CCIE-Security-lab-3.0

CCIE Security Lab Exam v3.0 Checklist
Expansion of the Security Lab v3.0 Exam Topics (Blueprint)
Detailed Checklist of Topics to Be Covered

Please be advised that this topic checklist is not an all-inclusive list of Cisco CCIE Security lab exam subjects. Instead, we provide this outline as a supplement to the existing lab blueprint to help candidates prepare for their lab exams. Other relevant or related topics may also appear in the actual lab exam.

We would like to get your feedback; please comment and/or rate this document.

1.0 Implementing Secure Networks Using Cisco ASA Firewalls
Configuring and Troubleshooting Cisco ASA Firewalls

1.01. Initializing the Basic Cisco ASA Firewall (IP Address, Mask, Default Route, etc.)
1.02. Understanding Security Levels (Same Security Interface)
1.03. Understanding Single vs. Multimode
1.04. Understanding Firewall vs. Transparent Mode
1.05. Understanding Multiple Security Contexts
1.06. Understanding Shared Resources for Multiple Contexts
1.07. Understanding Packet Classification in Multiple-Contexts Mode
1.08. VLAN Subinterfaces Using 802.1Q Trunking
1.09. Multiple-Mode Firewall with Outside Access
1.10. Single-Mode Firewall Using the Same Security Level
1.11. Multiple-Mode, Transparent Firewall
1.12. Single-Mode, Transparent Firewall with NAT
1.13. ACLs in Transparent Firewall (for Pass-Through Traffic)
1.14. Understanding How Routing Behaves on the Adaptive Security Appliance (Egress and Next-Hop Selection Process)
1.15. Understanding Static vs. Dynamic Routing
1.16. Static Routes
1.17. RIP with Authentication
1.18. OSPF with Authentication
1.19. EIGRP with Authentication
1.20. Managing Multiple Routing Instances
1.21. Redistribution Between Protocols
1.22. Route Summarization
1.23. Route Filtering
1.24. Static Route Tracking Using an SLA
1.25. Dual ISP Support Using Static Route Tracking
1.26. Redundant Interface Pair
1.27. LAN-Based Active/Standby Failover (Routed Mode)
1.28. LAN-Based Active/Active Failover (Routed Mode)
1.29. LAN-Based Active/Standby Failover (Transparent Mode)
1.30. LAN-Based Active/Active Failover (Transparent Mode)
1.31. Stateful Failover Link
1.32. Device Access Management
1.33. Enabling Telnet
1.34. Enabling SSH
1.35. The nat-control Command vs. no nat-control Command
1.36. Enabling Address Translation (NAT, Global, and Static)
1.37. Dynamic NAT
1.38. Dynamic PAT
1.39. Static NAT
1.40. Static PAT
1.41. Policy NAT
1.42. Destination NAT
1.43. Bypassing NAT When NAT Control Is Enabled Using Identity NAT
1.44. Bypassing NAT When NAT Control Is Enabled Using NAT Exemption
1.45. Port Redirection Using NAT
1.46. Tuning Default Connection Limits and Timeouts
1.47. Basic Interface Access Lists and Access Group (Inbound and Outbound)
1.48. Time-Based Access Lists
1.49. ICMP Commands
1.50. Enabling Syslog and Parameters
1.51. NTP with Authentication
1.52. Object Groups (Network, Protocol, ICMP, and Services)
1.53. Nested Object Groups
1.54. URL Filtering
1.55. Java Filtering
1.56. ActiveX Filtering
1.57. ARP Inspection
1.58. Modular Policy Framework (MPF)
1.59. Application-Aware Inspection
1.60. Identifying Injected Errors in Troubleshooting Scenarios
1.61. Understanding and Interpreting Adaptive Security Appliance show and debug Outputs
1.62. Understanding and Interpreting the packet-tracer and capture Commands

2.0 Implementing Secure Networks Using Cisco IOS Firewalls
Configuring and Troubleshooting Cisco IOS Firewalls

2.01. Zone-Based Policy Firewall Using Multiple-Zone Scenarios
2.02. Transparent Cisco IOS Firewall (Layer 2)
2.03. Context-Based Access Control (CBAC)
2.04. Proxy Authentication (Auth Proxy)
2.05. Port-to-Application Mapping (PAM) Usage with ACLs
2.06. Use of PAM to Change System Default Ports
2.07. PAM Custom Ports for Specific Applications
2.08. Mapping Nonstandard Ports to Standard Applications
2.09. Performance Tuning
2.10. Tuning Half-Open Connections
2.11. Understanding and Interpreting the show ip port-map Commands
2.12. Understanding and Interpreting the show ip inspect Commands
2.13. Understanding and Interpreting the debug ip inspect Commands
2.14. Understanding and Interpreting the show zone|zone-pair Commands
2.15. Understanding and Interpreting the debug zone Commands

3.0 Implementing Secure Networks Using Cisco VPN Solutions
Configuring and Troubleshooting Cisco VPN Solutions

3.01. Understanding Cryptographic Protocols (ISAKMP, IKE, ESP, Authentication Header, CA)
3.02. IPsec VPN Architecture on Cisco IOS Software and Cisco ASA Security Appliance
3.03. Configuring VPNs Using ISAKMP Profiles
3.04. Configuring VPNs Using IPsec Profiles
3.05. GRE over IPsec Using IPsec Profiles
3.06. Router-to-Router Site-to-Site IPsec Using the Classical Command Set (Using Preshared Keys and Certificates)
3.07. Router-to-Router Site-to-Site IPsec Using the New VTI Command Set (Using Preshared Keys and Certificates)
3.08. Router-to-ASA Site-to-Site IPsec (Using Preshared Keys and Certificates)
3.09. Understanding DMVPN Architecture (NHRP, mGRE, IPsec, Routing)
3.10. DMVPN Using NHRP and mGRE (Hub-and-Spoke)
3.11. DMVPN Using NHRP and mGRE (Full-Mesh)
3.12. DMVPN Through Firewalls and NAT Devices
3.13. Understanding GET VPN Architecture (GDOI, Key Server, Group Member, Header Preservation, Policy, Rekey, KEK, TEK, and COOP)
3.14. Implementing GET VPN (Using Preshared Keys and Certificates)
3.15. GET VPN Unicast Rekey
3.16. GET VPN Multicast Rekey
3.17. GET VPN Group Member Authorization List
3.18. GET VPN Key Server Redundancy
3.19. GET VPN Through Firewalls and NAT Devices
3.20. Integrating GET VPN with a DMVPN Solution
3.21. Basic VRF-Aware IPsec
3.22. Enabling the CA (PKI) Server (on the Router and Cisco ASA Security Appliance)
3.23. CA Enrollment Process on a Router Client
3.24. CA Enrollment Process on a Cisco ASA Security Appliance Client
3.25. CA Enrollment Process on a PC Client
3.26. Clientless SSL VPN (Cisco IOS WebVPN) on the Cisco ASA Security Appliance (URLs)
3.27. AnyConnect VPN Client on Cisco IOS Software
3.28. AnyConnect VPN Client on the Cisco ASA Security Appliance
3.29. Remote Access Using a Traditional Cisco VPN Client on a Cisco IOS Router
3.30. Remote Access Using a Traditional Cisco VPN Client on a Cisco ASA Security Appliance
3.31. Cisco Easy VPN - Router Server and Router Client (Using DVTI)
3.32. Cisco Easy VPN - Router Server and Router Client (Using Classical Style)
3.33. Cisco Easy VPN - Cisco ASA Server and Router Client
3.34. Cisco Easy VPN Remote Connection Modes (Client, Network, Network+)
3.35. Enabling Extended Authentication (XAUTH) on Cisco IOS Software and the Cisco ASA Security Appliance
3.36. Enabling Split Tunneling on Cisco IOS Software and the Cisco ASA Security Appliance
3.37. Enabling Reverse Route Injection (RRI) on Cisco IOS Software and the Cisco ASA Security Appliance
3.38. Enabling NAT-T on Cisco IOS Software and the Cisco ASA Security Appliance
3.39. High-Availability Stateful Failover for IPsec with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP)
3.40. High Availability Using Link Resiliency (with Loopback Interface for Peering)
3.41. High Availability Using HSRP and RRI
3.42. High Availability Using IPsec Backup Peers
3.43. High Availability Using GRE over IPsec (Dynamic Routing)
3.44. Basic QoS Features for VPN Traffic on Cisco IOS Software and the Cisco ASA Security Appliance
3.45. Identifying Injected Errors in Troubleshooting Scenarios (for Site-to-Site, DMVPN, GET VPN, and Cisco Easy VPN)
3.46. Understanding and Interpreting the show crypto Commands
3.47. Understanding and Interpreting the debug crypto Commands

4.0 Configuring Cisco IPS to Mitigate Network Threats
Configuring and Troubleshooting Cisco IPS

4.01. Understanding Cisco IPS System Architecture (System Design, MainApp, SensorApp, EventStore)
4.02. Understanding Cisco IPS User Roles (Administrator, Operator, Viewer, Service)
4.03. Understanding Cisco IPS Command Modes (Privileged, Global, Service, Multi-Instance)
4.04. Understanding Cisco IPS Interfaces (Command and Control, Sensing, Alternate TCP Reset)
4.05. Understanding Promiscuous (IDS) vs. Inline (IPS) Monitoring
4.06. Initialization Basic Sensor (IP Address, Mask, Default Route, etc.)
4.07. Troubleshooting Basic Connectivity Issues
4.08. Managing Sensor ACLs
4.09. Allowing Services Ping and Telnet from/to Cisco IPS
4.10. Enabling Physical Interfaces
4.11. Promiscuous Mode
4.12. Inline Interface Mode
4.13. Inline VLAN Pair Mode
4.14. VLAN Group Mode
4.15. Inline Bypass Mode
4.16. Interface Notifications
4.17. Understanding the Analysis Engine
4.18. Creating Multiple Security Policies and Applying Them to Individual Virtual Sensors
4.19. Understanding and Configuring Virtual Sensors (vs0, vs1)
4.20. Assigning Interfaces to the Virtual Sensor
4.21. Understanding and Configuring Event Action Rules (rules0, rules1)
4.22. Understanding and Configuring Signatures (sig0, sig1)
4.23. Adding Signatures to Multiple Virtual Sensors
4.24. Understanding and Configuring Anomaly Detection (ad0, ad1)
4.25. Using the Cisco IDM (IPS Device Manager)
4.26. Using Cisco IDM Event Monitoring
4.27. Displaying Events Triggered Using the Cisco IPS Console
4.28. Troubleshooting Events Not Triggering
4.29. Displaying and Capturing Live Traffic on the Cisco IPS Console (Packet Display and Packet Capture)
4.30. SPAN and RSPAN
4.31. Rate Limiting
4.32. Configuring Event Action Variables
4.33. Target Value Ratings
4.34. Event Action Overrides
4.35. Event Action Filters
4.36. Configuring General Settings
4.37. General Signature Parameters
4.38. Alert Frequency
4.39. Alert Severity
4.40. Event Counter
4.41. Signature Fidelity Rating
4.42. Signature Status
4.43. Assigning Actions to Signatures
4.44. AIC Signatures
4.45. IP Fragment Reassembly
4.46. TCP Stream Reassembly
4.47. IP Logging
4.48. Configuring SNMP
4.49. Signature Tuning (Severity Levels, Throttle Parameters, Event Actions)
4.50. Creating Custom Signatures (Using the CLI and Cisco IDM)
4.51. Understanding Various Types of Signature Engines
4.52. Understanding Various Types of Signature Variables
4.53. Understanding Various Types of Event Actions
4.54. Understanding New Cisco IPS 6.0 Features (e.g., Deny Packets for High-Risk Events by Default)
4.55. Creating a Custom String TCP Signature
4.56. Creating a Custom Flood Engine Signature
4.57. Creating a Custom AIC MIME-Type Engine Signature
4.58. Creating a Custom Service HTTP Signature
4.59. Creating a Custom Service
4.60. Creating a Custom ATOMIC.ARP Engine Signature
4.61. Creating a Custom ATOMIC.IP Engine Signature
4.62. Creating a Custom TCP Sweep Signature
4.63. Creating a Custom ICMP Sweep Signature
4.64. Creating a Custom Trojan Engine Signature
4.65. Enabling Shunning and Blocking (Enabling Blocking Properties)
4.66. Shunning on a Router
4.67. Shunning on the Cisco ASA Security Appliance
4.68. Enabling the TCP Reset Function
4.69. Cisco IOS IPS on a Router Using Version 5.x Format Signatures
4.70. Loading a Version 5.x Signature into the Router
4.71. Understanding the Signature Engines for Cisco IOS IPS
4.72. Transparent Cisco IOS IPS

5.0 Implementing Identity Management
Configuring and Troubleshooting Identity Management

5.01. Understanding the AAA Framework
5.02. Understanding the RADIUS Protocol
5.03. Understanding RADIUS Attributes (Cisco AV-PAIRS)
5.04. Understanding the TACACS+ Protocol
5.05. Understanding TACACS+ Attributes
5.06. Comparison of RADIUS and TACACS+
5.07. Configuring Basic LDAP Support
5.08. Overview of Cisco Secure ACS
5.09. How to Navigate Cisco Secure ACS
5.10. Cisco Secure ACS - Network Settings Parameters
5.11. Cisco Secure ACS - User Settings Parameters
5.12. Cisco Secure ACS - Group Settings Parameters
5.13. Cisco Secure ACS - Shared Profiles Components (802.1X, NAF, NAR, Command Author, Downloadable ACL, etc.)
5.14. Cisco Secure ACS - Shell Command Authorization Sets Using Both Per-Group Setup and Shared Profiles
5.15. Cisco Secure ACS - System Configuration Parameters
5.16. Cisco Secure ACS - Posture Validation Policies for NAC Setup
5.17. Cisco Secure ACS - Using Network Access Profiles (NAPs)
5.18. Cisco Secure ACS - MAC Authentication Bypass (MAB) Using NAP
5.19. Enabling AAA on a Router for vty Lines
5.20. Enabling AAA on a Switch for vty Lines
5.21. Enabling AAA on a Router for HTTP
5.22. Enabling AAA on the Cisco ASA Security Appliance for Telnet and SSH Protocols
5.23. Using Default vs. Named Method Lists
5.24. Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles
5.25. Proxy Service Authentication and Authorization on the Cisco ASA Security Appliance for Pass-Through Traffic (FTP, Telnet, and HTTP), and Relevant Cisco Secure ACS Profiles
5.26. Using Virtual Telnet on the Cisco ASA Security Appliance
5.27. Using Virtual HTTP on the Cisco ASA Security Appliance
5.28. Downloadable ACLs
5.29. AAA 802.1X Authentication Using RADIUS on a Switch
5.30. NAC-L2-802.1X on a Switch
5.31. NAC-L2-IP on a Switch
5.32. Troubleshooting Failed AAA Authentication or Authorization
5.33. Troubleshooting Using Cisco Secure ACS Logs
5.34. Using the test aaa Command on the Router, Switch, or Cisco ASA Security Appliance
5.35. Understanding and Interpreting the debug radius Command
5.36. Understanding and Interpreting the debug tacacs+ Command
5.37. Understanding and Interpreting the debug aaa authentication Command
5.38. Understanding and Interpreting the debug aaa authorization Command
5.39. Understanding and Interpreting the debug aaa accounting Command

6.0 Implementing Control Plane and Management Plane Security
Configuring and Troubleshooting Router Traffic Plane Security

6.01. Understanding Four Types of Traffic Planes on a Cisco Router (Control, Management, Data, and Services)
6.02. Understanding Control Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Control Plane
6.03. Understanding Management Plane Security Technologies and Core Concepts Covering Security Features Available to Protect the Management Plane
6.04. Configuring Control Plane Policing (CoPP)
6.05. Control Plane Rate Limiting
6.06. Disabling Unused Control Plane Services (IP Source Routing, Proxy ARP, Gratuitous ARP, etc.)
6.07. Disabling Unused Management Plane Services (Finger, BOOTP, DHCP, Cisco Discovery Protocol, etc.)
6.08. MPP (Management Plane Protection) and Understanding OOB (Out-of-Band) Management Interfaces
6.09. Configuring Protocol Authentication
6.10. Route Filtering and Protocol-Specific Filters
6.11. ICMP Techniques to Reduce the Risk of ICMP-Related DoS Attacks (IP Unreachable, IP Redirect, IP Mask Reply, etc.)
6.12. Selective Packet Discard (SPD)
6.13. MQC and FPM Types of Service Policy on the CoPP Interface
6.14. Broadcast Control on a Switch
6.15. Catalyst Switch Port Security
6.16. Cisco IOS Software-Based CPU Protection Mechanisms (Options Drop, Logging Interval, CPU Threshold)
6.17. The Generalized TTL Security Mechanism Known as "BGP TTL Security Hack" (BTSH)
6.18. Device Access Control (vty ACL, HTTP ACL, SSH Access, Privilege Levels)
6.19. SNMP Security
6.20. System Banners
6.21. Secure Cisco IOS
6.22. Understanding and Enabling Syslog
6.23. NTP with Authentication
6.24. Role-Based CLI Views and Cisco Secure ACS Setup
6.25. Service Authentication on Cisco IOS Software (FTP, Telnet, HTTP)
6.26. Network Telemetry Identification and Classification of Security Events (IP Traffic Flow, NetFlow, SNMP, Syslog, RMON)

7.0 Configuring Advanced Security
Configuring and Troubleshooting Advanced Security Features

7.01. Implementing RFC 1918 Antispoofing Filtering
7.02. Implementing RFC 2827 Antispoofing Filtering
7.03. Implementing RFC 2401 Antispoofing Filtering
7.04. Marking Packets Using DSCP and IP Precedence and Other Values
7.05. Unicast RPF (uRPF) With or Without an ACL (Strict and Loose Mode)
7.06. RTBH Filtering (Remote Triggered Black Hole)
7.07. Basic Traffic Filtering Using Access Lists: SYN Flags, Established, etc. (Named vs. Numbered ACLs)
7.08. Managing Time-Based Access Lists
7.09. Enabling NAT and PAT on a Router
7.10. Conditional NAT on a Router
7.11. Multihome NAT on a Router
7.12. Enabling a TCP Intercept on a Router
7.13. Enabling a TCP Intercept on the Cisco ASA Security Appliance
7.14. FPM (Flexible Packet Matching) and Protocol Header Definition File (PHDF) Files and Configuration of Nested Policy Maps
7.15. CAR Rate Limiting with Traffic Classification Using ACLs
7.16. PBR (Policy-Based Routing) and Use of Route Maps
7.17. Advanced MQC (Modular QoS CLI) on a Router
7.18. Advanced Modular Policy Framework (MPF) on the Cisco ASA Security Appliance
7.19. Classification Using NBAR
7.20. Understanding and Enabling NetFlow on a Router
7.21. Traffic Policing on a Router
7.22. Port Security on
