Provide Firewall Capabilities 411
  Deployment Modes of Network Security Solutions and Architectures That Provide Firewall Capabilities 412
    Routed vs. Transparent Firewalls 413
    Security Contexts 414
    Single-Mode Transparent Firewalls 414
    Surveying the Cisco FTD Deployment Modes 416
    Cisco FTD Interface Modes 417
    Inline Pair 420
    Inline Pair with Tap 420

    Passive Mode 420
    Passive with ERSPAN Mode 422
    Additional Cisco FTD Deployment Design Considerations 422
    High Availability and Clustering 423
    Clustering 425
  Implementing Access Control 427
    Implementing Access Control Lists in Cisco ASA 427
    Cisco ASA Application Inspection 433
    To-the-Box Traffic Filtering in the Cisco ASA 434
    Object Grouping and Other ACL Features 435
    Standard ACLs 436
    Time-Based ACLs 436
    ICMP Filtering in the Cisco ASA 437
    Network Address Translation in Cisco ASA 437
    Cisco ASA Auto NAT 443
    Implementing Access Control Policies in the Cisco Firepower Threat Defense 443
  Cisco Firepower Intrusion Policies 446
    Variables 449
    Platform Settings Policy 450
    Cisco NGIPS Preprocessors 450
  Cisco Advanced Malware Protection (AMP) 452
  Security Intelligence, Security Updates, and Keeping Firepower Software Up to Date 457
    Security Intelligence Updates 457
    Keeping Software Up to Date 458
  Exam Preparation Tasks 458
  Review All Key Topics 458
  Define Key Terms 460
  Review Questions 460
Chapter 8  Virtual Private Networks (VPNs) 464
  “Do I Know This Already?” Quiz 464
  Foundation Topics 467
  Virtual Private Network (VPN) Fundamentals
    An Overview of IPsec 470
    IKEv1 Phase 1 470
    IKEv1 Phas

