Cisco Firewall Specialist

Cisco security certifications focus on the growing need for knowledgeable network professionals who can implement complete security solutions. Cisco Firewall Specialists focus on securing network access using Cisco IOS Software and Cisco PIX and Adaptive Security Appliance (ASA) Firewall Technologies.

Cisco Firewall Specialist Exams & Recommended Training
642-552 SND	Securing Cisco Network Devices (SND)
642-523 SNPA	Securing Networks with PIX and ASA (SNPA)

SND

The Securing Cisco Network Devices 642-552 SND is the exam associated with the Cisco Certified Security Professional, Cisco Firewall Specialist, Cisco IPS Specialist, and Cisco VPN Specialist certifications. Candidates can prepare for this exam by taking the Securing Cisco Network Devices v2.0 (SND) course. This exam tests a candidate's knowledge of securing Cisco routers and switches and their associated networks. Topics covered include; Security threats facing modern network infrastructures, Securing Cisco routers, Implementing basic AAA, Using ACLs to mitigate router and network threats, Implementing secure management and reporting, Mitigating common Layer 2 attacks, and Implementing Cisco IOS Firewall features, Cisco IOS IPS features, and IPsec VPN features using Cisco Security Device Manager

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Describe the products in the Cisco security portfolio and explain how they mitigate security threats to a network

• Identify the appropriate devices to secure a network
• Identify the appropriate device feature to secure a network
• Describe the difference in functionality and capabilities of the different security devices
• Identify security issues with common management protocols
• Describe threats to a network and network devices
• Identify different techniques to deal with security threats

Describe the security features available for a Cisco Layer 2 device in a secure network

• Identify security features on a Layer 2 device
• Describe basic security feature configurations on a Layer 2 device

Implement security on a Cisco IOS Router

• Identify mitigation techniques for common physical router security threats
• Configure router for secure administrative access
• Implement basic AAA for router administrative authentication
• Configure AutoSecure to harden Cisco routers
• Configure router access lists to secure networks
• Configure security for router services and interfaces
• Implement Syslog logging
• Identify major components of the SDM

Describe and configure Cisco IPS and HIPS

• Configure user accounts
• Describe and configure Network Access lists
• Describe how the sensor device is secure by default
• Install the sensor on the network
• Describe the methods used to access a sensor
• Describe the process for displaying the sensor configuration
• Identify major components of IDM
• Describe basic sensor operations
• Describe the process of using alarms to identify network attacks
• Identify the appropriate platform required to install the CSA MC
• Configure the default group
• Describe the process of agent kit deployment and verifying management of the agent
• Describe key features and concepts of VMS
• Describe the interoperability of the components of VMS
• Describe the hardware and software requirements of VMS

Configure and verify basic remote access on a Cisco VPN 3000 Concentrator

• Perform an initial configuration
• Configure users and groups
• Configure VPN clients
• Verify IPSec tunnel establishment

Implement a Cisco PIX security appliance

• Describe basic PIX security appliance hardware and software architecture
• Identify appropriate PIX security appliance hardware and software configuration
• Configure basic network settings using CLI
• Configure basic interface features on a PIX security appliance
• Verify initial configurations
• Identify major components of the PDM
• Configure static address translation
• Configure Network Address Translation
• Configure firewall to secure inbound traffic
• Verify inbound traffic restrictions
• Describe basic IPSec topologies
• Define the services provided by IPSec
• Describe the IPSec protocol framework
• Describe the IPSec algorithm framework
• Describe the concepts of split tunneling
• Describe the various authentication methods
• Describe how the PIX security appliance uses IPSec to secure networks

SNPA

The Securing Networks with PIX and ASA exam is one of the exams associated with the Cisco Certified Security Professional and the Cisco Firewall Specialist certifications. Candidates can prepare for this exam by taking the SNPA v4.0 course. This exam includes simulations and tests a candidate's knowledge and ability to describe, configure, verify and manage the Cisco PIX and ASA security appliance products.

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

Install and configure a security appliance for basic network connectivity

• Describe the Security Appliance hardware and software architecture
• Determine the Security Appliance hardware and software configuration and verify if it is correct
• Use setup or the CLI to configure basic network settings, including interface configurations
• Use appropriate show commands to verify initial configurations
• Configure NAT and global addressing to meet user requirements
• Configure DHCP client option
• Set default route
• Configure logging options
• Describe the firewall technology
• Explain the information contained in syslog files
• Configure static address translations
• Configure Network Address Translations: PAT
• Configure static port redirection
• Configure a net static
• Set embryonic and connection limits on the security appliance
• Verify network address translation operation

Configure a security appliance to restrict inbound traffic from untrusted sources

• Configure access-lists to filter traffic based on address, time, and protocols
• Configure object-groups to optimize access-list processing
• Configure Network Address Translations: Nat0
• Configure Network Address Translations: Policy NAT
• Configure java/activeX filtering
• Configure URL filtering
• Verify inbound traffic restrictions

Configure a security appliance to provide secure connectivity using site-to-site VPNs

• Explain certificates, certificate authorities and how they are used
• Explain the basic functionality of IPSec
• Configure IKE with preshared keys
• Configure IKE to use certificates
• Differentiate between the types of encryption
• Configure IPSec parameters
• Configure crypto-maps and ACLs

Configure a security appliance to provide secure connectivity using remote access VPNs

• Explain the functions of EasyVPN
• Configure IPSec using EasyVPN Server/Client
• Configure the Cisco Secure VPN client
• Explain the purpose of WebVPN
• Configure WebVPN services: Server/Client
• Verify VPN operations

Configure transparent firewall, virtual firewall, and high availability firewall features on a security appliance

• Explain differences between L2 and L3 operating modes
• Configure security appliance for transparent mode (L2)
• Explain purpose of virtual firewalls
• Configure security appliance to support virtual firewall
• Monitor and maintain virtual firewall
• Explain the types, purpose and operation of fail-over
• Install appropriate topology to support cable-based or LAN-based fail-over
• Explain the hardware, software and licensing requirements for high-availability
• Configure the SA for active/standby fail-over
• Configure the SA for stateful fail-over
• Configure the SA for active-active fail-over
• Verify fail-over operation
• Recover from a fail-over

Configure AAA services for access through a security appliance

• Configure ACS for security appliance support
• Configure security appliance to use AAA feature
• Configure authentication using both local and external databases
• Configure authorization using an external database
• Configure the ACS server for downloadable ACLs
• Configure accounting of connection start/stop
• Verify AAA operation

Configure routing and switching on a security appliance

• Enable DHCP server and relay functionality
• Configure VLANs on a security appliance interface
• Configure routing functionality of security appliance including OSPF, RIP
• Configure security appliance to pass multi-cast traffic
• Configure ICMP on the security appliance

Configure a modular policy on a security appliance

• Configure a class-map
• Configure a policy-map
• Configure a service-policy
• Configure a ftp-map
• Configure a http-map
• Configure an inspection protocol
• Explain the function of protocol inspection
• Explain DNS guard feature
• Describe the AIP-SSM HW and SW
• Load IPS SW on the AIP-SSM
• Verify AIP-SSM
• Configure an IPS modular policy

Monitor and manage an installed security appliance

• Obtain and apply OS updates
• Backup and restore configurations and software
• Explain the security appliance file management system
• Perform password/lockout recovery procedures
• Obtain and upgrade license keys
• Configure passwords for various access methods: Telnet, serial, enable, SSH
• Configure various access methods: Telnet, SSH, PDM
• Configure command authorization and privilege levels
• Configure local username database
• Verify access control methods
• Enable ASDM functionality
• Verify a security appliance configuration via ASDM
• Verify the licensing available on a security appliance

Copyright ?2007 WOLF Network Technology Inc. All rights reserved. http://www.labwolf.com