CCIE Security Lab Exam Checklist v4.0

    CCIE Security Lab Exam v4.0 Checklist

    Expansion of the Security Lab v4.0 Exam Topics
    Detailed Checklist of Topics to Be Covered

     

    Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.

     

    We would like your feedback: please comment on and/or rate this document.

     

    1. System Hardening and Availability

    Implement, Optimize, Troubleshoot, IPv4/IPv6 Content


    Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)

    Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane

    Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane

    Configuring Control Plane Policing (CoPP)

    Control Plane Rate Limiting

    Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)

    Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)

    MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces

    Configuring Routing Protocol Authentication

    Route Filtering and Protocol-Specific Filters

    ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect, IP Mask Reply, etc.)

    Selective Packet Discard (SPD)

    MQC and FPM Types of Service Policy on the CoPP Interface

    Broadcast Control on a Switch

    Catalyst Switch Port Security

    IPv6 Selective Packet Discard

    Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)

    The Generalized TTL Security Mechanism (GTSM, RFC 5082), Also Known as the "BGP TTL Security Hack" (BTSH)

    Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)

    SNMP Security

    System Banners

    Secure Cisco IOS File Systems

    Understanding and Enabling Syslog

    NTP with Authentication

    Role-Based CLI Views and Cisco Secure ACS Setup

    Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)

    Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, SNMP, Syslog, RMON)
    2. Threat Identification and Mitigation

    Implement, Optimize, Troubleshoot, IPv4/IPv6 Content


    Implementing RFC 1918 Antispoofing Filtering

    Implementing RFC 2827 Antispoofing Filtering

    Implementing RFC 3704 (BCP 84) Antispoofing Filtering for Multihomed Networks (note: RFC 2401 is the IPsec security architecture, not an antispoofing RFC)

    Enabling a TCP Intercept on a Router

    Enabling a TCP Intercept on the Cisco ASA Security Appliance

    FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps

    Classification Using NBAR

    Understanding and Enabling NetFlow on a Router

    Port Security on a Switch

    Storm Control on a Switch

    Private VLAN (PVLAN) on a Switch

    Port Blocking on a Switch

    Port ACL on a Switch

    MAC ACL on a Switch

    VLAN ACL on a Switch

    Spanning Tree Protocol (STP) Protection Using BPDU Guard and Loop Guard on a Switch

    DHCP Snooping on a Switch

    IP Source Guard on a Switch

    Dynamic ARP Inspection (DAI) on a Switch

    SeND for ND Protection

    IPv6 First Hop Security

    Disabling DTP on All Nontrunking Access Ports

    Concept of Proactive vs. Reactive Measures

    Knowledge of Protocols: TCP, UDP, HTTP, SMTP, ICMP, FTP

    Knowledge of Common Attacks: Network Reconnaissance, IP Spoofing, DHCP Spoofing, DNS Spoofing, MAC Spoofing, ARP Spoofing, Fragment Attack, Smurf Attack, TCP SYN Attack

    Understanding and Interpreting ARP Header Structure

    Understanding and Interpreting IP Header Structure

    Understanding and Interpreting TCP Header Structure

    Understanding and Interpreting UDP Header Structure

    Understanding and Interpreting HTTP Header Structure

    Understanding and Interpreting ICMP Header structure

    Understanding and Interpreting ICMP Type Name and Codes

    Understanding and Interpreting Syslog Messages

    Understanding and Interpreting Packet Capture Outputs (Sniffer, Wireshark (formerly Ethereal), tcpdump)

    Understanding Different Types of Attack Vectors

    Interpreting Various show and debug Outputs

    Classifying Attack Patterns Using FPM

    Memorizing Common Protocol and Port Numbers

    Preventing an ICMP Attack Using ACLs

    Preventing an ICMP Attack Using NBAR

    Preventing an ICMP Attack Using Policing

    Preventing an ICMP Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance

    Preventing a SYN Attack Using ACLs

    Preventing a SYN Attack Using NBAR

    Preventing a SYN Attack Using Policing

    Preventing a SYN Attack Using CBAC

    Preventing a SYN Attack Using CAR

    Preventing a SYN Attack Using a TCP Intercept

    Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance

    Preventing Application Protocol–Specific Attacks Using FPM (e.g., HTTP, SMTP)

    Preventing Application Protocol–Specific Attacks Using NBAR (e.g., HTTP, SMTP)

    Preventing Application Protocol–Specific Attacks Using the Modular Policy Framework (MPF) on the Cisco ASA Security Appliance (e.g., HTTP, SMTP)

    Preventing IP Spoofing Attacks Using Antispoofing ACLs

    Preventing IP Spoofing Attacks Using uRPF

    Preventing IP Spoofing Attacks Using IP Source Guard

    Preventing Fragment Attacks Using ACLs

    Preventing MAC Spoofing Attacks Using Port Security

    Preventing ARP Spoofing Attacks Using DAI

    Preventing VLAN Hopping Attacks Using the switchport mode access Command

    Preventing STP Attacks Using the Root Guard or BPDU Guard

    Preventing DHCP Starvation Attacks Using Port Security (limits the MAC addresses a port may source)

    Preventing DHCP Spoofing (Rogue Server) Attacks Using DHCP Snooping (DAI and IP Source Guard depend on the binding table it builds)

    Preventing Port Redirection Attacks Using ACLs
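    Worked example, added to this checklist (not Cisco's text): the Layer 2 mitigations above on one access switch, followed by the router-side antispoofing items (RFC 1918 and RFC 2827 filtering, uRPF, TCP intercept). The switch part shows the dependency order that matters in the lab: DHCP snooping first, then DAI and IP Source Guard, which both validate against the snooping binding table. VLAN, interface numbers and the 198.51.100.0/24 "own prefix" are placeholders; Catalyst 3560/3750-style syntax is assumed.

```cisco
! ===== Access switch: DHCP snooping builds the binding table that DAI and
! ===== IP Source Guard then enforce; port security bounds MACs per port
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
spanning-tree loopguard default
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Only the uplink is trusted for DHCP server replies and unvalidated ARP
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports: no DTP, BPDU guard, two MACs max, IPSG, ARP and storm rate limits
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 ip verify source port-security
 ip arp inspection limit rate 15
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 switchport block unicast
!
! ===== Edge router: RFC 1918/bogon ingress filter, RFC 2827 egress filter, uRPF, TCP intercept
ip access-list extended EDGE-IN
 remark private, loopback and 0/8 sources never legitimately arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 remark nor does our own prefix
 deny   ip 198.51.100.0 0.0.0.255 any
 permit ip any any
ip access-list extended EDGE-OUT
 remark RFC 2827 egress: only our prefix may leave; log anything else
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
interface GigabitEthernet0/0
 description to ISP
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
! loose uRPF toward the ISP (routing is asymmetric there); allow-default is needed
! because uRPF ignores the default route otherwise, and Null0 routes (RTBH) still drop
 ip verify unicast source reachable-via any allow-default
interface GigabitEthernet0/1
 description to LAN
! strict uRPF toward the LAN: the source must be reachable back out this interface
 ip verify unicast source reachable-via rx
!
! TCP intercept: the router answers the SYN and only hands the server a completed handshake
ip access-list extended INTERCEPT-SERVERS
 permit tcp any 198.51.100.0 0.0.0.255
ip tcp intercept list INTERCEPT-SERVERS
ip tcp intercept mode intercept
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
```

    Verify with show ip dhcp snooping binding, show ip arp inspection vlan 10, show ip verify source, show port-security interface, show ip interface GigabitEthernet0/1 | include verify, and show tcp intercept statistics. Port security violation "restrict" keeps the port up and counts the offending frames, which is what you want while the binding table is still filling; "shutdown" plus errdisable recovery is the stricter alternative.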
    3. Intrusion Prevention and Content Security

    Implement, Optimize, Troubleshoot, IPv4/IPv6 Content


    Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)

    Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)

    Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)

    Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)

    Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring

    Initializing the Basic Sensor (IP Address, Mask, Default Route, etc.)

    Troubleshooting Basic Connectivity Issues

    Managing Sensor ACLs

    Allowing Ping and Telnet Services to/from the Cisco IPS

    Enabling Physical Interfaces

    Promiscuous Mode

    Inline Interface Mode

    Inline VLAN Pair Mode

    VLAN Group Mode

    Inline Bypass Mode

    Interface Notifications

    Understanding the Analysis Engine

    Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors

    Understanding and Configuring Virtual Sensors (vs0, vs1)

    Assigning Interfaces to the Virtual Sensor

    Understanding and Configuring Event Action Rules (rules0, rules1)

    Understanding and Configuring Signatures (sig0, sig1)

    Adding Signatures to Multiple Virtual Sensors

    Understanding and Configuring Anomaly Detection (ad0, ad1)

    Using the Cisco IDM (IPS Device Manager)

    Using Cisco IDM Event Monitoring

    Displaying Events Triggered Using the Cisco IPS Console

    Troubleshooting Events Not Triggering

    Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)

    SPAN and RSPAN

    Rate Limiting

    Configuring Event Action Variables

    Target Value Ratings

    Event Action Overrides

    Event Action Filters

    Configuring General Settings

    General Signature Parameters

    Alert Frequency

    Alert Severity

    Event Counter

    Signature Fidelity Rating

    Signature Status

    Assigning Actions to Signatures

    AIC Signatures

    IP Fragment Reassembly

    TCP Stream Reassembly

    IP Logging

    Configuring SNMP

    Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)

    Creating Custom Signatures (Using the CLI and Cisco IDM)

    Understanding Various Types of Signature Engines

    Understanding Various Types of Signature Variables

    Understanding Various Types of Event Actions

    Creating a Custom String TCP Signature

    Creating a Custom Flood Engine Signature

    Creating a Custom AIC MIME-Type Engine Signature

    Creating a Custom Service HTTP Signature

    Creating a Custom Service FTP Signature

    Creating a Custom ATOMIC.ARP Engine Signature

    Creating a Custom ATOMIC.IP Engine Signature

    Creating a Custom TCP Sweep Signature

    Creating a Custom ICMP Sweep Signature

    Creating a Custom Trojan Engine Signature

    Enabling Shunning and Blocking (Enabling Blocking Properties)

    Enabling the TCP Reset Function

    Configuring the Cisco IronPort Web Security Appliance (WSA)

    Configuring WCCP

    Active Directory Integration

    Custom Categories

    HTTPS Configuration

    Services Configuration (Web Reputation)

    Configuring Proxy Bypass Lists

    Web Proxy Modes (Explicit Forward and Transparent)

    Application Visibility and Control (AVC)
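    Worked example, added to this checklist (not Cisco's text), covering the sensor items above: a SPAN session feeding a promiscuous sensing port, the sensor-side interface and virtual-sensor assignment, and a custom STRING.TCP signature built from the CLI with the parameters the list names (severity, fidelity rating, event actions, status). Lines beginning with "!" are annotations, not sensor commands; the sensor prompts are shown because each service block must be exited and applied before the next one. Interface names, the signature ID, the regex and the switch ports are placeholders.

```cisco
! ---- Catalyst: mirror VLAN 10 to the sensor's sensing port (promiscuous/IDS deployment)
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet1/0/23
!
! ---- Sensor CLI: enable the sensing port, give it to vs0, then add a signature
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
! Custom STRING.TCP signature: "root" typed at a Telnet login (client-to-server direction).
! The engine reassembles the TCP stream, so the regex still matches when Telnet sends one
! character per segment. Custom signature IDs start at 60000.
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 60000 0
sensor(config-sig-sig)# alert-severity high
sensor(config-sig-sig)# sig-fidelity-rating 75
sensor(config-sig-sig)# sig-description
sensor(config-sig-sig-sig)# sig-name Telnet-root-login
sensor(config-sig-sig-sig)# sig-string-info root login attempt over Telnet
sensor(config-sig-sig-sig)# exit
sensor(config-sig-sig)# engine string-tcp
sensor(config-sig-sig-str)# event-action produce-alert|deny-packet-inline
sensor(config-sig-sig-str)# regex-string [Rr][Oo][Oo][Tt][\r\n]
sensor(config-sig-sig-str)# service-ports 23
sensor(config-sig-sig-str)# direction to-service
sensor(config-sig-sig-str)# exit
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
! deny-packet-inline only takes effect in inline mode; in promiscuous mode the sensor
! can only alert, send TCP resets, or ask a router/ASA to block (shunning).
sensor# show events alert high
sensor# packet display GigabitEthernet0/1 expression port 23
```

    When an expected alert does not fire, the check order is: does packet display on the sensing port show the traffic at all (SPAN problem), is the interface assigned to the virtual sensor that holds the signature definition (service analysis-engine), and is the signature enabled and not retired (status block). A retired signature is not even loaded into the engine, so no amount of traffic will trigger it.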
    4. Identity Management

    Implement, Optimize, Troubleshoot, IPv4/IPv6 Content


    Understanding the AAA Framework

    Understanding the RADIUS Protocol

    Understanding RADIUS Attributes (Cisco AV-PAIRS)

    Understanding the TACACS+ Protocol

    Understanding TACACS+ Attributes

    Comparison of RADIUS and TACACS+

    Configuring Basic LDAP Support

    Overview of Cisco Secure ACS

    How to Navigate Cisco Secure ACS

    Cisco Secure ACS – Network Settings Parameters

    Cisco Secure ACS – User Settings Parameters

    Cisco Secure ACS – Group Settings Parameters

    Cisco Secure ACS – Shared Profiles Components (802.1X, NAF, NAR, Command Author, Downloadable ACL, etc.)

    Cisco Secure ACS – Shell Command Authorization Sets Using Both Per-Group Setup and Shared Profiles

    Cisco Secure ACS – System Configuration Parameters

    Enabling AAA on a Router for vty Lines

    Enabling AAA on a Switch for vty Lines

    Enabling AAA on a Router for HTTP

    Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols

    Using Default vs. Named Method Lists

    Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles

    Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through (Cut-Through) Traffic (FTP, Telnet, and HTTP), and Relevant Cisco ISE Profiles

    Using Virtual Telnet on the Cisco ASA Security Appliance

    Using Virtual HTTP on the Cisco ASA Security Appliance

    Downloadable ACLs

    AAA 802.1X Authentication Using RADIUS on a Switch

    NAC-L2-802.1X on a Switch

    NAC-L2-IP on a Switch

    Troubleshooting Failed AAA Authentication or Authorization

    Troubleshooting Using Cisco Secure ACS Logs

    Cisco Identity Services Engine (ISE) Configuration and Initialization

    ISE Authorization Result Handling

    ISE Profiling Configuration (Probes)

    ISE Guest Services

    ISE Posture Assessment

    ISE Client Provisioning (CPP)

    ISE Active Directory Integration and Identity Sources

    ISE Support for 802.1X

    ISE MAB Support

    ISE Web Auth Support

    ISE Definition and Support for Vendor-Specific Attributes (VSAs)

    Support for MAB in Cisco IOS

    Support for Web Auth in Cisco IOS

    Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance

    Understanding and Interpreting the debug radius Command

    Understanding and Interpreting the debug tacacs+ Command

    Understanding and Interpreting the debug aaa authentication Command

    Understanding and Interpreting the debug aaa authorization Command

    Understanding and Interpreting the debug aaa accounting Command
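    Worked example, added to this checklist (not Cisco's text): the two AAA configurations the list keeps returning to. First, TACACS+ device administration with named method lists, per-command authorization and local fallback; second, 802.1X on an access port with MAB as the next method and RADIUS to ISE. Server addresses (192.0.2.20 for ACS, 192.0.2.30 for ISE), shared keys, the local account and VLAN numbers are placeholders.

```cisco
! ---- TACACS+ for device administration: per-command authorization, local fallback
aaa new-model
tacacs server ACS1
 address ipv4 192.0.2.20
 key TACACS-EXAMPLE-KEY
aaa group server tacacs+ ACS-GROUP
 server name ACS1
username admin privilege 15 secret LOCAL-EXAMPLE-PASSWORD
! console stays local so a dead AAA server cannot lock you out of the box
aaa authentication login CONSOLE local
aaa authentication login VTY-AUTH group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
aaa authorization exec VTY-AUTHZ group ACS-GROUP local if-authenticated
aaa authorization commands 1 VTY-AUTHZ group ACS-GROUP local if-authenticated
aaa authorization commands 15 VTY-AUTHZ group ACS-GROUP local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 1 VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
 accounting exec default
 accounting commands 15 default
 transport input ssh
!
! ---- RADIUS to ISE: 802.1X on an access port, MAB fallback for printers and phones
radius server ISE1
 address ipv4 192.0.2.30 auth-port 1812 acct-port 1813
 key RADIUS-EXAMPLE-KEY
aaa group server radius ISE-GROUP
 server name ISE1
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
! needed so the switch accepts downloadable ACLs and other VSAs in the Access-Accept
radius-server vsa send authentication
dot1x system-auth-control
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
```

    Useful checks: test aaa group ACS-GROUP admin LOCAL-EXAMPLE-PASSWORD new-code sends a real authentication to the server and prints the reply attributes; debug aaa authentication together with debug tacacs shows which method in the list answered; show authentication sessions interface GigabitEthernet1/0/5 shows which method (dot1x or mab) won and what the server returned. Command authorization does not apply to the console unless aaa authorization console is configured, which is deliberate here.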
    5. Perimeter Security and Services

    Implement, Optimize, Troubleshoot, IPv4/IPv6 Content


    Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)

    Understanding Security Levels (Same Security Interface)

    Understanding Single vs. Multimode

    Understanding Routed vs. Transparent Firewall Mode

    Understanding Multiple Security Contexts

    Understanding Shared Resources for Multiple Contexts

    Understanding Packet Classification in Multiple-Contexts Mode

    VLAN Subinterfaces Using 802.1Q Trunking

    Multiple-Mode Firewall with Outside Access

    Single-Mode Firewall Using the Same Security Level

    Multiple-Mode, Transparent Firewall

    Single-Mode, Transparent Firewall with NAT

    ACLs in Transparent Firewall (for Pass-Through Traffic)

    Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)

    Understanding Static vs. Dynamic Routing

    Static Routes

    RIP with Authentication

    OSPF with Authentication

    EIGRP with Authentication

    Managing Multiple Routing Instances

    Redistribution Between Protocols

    Route Summarization

    Route Filtering

    Static Route Tracking Using an SLA

    Dual ISP Support Using Static Route Tracking

    Redundant Interface Pair

    LAN-Based Active/Standby Failover (Routed Mode)

    LAN-Based Active/Active Failover (Routed Mode)

    LAN-Based Active/Standby Failover (Transparent Mode)

    LAN-Based Active/Active Failover (Transparent Mode)

    Stateful Failover Link

    Device Access Management

    Enabling Telnet

    Enabling SSH

    The nat-control Command vs. no nat-control Command

    Enabling Address Translation (NAT, Global, and Static) Pre & Post 8.4

    NAT Objects

    Context-Aware Firewall

    Identity Firewall

    Using ASDM and Cisco Prime

    Policy NAT

    Destination NAT

    Bypassing NAT When NAT Control Is Enabled Using Identity NAT

    Bypassing NAT When NAT Control Is Enabled Using NAT Exemption

    Port Redirection Using NAT

    Tuning Default Connection Limits and Timeouts

    Basic Interface Access Lists and Access Group (Inbound and Outbound)

    Time-Based Access Lists

    ICMP Commands

    Enabling Syslog and Parameters

    NTP with Authentication

    Object Groups (Network, Protocol, ICMP, and Services)

    Nested Object Groups

    URL Filtering

    Java Filtering

    ActiveX Filtering

    ARP Inspection

    Modular Policy Framework (MPF)

    Application-Aware Inspection

    Identifying Injected Errors in Troubleshooting Scenarios

    Understanding and Interpreting Adaptive Security Appliance show and debug Outputs

    Understanding and Interpreting the packet-tracer and capture Commands
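    Worked example, added to this checklist (not Cisco's text), for the ASA items above on an 8.4-style configuration: three interfaces with security levels, object NAT (dynamic PAT, one-to-one static, port redirection), twice NAT used as the post-8.3 replacement for NAT exemption, an outside ACL written in real addresses, and an MPF class that caps embryonic connections toward a DMZ host. Addresses are from the documentation ranges and the factory default global_policy with its inspection_default class is assumed to exist.

```cisco
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! 8.3+/8.4 NAT hangs off network objects; nat/global/static are gone
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 10.2.2.0 255.255.255.0
object network DMZ-WEB
 host 10.2.2.10
 nat (dmz,outside) static 203.0.113.3
object network DMZ-SSH
 host 10.2.2.20
 nat (dmz,outside) static interface service tcp 22 2222
! identity twice NAT: inside<->dmz stays untranslated (the 8.4 form of "nat 0 access-list")
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! ACLs on 8.3+ reference REAL addresses and ports, not the translated ones
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB object-group WEB-PORTS
access-list OUTSIDE-IN extended permit tcp any object DMZ-SSH eq ssh
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! MPF: cap half-open connections toward the DMZ web server so a SYN flood
! exhausts this class's budget on the ASA instead of the server's backlog
access-list DMZ-PROTECT extended permit tcp any object DMZ-WEB
class-map DMZ-SERVERS
 match access-list DMZ-PROTECT
policy-map global_policy
 class DMZ-SERVERS
  set connection embryonic-conn-max 200 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:20
 class inspection_default
  inspect http
!
! Verify the way a troubleshooting task is graded: trace a synthetic inbound SYN
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.3 80
show nat detail
show xlate
```

    packet-tracer walks the packet through the access-list, NAT and inspection phases and names the first phase that drops it, which is the quickest way to find an injected error such as an ACL still written in translated addresses. Once embryonic-conn-max is exceeded the ASA proxies the three-way handshake itself (TCP intercept) and only opens the server-side connection for clients that complete it.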

    Cisco IOS Firewalls

    Zone-Based Policy Firewall Using Multiple-Zone Scenarios

    User-Based Firewall

    Secure-Group Firewall

    Transparent Cisco IOS Firewall (Layer 2)

    Context-Based Access Control (CBAC)

    Proxy Authentication (Auth Proxy)

    Port-to-Application Mapping (PAM) Usage with ACLs

    Use of PAM to Change System Default Ports

    PAM Custom Ports for Specific Applications

    Mapping Nonstandard Ports to Standard Applications

    Performance Tuning

    Tuning Half-Open Connections

    Understanding and Interpreting the show ip port-map Commands

    Understanding and Interpreting the show ip inspect Commands

    Understanding and Interpreting the debug ip inspect Commands

    Understanding and Interpreting the show zone|zone-pair Commands

    Understanding and Interpreting the debug zone Commands
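    Worked example, added to this checklist (not Cisco's text), for the zone-based policy firewall items above: three zones, inspect policies for inside-to-outside and outside-to-DMZ, a parameter map that limits half-open connections per host, and a zone-pair to the self zone, which is the part candidates forget. Zone names, addresses and the DMZ host are placeholders.

```cisco
zone security INSIDE
zone security OUTSIDE
zone security DMZ
interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security DMZ
!
! INSIDE -> OUTSIDE: inspect what users start; the session table, not an ACL, admits the replies
class-map type inspect match-any IN-OUT-APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
 match protocol icmp
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-APPS
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
!
! OUTSIDE -> DMZ: only HTTP to one host, with a per-host half-open cap
ip access-list extended DMZ-WEB-HOSTS
 permit ip any host 10.2.2.10
parameter-map type inspect DMZ-PARAMS
 tcp max-incomplete host 50 block-time 1
class-map type inspect match-all OUT-DMZ-WEB
 match access-group name DMZ-WEB-HOSTS
 match protocol http
policy-map type inspect OUT-DMZ-POLICY
 class type inspect OUT-DMZ-WEB
  inspect DMZ-PARAMS
 class class-default
  drop log
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUT-DMZ-POLICY
!
! self zone: with no zone-pair to or from self, traffic to the router ITSELF is not
! filtered at all. Restrict management sessions that terminate on the router.
! (If a routing protocol runs on the inside interface, add it to this class or it is dropped.)
ip access-list extended MGMT-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
class-map type inspect match-all MGMT-TO-ROUTER
 match access-group name MGMT-HOSTS
 match protocol ssh
policy-map type inspect IN-SELF-POLICY
 class type inspect MGMT-TO-ROUTER
  inspect
 class class-default
  drop log
zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect IN-SELF-POLICY
!
show zone-pair security
show policy-map type inspect zone-pair sessions
```

    Two behaviours to keep in mind when a task says "allow X and nothing else": traffic between two interfaces in the same zone is permitted without any policy, and an interface that belongs to no zone cannot exchange traffic with an interface that does. debug zone and the drop log entries from class-default tell you which zone-pair a flow was evaluated against.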

    Cisco IOS Services

    Marking Packets Using DSCP and IP Precedence and Other Values

    Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)

    RTBH Filtering (Remote Triggered Black Hole)

    Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)

    Managing Time-Based Access Lists

    Enabling NAT and PAT on a Router

    Conditional NAT on a Router

    Multihome NAT on a Router

    CAR Rate Limiting with Traffic Classification Using ACLs

    PBR (Policy-Based Routing) and Use of Route Maps

    Traffic Policing on a Router

    Traffic Characterization

    Packet Classification

    Packet-Marking Techniques
    6. Confidentiality and Secure Access

    Implement, Optimize, Troubleshoot, IPv4/IPv6 Content


    Understanding Cryptographic Protocols (ISAKMP, IKEv1 and IKEv2, ESP, Authentication Header, CA)

    IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance

    Configuring VPNs Using ISAKMP Profiles

    Configuring VPNs Using IPsec Profiles

    GRE over IPsec Using IPsec Profiles

    Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)

    Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)

    Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)

    Understanding DMVPN architecture (NHRP, mGRE, IPsec, Routing)

    DMVPN Using NHRP and mGRE (Hub-and-Spoke)

    DMVPN Using NHRP and mGRE (Full-Mesh)

    DMVPN Through Firewalls and NAT Devices

    Understanding GETVPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)

    Implementing GETVPN (Using Preshared Keys and Certificates)

    GETVPN Unicast Rekey

    GETVPN Multicast Rekey

    GETVPN Group Member Authorization List

    GETVPN Key Server Redundancy

    GETVPN Through Firewalls and NAT Devices

    Integrating GET VPN with a DMVPN Solution

    Basic VRF-Aware IPsec

    Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)

    CA Enrollment Process on a Router Client

    CA Enrollment Process on a Cisco ASA Security Appliance Client

    CA Enrollment Process on a PC Client

    Clientless SSL VPN (WebVPN) on Cisco IOS Software and the Cisco ASA Security Appliance (URL Lists)

    AnyConnect VPN Client on Cisco IOS Software

    AnyConnect VPN Client on the Cisco ASA Security Appliance

    Remote Access Using a Traditional Cisco VPN Client – on a Cisco IOS Router

    Remote Access Using a Traditional Cisco VPN Client – on a Cisco ASA Security Appliance

    Cisco Easy VPN – Router Server and Router Client (Using DVTI)

    Cisco Easy VPN – Router Server and Router Client (Using Classical Style)

    Cisco Easy VPN – Cisco ASA Server and Router Client

    Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)

    Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance

    Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance

    Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance

    Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance

    High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)

    High Availability Using Link Resiliency (with Loopback Interface for Peering)

    High Availability Using HSRP and RRI

    High Availability Using IPsec Backup Peers

    High Availability Using GRE over IPsec (Dynamic Routing)

    Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance

    Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)

    Understanding and Interpreting the show crypto Commands

    Understanding and Interpreting the debug crypto Commands

    AnyConnect VPN, Including Dynamic Access Policy (DAP) Support

    MACsec (Switch-to-Switch, Host-to-Switch)

    Wireless Security on AP and WLC

    EAP Methods

    WPA/WPA2

    WIPS (Wireless Intrusion Prevention System)