The course contains 16 hours of comprehensive training, covering physical installation, mitigation methods for common network attacks, mitigation methods for Worm, Virus, and Trojan Horse attacks, the secure network lifecycle, security needs, security policy and the Cisco Self Defending Network architecture, all on the first day alone.
The latter half of the course is just as strong: it covers Cisco routers, with an introduction to ASA, PIX firewall and network security, and the modular policy framework, with an advanced study of configuring the PIX Security Appliance, remote access using Cisco Easy VPN, and the Firewall Services Module. An added advantage is free lab access after completion of the course.
Course Contents (16 sessions of 3 hrs each)
security threats facing modern network infrastructures • physical installation • mitigation methods for common network attacks • mitigation methods for Worm, Virus, and Trojan Horse attacks • secure network lifecycle • security needs, security policy • Cisco Self Defending Network architecture
Secure Cisco routers • SDM Security Audit feature • One-Step Lockdown to secure a Cisco router • setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements • configuring multiple privilege levels • configuring role-based CLI • Secure the Cisco IOS image and configuration file
AAA using Cisco routers • functions and importance of AAA • TACACS+ and RADIUS AAA protocols • authentication, provide access to the router (character mode)
Mitigate threats to Cisco routers and networks using ACLs • standard, extended, and named IP ACLs used by routers to filter packets • Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI • Configure IP ACLs to prevent IP address spoofing using CLI
Secure network management and reporting • secure management and reporting of network devices • configure SSH on Cisco routers to enable secured management access • configure Cisco routers to send Syslog messages to a Syslog server • SNMPv3 and NTPv3
Mitigate common Layer 2 attacks • Layer 2 attacks, VLAN hopping, STP attacks, ARP spoofing, MAC spoofing, CAM overflow • Cisco Catalyst switches (IBNS, PVLAN, SPAN port) • common threats to WLANs • security features of the 802.11 protocol
Cisco IOS firewall feature set using SDM • firewall technologies • stateful firewall operations and the function of the state table • types of NAT that can be implemented in a firewall • Configure and verify basic and advanced firewall on a Cisco router using SDM
Cisco IOS IPS feature set using SDM • network based vs. host based intrusion detection and prevention • IPS technologies, attack responses, and monitoring options • Enable and verify Cisco IOS IPS operations using SDM
IPsec VPN on Cisco routers using SDM • IKE protocol functionality and phases • IPsec and the security functions it provides • hash-based message authentication code (HMAC) operations • different methods of encryption • purpose of the Diffie-Hellman key agreement protocol • IPsec establishes origin authentication • PKI environment at a high level • IPsec VPN implementations • Configure and verify an IPsec site-to-site VPN • Cisco Easy VPN Server and Cisco Easy VPN Remote • Configure and verify remote access VPNs using the Cisco Easy VPN Server
642-523 SNPA: Securing Networks with PIX and ASA Exam
Install and configure a Security Appliance for basic network connectivity • Security Appliance hardware and software architecture • Appliance hardware and software configuration, and verifying that it is correct • CLI to configure basic network settings, including interface configurations • show commands to verify initial configurations • Configure NAT and global addressing • Configure DHCP client • default route • Configure logging, syslog files • Configure static address translations • Configure Network Address Translations: PAT
Configure to restrict inbound traffic from untrusted sources • access-lists to filter traffic based on address, time, and protocols • object-groups to optimize access-list processing • Nat0, Policy NAT • Java/ActiveX filtering • Configure URL filtering, inbound traffic restrictions • Configure static port redirection, Configure a net static • Set embryonic and connection limits on the Security Appliance
Configure to provide secure connectivity using site-to-site VPNs • functionality of IPsec, Configure IKE with preshared keys • types of encryption, IPsec parameters, crypto-maps and ACLs
Configure to provide secure connectivity using remote access VPNs • functions of EasyVPN • IPsec using EasyVPN Server/Client • Cisco Secure VPN client, SSL VPN • WebVPN services: Server/Client, VPN operations • SVCs, Cisco Secure Desktop
Configure transparent firewall, virtual firewall, and high availability firewall features on a Security Appliance • Explain differences between L2 and L3 operating modes • Transparent mode (L2) • Virtual firewalls, Monitor and maintain virtual firewall • Types, purpose and operation of fail-over • Cable-based or LAN-based fail-over, Hardware, software and licensing requirements for high-availability • Active/standby fail-over, Stateful fail-over, Active-active fail-over • Verify fail-over operation, Recover from a fail-over, Allocate resources to virtual firewalls
Configure AAA services for the Security Appliance • ACS for Security Appliance support, Use AAA feature • Configure authentication using both local and external databases • Configure authorization using an external database • Configure the ACS server for downloadable ACLs • Configure accounting of connection start/stop • AAA operation
Configure routing and switching on a Security Appliance • DHCP server and relay functionality • VLANs, Pass multi-cast traffic
Configure Security Appliance advanced application layer and modular policy features • Class-map, Policy-map, Service-policy, ftp-map, http-map • Inspection protocol, Function of protocol inspection • DNS guard, AIP-SSM HW and SW, Load IPS SW in the AIP-SSM, AIP-SSM • IPS modular policy, CSC-SSM HW and SW, Configure regex class maps, regular expressions • Load CSC SW on the SSM • CSC-SSM, Divert traffic to the CSC-SSM, Initialize the CSC-SSM
Monitor and manage an installed Security Appliance • Obtain and apply OS updates • Backup and restore configurations and software • File management system • Password/lockout recovery procedures • Upgrade license keys • Passwords for various access methods: Telnet, serial, enable, SSH • Various access methods: Telnet, SSH, ASDM • Configure command authorization and privilege levels • Configure local username database • Verify access control methods • Enable ASDM functionality • ASDM, Verify the licensing available on a Security Appliance • Add, delete, and modify syslog messages