CCNP Security FIREWALL 642-617 Official Cert Guide: (Official Cert Guide)

This is the eBook version of the printed book. The eBook does not contain the practice test software that accompanies the print book.    CCNP Security FIREWALL 642-617 Official Cert Guide is a best of breed Cisco exam study guide that focuses specifically on the objectives for the CCNP Security FIREWALL exam. Senior security consultants and instructors David Hucaby, Dave Garneau, and Anthony Sequeira share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics. Learn, prepare, and practice for exam success Master CCNP Security FIREWALL 642-617 exam topics Assess your knowledge with chapter-opening quizzes Review key concepts with exam preparation tasks CCNP Security FIREWALL 642-617 Official Cert Guide presents you with an organized test-preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.   Well-regarded for its level of detail, assessment features, and challenging review questions and exercises, this official study guide helps you master the concepts and techniques that will enable you to succeed on the exam the first time.   CCNP Security FIREWALL 642-617 Official Cert Guide is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.   The official study guide helps you master all the topics on the CCNP Security FIREWALL exam, including ASA interfaces IP connectivity ASA management Recording ASA activity Address translation Access control Proxy services Traffic inspection and handling Transparent firewall mode Virtual firewalls High availability ASA service modules This volume is part of the Official Cert Guide Series from Cisco Press. Books in this series provide officially developed exam preparation materials that offer assessment, review, and practice to help Cisco Career Certification candidates identify weaknesses, concentrate their study efforts, and enhance their confidence as exam day nears.  

Table of Contents:
Introduction xxiii Chapter 1 Cisco ASA Adaptive Security Appliance Overview 3 “Do I Know This Already?” Quiz 3 Foundation Topics 7 Firewall Overview 7 Firewall Techniques 11     Stateless Packet Filtering 11     Stateful Packet Filtering 12     Stateful Packet Filtering with Application Inspection and Control 12     Network Intrusion Prevention System 13     Network Behavior Analysis 14     Application Layer Gateway (Proxy) 14 Cisco ASA Features 15 Selecting a Cisco ASA Model 18     ASA 5505 18     ASA 5510, 5520, and 5540 19     ASA 5550 20     ASA 5580 21     Security Services Modules 22         Advanced Inspection and Prevention (AIP) SSM 22         Content Security and Control (CSC) SSM 23         4-Port Gigabit Ethernet (4GE) SSM 24     ASA 5585-X 24     ASA Performance Breakdown 25 Selecting ASA Licenses 28 Exam Preparation Tasks 31     Review All Key Topics 31     Define Key Terms 31 Chapter 2 Working with a Cisco ASA 33 “Do I Know This Already?” Quiz 33 Foundation Topics 38 Using the CLI 38     Entering Commands 39     Command Help 41     Command History 43     Searching and Filtering Command Output 43     Terminal Screen Format 45 Using Cisco ASDM 45 Understanding the Factory Default Configuration 50 Working with Configuration Files 52     Clearing an ASA Configuration 55 Working with the ASA File System 56     Navigating an ASA Flash File System 57     Working with Files in an ASA File System 58 Reloading an ASA 61     Upgrading the ASA Software at the Next Reload 63     Performing a Reload 64     Manually Upgrading the ASA Software During a Reload 65 Exam Preparation Tasks 69     Review All Key Topics 69     Define Key Terms 69     Command Reference to Check Your Memory 69 Chapter 3 Configuring ASA Interfaces 73 “Do I Know This Already?” Quiz 73 Foundation Topics 77 Configuring Physical Interfaces 77     Default Interface Configuration 78     Configuring Physical Interface Parameters 80     Mapping ASA 5505 Interfaces to VLANs 80     Configuring Interface Redundancy 81 Configuring VLAN Interfaces 83     VLAN Interfaces and Trunks on ASA 5510 and Higher Platforms 84     VLAN Interfaces and Trunks on an ASA 5505 86 Configuring Interface Security Parameters 88     Naming the Interface 88     Assigning an IP Address 89     Setting the Security Level 90     Interface Security Parameters Example 94 Configuring the Interface MTU 94 Verifying Interface Operation 96 Exam Preparation Tasks 99     Review All Key Topics 99     Define Key Terms 99     Command Reference to Check Your Memory 99 Chapter 4 Configuring IP Connectivity 103 “Do I Know This Already?” Quiz 103 Foundation Topics 107 Deploying DHCP Services 107     Configuring a DHCP Relay 107     Configuring a DHCP Server 108 Using Routing Information 111 Configuring Static Routing 115     Tracking a Static Route 117 Routing with RIPv2 122 Routing with EIGRP 125 Routing with OSPF 134     An Example OSPF Scenario 140 Verifying the ASA Routing Table 144 Exam Preparation Tasks 147     Review All Key Topics 147     Define Key Terms 147     Command Reference to Check Your Memory 148 Chapter 5 Managing a Cisco ASA 155 “Do I Know This Already?” Quiz 155 Foundation Topics 159 Basic Device Settings 159     Configuring Device Identity 159     Configuring Basic Authentication 160     Verifying Basic Device Settings 162 Configuring Name-to-Address Mappings 162     Configuring Local Name-to-Address Mappings 162     Configuring DNS Server Groups 164     Verifying Name-to-Address Mappings 166 File System Management 166     File System Management Using ASDM 166     File System Management Using the CLI 167         dir 168         more 168         copy 168         delete 168         rename 168         mkdir 169         rmdir 169         cd 170         pwd 170         fsck 170         format or erase 171 Managing Software and Feature Activation 171     Managing Cisco ASA Software and ASDM Images 171     Upgrading Files from a Local PC or Directly from Cisco.com 173     License Management 175     Upgrading the Image and Activation Key at the Same Time 176     Cisco ASA Software and License Verification 176 Configuring Management Access 179     Overview of Basic Procedures 179     Configuring Remote Management Access 181         Configuring an Out-of-Band Management Interface 182     Configuring Remote Access Using Telnet 182     Configuring Remote Access Using SSH 185     Configuring Remote Access Using HTTPS 187         Creating a Permanent Self-Signed Certificate 187         Obtaining an Identity Certificate by PKI Enrollment 189         Deploying an Identity Certificate 190     Configuring Management Access Banners 191 Controlling Management Access with AAA 194     Creating Users in the Local Database 196     Using Simple Password-Only Authentication 197     Configuring AAA Access Using the Local Database 198     Configuring AAA Access Using Remote AAA Server(s) 200         Step 1: Create an AAA Server Group and Configure How Servers in the Group Are Accessed 201         Step 2: Populate the Server Group with Member Servers 202         Step 3: Enable User Authentication for Each Remote Management Access Channel 203     Configuring Cisco Secure ACS for Remote Authentication 204     Configuring AAA Command Authorization 207     Configuring Local AAA Command Authorization 208     Configuring Remote AAA Command Authorization 211     Configuring Remote AAA Accounting 214     Verifying AAA for Management Access 215 Configuring Monitoring Using SNMP 216 Troubleshooting Remote Management Access 221 Cisco ASA Password Recovery 223     Performing Password Recovery 223     Enabling or Disabling Password Recovery 224 Exam Preparation Tasks 225     Review All Key Topics 225     Command Reference to Check Your Memory 225 Chapter 6 Recording ASA Activity 233 “Do I Know This Already?” Quiz 233 Foundation Topics 237 System Time 237     NTP 237     Verifying System Time Settings 241 Managing Event and Session Logging 242     NetFlow Support 243     Logging Message Format 244     Message Severity 244 Configuring Event and Session Logging 245     Configuring Global Logging Properties 245     Altering Settings of Specific Messages 247     Configuring Event Filters 250     Configuring Individual Event Destinations 252         Internal Buffer 252         ASDM 253         Syslog Server(s) 255         Email 257         NetFlow 259         Telnet or SSH Sessions 260 Verifying Event and Session Logging 261     Implementation Guidelines 262 Troubleshooting Event and Session Logging 263     Troubleshooting Commands 263 Exam Preparation Tasks 265     Review All Key Topics 265     Command Reference to Check Your Memory 265 Chapter 7 Using Address Translation 269 “Do I Know This Already?” Quiz 270 Foundation Topics 277 Understanding How NAT Works 277 Enforcing NAT 279 Address Translation Deployment Options 280     NAT Versus PAT 281     Input Parameters 283     Deployment Choices 283     NAT Exemption 284 Configuring NAT Control 285 Configuring Dynamic Inside NAT 287 Configuring Dynamic Inside PAT 292 Configuring Dynamic Inside Policy NAT 297 Verifying Dynamic Inside NAT and PAT 300 Configuring Static Inside NAT 301 Configuring Network Static Inside NAT 304 Configuring Static Inside PAT 307 Configuring Static Inside Policy NAT 310 Verifying Static Inside NAT and PAT 313 Configuring No-Translation Rules 313     Configuring Dynamic Identity NAT 314     Configuring Static Identity NAT 316     Configuring NAT Bypass (NAT Exemption) 318 NAT Rule Priority with NAT Control Enabled 319 Configuring Outside NAT 320 Other NAT Considerations 323     DNS Rewrite (Also Known as DNS Doctoring) 323     Integrating NAT with ASA Access Control 325     Integrating NAT with MPF 326     Integrating NAT with AAA (Cut-Through Proxy) 326 Troubleshooting Address Translation 326     Improper Translation 327     Protocols Incompatible with NAT or PAT 327     Proxy ARP 327     NAT-Related Syslog Messages 328 Exam Preparation Tasks 329     Review All Key Topics 329     Define Key Terms 330     Command Reference to Check Your Memory 330 Chapter 8 Controlling Access Through the ASA 333 “Do I Know This Already?” Quiz 333 Foundation Topics 338 Understanding How Access Control Works 338 State Tables 338     Connection Table 339     TCP Connection Flags 342     Inside and Outside, Inbound and Outbound 343     Local Host Table 344     State Table Logging 345 Understanding Interface Access Rules 346     Stateful Filtering 347     Interface Access Rules and Interface Security Levels 349     Interface Access Rules Direction 349 Configuring Interface Access Rules 350     Access Rule Logging 356     Cisco ASDM Public Server Wizard 363     Configuring Access Control Lists from the CLI 364     Implementation Guidelines 365 Time-Based Access Rules 366     Configuring Time Ranges from the CLI 370 Verifying Interface Access Rules 371     Managing Rules in Cisco ASDM 372     Managing Access Rules from the CLI 375 Organizing Access Rules Using Object Groups 376 Verifying Object Groups 387 Configuring and Verifying Other Basic Access Controls 390     uRPF 390     Shunning 392 Troubleshooting Basic Access Control 393     Examining Syslog Messages 393     Packet Capture 395     Packet Tracer 397     Suggested Approach to Access Control Troubleshooting 399 Exam Preparation Tasks 400     Review All Key Topics 400     Command Reference to Check Your Memory 401 Chapter 9 Inspecting Traffic 409 “Do I Know This Already?” Quiz 409 Foundation Topics 415 Understanding the Modular Policy Framework 415 Configuring the MPF 418 Configuring a Policy for Inspecting OSI Layers 3 and 4 420     Step 1: Define a Layer 3—4 Class Map 421     Step 2: Define a Layer 3—4 Policy Map 423     Step 3: Apply the Policy Map to the Appropriate Interfaces 426     Creating a Security Policy in ASDM 427     Tuning Basic Layer 3—4 Connection Limits 431     Inspecting TCP Parameters with the TCP Normalizer 435     Configuring ICMP Inspection 441 Configuring Dynamic Protocol Inspection 441     Configuring Custom Protocol Inspection 450 Configuring a Policy for Inspecting OSI Layers 5—7 451     Configuring HTTP Inspection 452         Configuring HTTP Inspection Policy Maps Using the CLI 454         Configuring HTTP Inspection Policy Maps Using ASDM 461     Configuring FTP Inspection 473         Configuring FTP Inspection Using the CLI 474         Configuring FTP Inspection Using ASDM 476     Configuring DNS Inspection 479         Creating and Applying a DNS Inspection Policy Map Using the CLI 480         Creating and Applying a DNS Inspection Policy Map Using ASDM 482     Configuring ESMTP Inspection 487         Configuring an ESMTP Inspection with the CLI 487         Configuring an ESMTP Inspection with ASDM 489     Configuring a Policy for ASA Management Traffic 492 Detecting and Filtering Botnet Traffic 497     Configuring Botnet Traffic Filtering with the CLI 498         Step 1: Configure the Dynamic Database 498         Step 2: Configure the Static Database 499         Step 3: Enable DNS Snooping 499         Step 4: Enable the Botnet Traffic Filter 499     Configuring Botnet Traffic Filtering with ASDM 501         Step 1: Configure the Dynamic Database 501         Step 2: Configure the Static Database 501         Step 3: Enable DNS Snooping 502         Step 4: Enable the Botnet Traffic Filter 502 Using Threat Detection 503     Configuring Threat Detection with the CLI 504         Step 1: Configure Basic Threat Detection 504         Step 2: Configure Advanced Threat Detection 506         Step 3: Configure Scanning Threat Detection 507     Configuring Threat Detection in ASDM 509         Step 1: Configure Basic Threat Detection 509         Step 2: Configure Advanced Threat Detection 509         Step 3: Configure Scanning Threat Detection 510 Exam Preparation Tasks 512     Review All Key Topics 512     Define Key Terms 513     Command Reference to Check Your Memory 513 Chapter 10 Using Proxy Services to Control Access 515 “Do I Know This Already?” Quiz 515 Foundation Topics 518 User-Based (Cut-Through) Proxy Overview 518     User Authentication 518 AAA on the ASA 519     AAA Deployment Options 519 User-Based Proxy Preconfiguration Steps and Deployment Guidelines 520     User-Based Proxy Preconfiguration Steps 520     User-Based Proxy Deployment Guidelines 520 Direct HTTP Authentication with the Cisco ASA 521     HTTP Redirection 521     Virtual HTTP 522 Direct Telnet Authentication 522 Configuration Steps of User-Based Proxy 522 Configuring User Authentication 522     Configuring an AAA Group 523     Configuring an AAA Server 524     Configuring the Authentication Rules 524     Verifying User Authentication 526     Configuring HTTP Redirection 527     Configuring the Virtual HTTP Server 527     Configuring Direct Telnet 528 Configuring Authentication Prompts and Timeouts 528     Configuring Authentication Prompts 529     Configuring Authentication Timeouts 529 Configuring User Authorization 530     Configuring Downloadable ACLs 531 Configuring User Session Accounting 531 Using Proxy for IP Telephony and Unified TelePresence 532 Exam Preparation Tasks 534     Review All Key Topics 534     Define Key Terms 534     Command Reference to Check Your Memory 534 Chapter 11 Handling Traffic 537 “Do I Know This Already?” Quiz 537 Foundation Topics 541 Handling Fragmented Traffic 541 Prioritizing Traffic 543 Controlling Traffic Bandwidth 547     Configuring Traffic Policing Parameters 550     Configuring Traffic Shaping Parameters 553 Exam Preparation Tasks 557     Review All Key Topics 557     Define Key Terms 557     Command Reference to Check Your Memory 557 Chapter 12 Using Transparent Firewall Mode 561 “Do I Know This Already?” Quiz 561 Foundation Topics 564 Firewall Mode Overview 564 Configuring Transparent Firewall Mode 567 Controlling Traffic in Transparent Firewall Mode 569 Using ARP Inspection 571 Disabling MAC Address Learning 575 Exam Preparation Tasks 579     Review All Key Topics 579     Define Key Terms 579     Command Reference to Check Your Memory 580 Chapter 13 Creating Virtual Firewalls on the ASA 583 “Do I Know This Already?” Quiz 583 Foundation Topics 586 Cisco ASA Virtualization Overview 586     The System Configuration, the System Context, and Other Security Contexts 586 Virtual Firewall Deployment Guidelines 587     Deployment Choices 587     Deployment Guidelines 588     Limitations 588 Configuration Tasks Overview 589 Configuring Security Contexts 589     The Admin Context 590     Configuring Multiple Mode 590     Creating a Security Context 590 Verifying Security Contexts 592 Managing Security Contexts 592     Packet Classification 592     Changing the Admin Context 593 Configuring Resource Management 594     The Default Class 594     Creating a New Resource Class 594 Verifying Resource Management 596 Troubleshooting Security Contexts 596 Exam Preparation Tasks 598     Review All Key Topics 598     Define Key Terms 598     Command Reference to Check Your Memory 598 Chapter 14 Deploying High Availability Features 601 “Do I Know This Already?” Quiz 601 Foundation Topics 605 ASA Failover Overview 605     Failover Roles 605     Detecting an ASA Failure 611 Configuring Active-Standby Failover Mode 612     Step 1: Configure the Primary Failover Unit 613     Step 2: Configure Failover on the Secondary Device 614     Scenario for Configuring Active-Standby Failover Mode 614     Configuring Active-Standby Failover with the ASDM Wizard 616     Configuring Active-Standby Failover Manually in ASDM 618 Configuring Active-Active Failover Mode 621     Step 1: Configure the Primary ASA Unit 622     Step 2: Configure the Secondary ASA Unit 623     Scenario for Configuring Active-Active Failover Mode 623 Tuning Failover Operation 630     Configuring Failover Timers 630     Configuring Failover Health Monitoring 631     Detecting Asymmetric Routing 632     Administering Failover 634 Verifying Failover Operation 635 Leveraging Failover for a Zero Downtime Upgrade 637 Exam Preparation Tasks 639     Review All Key Topics 639     Define Key Terms 639     Command Reference to Check Your Memory 639 Chapter 15 Integrating ASA Service Modules 645 “Do I Know This Already?” Quiz 645 Foundation Topics 648 Cisco ASA Security Services Modules Overview 648     Module Components 648         General Deployment Guidelines 649         Overview of the Cisco ASA Content Security and Control SSM 649         Cisco Content Security and Control SSM Licensing 649         Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC 649         Inline Operation 650         Promiscuous Operation 650         Supported Cisco IPS Software Features 650 Installing the ASA AIP-SSM and AIP-SSC 651     The Cisco AIP-SSM and AIP-SSC Ethernet Connections 651     Failure Management Modes 652     Managing Basic Features 652     Initializing the AIP-SSM and AIP-SSC 653     Configuring the AIP-SSM and AIP-SSC 653 Integrating the ASA CSC-SSM 653     Installing the CSC-SSM 653     Ethernet Connections 654     Managing the Basic Features 654     Initializing the Cisco CSC-SSM 654     Configuring the CSC-SSM 655 Exam Preparation Tasks 656     Review All Key Topics 656     Definitions of Key Terms 656     Command Reference to Check Your Memory 656 Chapter 16 Final Preparation 659 Tools for Final Preparation 659     Pearson Cert Practice Test Engine and Questions on the CD 659         Install the Software from the CD 659         Activate and Download the Practice Exam 660         Activating Other Exams 660         Premium Edition 660     The Cisco Learning Network 661     Chapter-Ending Review Tools 661 Suggested Plan for Final Review/Study 661     Using the Exam Engine 662 Summary 663 Appendix A Answers to the “Do I Know This Already?” Quizzes 665 Appendix B CCNP Security 642-617 FIREWALL Exam Updates: Version 1.0 671 Appendix C Traffic Analysis Tools 675 Glossary 707     9781587142796   TOC   8/25/2011  

About the Author :
David Hucaby, CCIE No. 4594, is a network architect for the University of Kentucky, where he works with healthcare networks based on the Cisco Catalyst, ASA, FWSM, and Unified Wireless product lines. David has a bachelor of science degree and master of science degree in electrical engineering from the University of Kentucky. He is the author of several Cisco Press titles, including Cisco ASA, PIX, and FWSM Firewall Handbook, Second Edition; Cisco Firewall Video Mentor; Cisco LAN Switching Video Mentor; and CCNP SWITCH Exam Certification Guide.   David lives in Kentucky with his wife, Marci, and two daughters.   Dave Garneau is a senior member of the Network Security team at Rackspace Hosting, Inc., a role he started during the creation of this book. Before that, he was the principal consultant and senior technical instructor at The Radix Group, Ltd. In that role, Dave trained more than 3000 students in nine countries on Cisco technologies, mostly focusing on the Cisco security products line, and worked closely with Cisco in establishing the new Cisco Certified Network Professional Security (CCNP Security) curriculum. Dave has a bachelor of science degree in mathematics from Metropolitan State College of Denver (now being renamed Denver State University). Dave lives in San Antonio, Texas with his wife, Vicki.   Anthony Sequeira, CCIE No. 15626, is a Cisco Certified Systems Instructor and author regarding all levels and tracks of Cisco Certification. Anthony formally began his career in the information technology industry in 1994 with IBM in Tampa, Florida. He quickly formed his own computer consultancy, Computer Solutions, and then discovered his true passion–teaching and writing about Microsoft and Cisco technologies. Anthony joined Mastering Computers in 1996 and lectured to massive audiences around the world about the latest in computer technologies. Mastering Computers became the revolutionary online training company KnowledgeNet, and Anthony trained there for many years. Anthony is currently pursuing his second CCIE in the area of Security and is a full-time instructor for the next generation of KnowledgeNet, StormWind Live.