Network security has become more important than ever because of the need to deal with the increased number of network threats from worms and easy-to-use distributed denial of service (DDoS) tools. Today, companies can no longer afford to deal with network security in a reactionary mode due to the potential for severe financial and intellectual loss. For that reason, companies are investing in the security of their networks to provide a safe environment for their employees and customers. The Building Enhanced Cisco Security Networks course teaches how to create a network security policy, an often overlooked but vital part of any network security deployment, as well as deploy several emerging security technologies. In practical labs, students will build a dynamic multipoint VPN (DMVPN), set up High Availability for IPSec (IPSec-HA), identify the Path MTU of a nested IPSec tunnel, configure a site-to-site IPSec VPN for split tunneling, secure network management, configure VMS 2.2 for IDS management, and set up Identity-Based Network Services (IBNS) for a wireless environment. To test the students' understanding of the course materials, the final phase of the class will be a network attack in which various tools will be used to attempt to gain access to their networks.

Course Objectives

After completing this course the student should be able to:

• Given a network topology and network assessment from Cisco AS, develop and document a comprehensive security policy that fulfills all requirements of the network assessment.
• Given the security policy developed at the beginning of the class and a set of threat management criteria, document a threat response procedure that fulfills the requirements of the threat management criteria.
• Given a remote office network, configure a site-to-site IPSec VPN to the corporate core network.

Introduction

Developing a Network Security Policy

Configuring Site-to-Site IPSec VPNs with Split Tunneling

Understanding Fragmentation, Path MTU Discovery, and Recursive Routing

Deploying IPSec-High Availability (IPSec-HA)

Implementing Dynamic Multipoint VPN (DMVPN)

Deploying Identity-Based Networking Services (IBNS) for a Wireless Network

Securing Cisco Network Management

Configuring VMS 2.2 for IDS Management

Common Network Attack Mitigation Lab Outline

Developing a Network Security Policy

Create a Threat Response Procedure for the Network Security Policy

Configure Cisco IOS for Site-to-Site VPN using IPSec

Configure a Remote Office for Secure Split Tunneling

Identify Path MTU for an Established Site-to-Site IPSec VPN

Configure Stateless High Availability Between IPSec Routers

Configure Connectivity to a Stateful High Availability IPSec Redundant Pair

Configure a NHRP Spoke Router to Participate in a DMVPN

Configure Cisco IOS for SSH

Configure SNMP v2 and SNMP ACLs

Configure a Wireless Network for 802.1X Using Cisco Secure ACS

• Cisco IOS routers, routing fundamentals, and IP addressing knowledge covered in the Interconnecting Cisco Networking Devices (ICND) course, or equivalent experience; preferred knowledge source is CCNA certification (required)
• Managing Cisco Network Security (MCNS) 3.0 or equivalent experience with Cisco IOS-based security products (recommended)
• Cisco Secure PIX Firewall Advanced (CSPFA) 3.1 or equivalent experience with the configuration of Cisco Secure PIX firewalls (recommended)
• Cisco Secure Intrusion Detection System (CSIDS) 3.0 or equivalent experience configuring Cisco Secure IDS products (recommended)
• Cisco Secure Virtual Private Networks (CSVPN) 3.1 or equivalent experience configuring Cisco Secure VPN products (recommended)
• Aironet Wireless LAN Fundamentals (AWLF) 3.0 or equivalent experience configuring Cisco wireless products (recommended)

• Individuals who design security networks based on Cisco security products
• Individuals who implement end-to-end Cisco security services
• Individuals who deploy networks using Cisco security services