Implementing Secure Converged Wide Area Networks

Course description
ISCW is an advanced instructor-led course that focuses on WAN and remote access solutions. This 5-day course includes cable modems and DSL with Network Address Translation (NAT), Multiprotocol Label Switching (MPLS) VPNs, IPsec VPNs. This course will teach you how to secure the network environment using Cisco IOS security features, and configure the three primary components of the Cisco IOS Firewall feature set (firewall, IPS, and AAA).


Learning objectives
After you complete this course, you will be able to:

• Describe remote connectivity requirements for secured access
• Describe Cisco network architectures for remote connectivity
• Describe and implement teleworker broadband connectivity
• Implement and verify frame mode MPLS
• Describe and configure a site-to-site IPsec VPN
• Describe and configure Cisco device hardening
• Describe and configure IOS firewall features

Who should attend
This course provides in-depth technical training for system engineers, network engineers, and field engineers who need to design, deploy, configure, and manage Cisco IOS routers and switches.


Recommended prerequisites

• CCNA certification or equivalent knowledge and experience
• Ability to complete the initial configuration of a Cisco IOS switch or router
• Ability to create interswitch connections and run show commands on a Cisco IOS switch or router
• Moderate knowledge of routing protocols
• Basic knowledge of standard WAN technologies (Frame Relay, PPP, and HDLC)
• Basic knowledge of standard and extended ACLs

Course outline
Module 1: Network Connectivity Requirements
Lesson 1: Describing Network Requirements

• IIN and Cisco SONA Framework
• Cisco Network Models
• Remote Connection Requirements in a Converged Network

Module 2: Teleworker Connectivity
Lesson 1: Describing Topologies for Facilitating Remote Connections

• Remote Connection Topologies
• The Challenge of Connecting the Teleworker

Lesson 2: Describing Cable Technology

• Cable Technology Terms
• Cable System Components
• Cable Features
• Digital Signals over RF Channels
• Data over Cable
• Cable Technology: Putting It All Together
• Provisioning a Cable Modem

Lesson 3: Describing DSL Technology

• DSL Features
• DSL Types
• DSL Limitations
• ADSL
• ADSL and POTS Coexistence
• ADSL Channels and Encoding
• Data over ADSL: PPPoE
• Data over ADSL: PPPoA

Lesson 4: Configuring the CPE as the PPPoE or PPPoA Client

• Configuration of a Cisco Router as the PPPoE Client
• Configuration of a PPPoE Client
• Configuration of the PPPoE DSL Dialer Interface
• Configuration of PAT
• Configuration of DHCP to Scale DSL
• Configuration of a Static Default Route
• Verifying a PPPoE Configuration
• Configuration of a PPPoA DSL Connection
• Configuration of the DSL ATM Interface

Lesson 5: Verifying Broadband ADSL Configurations

• Layer Troubleshooting
• Layer 1 Issues
• Administratively Down State for an ATM Interface
• Correct DSL Operating Mode?
• Layer 2 Issues
• Data Received from the ISP
• Proper PPP Negotiation

Module 3: Frame Mode MPLS Implementation
Lesson 1: Introducing MPLS Networks

• The MPLS Conceptual Model
• Router Switching Mechanisms
• MPLS Architecture
• MPLS Labels
• Label Switch Routers
• LSR Component Architecture

Lesson 2: Assigning MPLS Labels to Packets

• Label Allocation in a Frame Mode MPLS Environment
• Label Distribution and Advertisement
• Populating the LFIB Table
• Packet Propagation Across an MPLS Network
• Penultimate Hop Popping

Lesson 3: Implementing Frame Mode MPLS

• The Procedure to Configure MPLS
• Configuring IP CEF
• Configuring MPLS on a Frame Mode Interface
• Configuring the MTU Size in Label Switching

Lesson 4: Describing MPLS VPN Technology

• Defining MPLS VPN
• MPLS VPN Architecture
• Propagation of Routing Information Across the P-Network
• End-to-End Routing Information Flow
• MPLS VPNs and Packet Forwarding

Module 4: IPsec VPNs
Lesson 1: Understanding IPsec Components and IPsec VPN Features

• IPsec Overview
• Internet Key Exchange
• IKE: Other Functions
• ESP and AH
• Message Authentication and Integrity Check
• Symmetric and Asymmetric Encryption Algorithms
• PKI Environment

Lesson 2: Implementing Site-to-Site IPsec VPN Operations

• Site-to-Site IPsec VPN Operations
• Configuring IPsec
• Site-to-Site IPsec Configuration: Phase 1
• Site-to-Site IPsec Configuration: Phase 2
• Site-to-Site IPsec Configuration: Apply VPN Configuration
• Site-to-Site IPsec Configuration: Interface ACL

Lesson 3: Configuring IPsec Site-to-Site VPN Using SDM

• Introducing the SDM VPN Wizard Interface
• Site-to-Site VPN Components
• Launching the Site-to-Site VPN Wizard
• Connection Settings
• IKE Proposals
• Transform Set
• Defining What Traffic to Protect
• Completing the Configuration

Lesson 4: Configuring GRE Tunnels over IPsec

• Generic Routing Encapsulation
• Introducing Secure GRE Tunnels
• Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
• Backup GRE Tunnel Information
• VPN Authentication Information
• IKE Proposals
• Transform Set
• Routing Information
• Completing the Configuration

Lesson 5: Configuring High-Availability Options

• High Availability for IOS IPsec VPNs
• IPsec Backup Peer
• Hot Standby Routing Protocol
• IPsec Stateful Failover
• Backing Up a WAN Connection with an IPsec VPN

Lesson 6: Configuring Cisco Easy VPN and Easy VPN Server Using SDM

• Introducing Cisco Easy VPN
• Describe Easy VPN Server and Easy VPN Remote
• Cisco Easy VPN Server Configuration Tasks
• Configuring Easy VPN Server
• IKE Proposals
• Transform Set
• Group Policy Configuration Location
• User Authentication
• Local Group Policies
• Completing the Configuration

Lesson 7: Implementing the Cisco VPN Client

• Cisco VPN Client Configuration Tasks
• Use the Cisco VPN Client to Establish a VPN Connection and Verify the Connection Status

Module 5: Cisco Device Hardening
Lesson 1: Mitigating Network Attacks

• Cisco Self-Defending Network
• Types of Network Attacks
• Reconnaissance Attacks and Mitigation
• Access Attacks and Mitigation
• DoS Attacks and Mitigation
• Worm, Virus, and Trojan Horse Attacks and Mitigation
• Application Layer Attacks and Mitigation
• Management Protocols and Vulnerabilities
• Determining Vulnerabilities and Threats

Lesson 2: Disabling Unused Cisco Router Network Services and Interfaces

• Vulnerable Router Services and Interfaces
• Locking Down Routers with AutoSecure
• AutoSecure Process Overview
• Locking Down Routers with the SDM

Lesson 3: Securing Cisco Router Installations and Administrative Access

• Configuring Router Passwords
• Setting a Login Failure Rate
• Setting Timeouts
• Setting Multiple Privilege Levels
• Configuring Banner Messages
• Configuring Role-Based CLI
• Secure Configuration Files

Lesson 4: Mitigating Threats and Attacks with Access Lists

• Cisco ACLs
• Applying ACLs to Router Interfaces
• Using Traffic Filtering with ACLs
• Filtering Network Traffic to Mitigate Threats
• Mitigating Distributed DoS with ACLs
• Combining Access Functions
• Caveats

Lesson 5: Securing Management and Reporting Features

• Secure Management and Reporting Planning Considerations
• Secure Management and Reporting Architecture
• Configuring an SSH Server for Secure Management and Reporting
• Using Syslog Logging for Network Security
• Configuring Syslog Logging
• SNMP Version 3
• Configuring an SNMP Managed Node
• Configuring NTP Client
• Configuring NTP Server

Lesson 6: Configuring AAA on Cisco Routers

• Introduction to AAA
• Router Access Modes
• AAA Protocols: RADIUS and TACACS+
• Configure AAA Login Authentication on Cisco Routers Using CLI
• Configure AAA Login Authentication on Cisco Routers Using SDM
• Troubleshoot AAA Login Authentication on Cisco Routers
• AAA Authorization Commands
• AAA Accounting Commands

Module 6: Cisco IOS Threat Defense Features
Lesson 1: Introducing the Cisco IOS Firewall

• Layered Defense Strategy
• Firewall Technologies
• Stateful Firewall Operation
• Introducing the Cisco IOS Firewall Feature Set
• Cisco IOS Firewall Functions
• Cisco IOS Firewall Process

Lesson 2: Implementing Cisco IOS Firewalls

• Configuring Cisco IOS Firewall from the CLI
• Basic and Advanced Firewall Wizards
• Configuring a Basic Firewall
• Configuring Interfaces on an Advanced Firewall
• Configuring a DMZ on an Advanced Firewall
• Advanced Firewall Security Configuration
• Complete the Configuration
• Viewing Firewall Activity

Lesson 3: Introducing Cisco IOS IPS

• Introducing Cisco IOS IDS and IPS
• Types of IDS and IPS Systems
• IDS and IPS Signatures
• Cisco IOS IPS Alarms

Lesson 4: Configuring Cisco IOS IPS

• Configuring Cisco IOS IPS
• Cisco IOS IPS SDM Tasks
• Selecting Interfaces and Configuring SDF Locations
• Viewing the IPS Policy Summary and Delivering the Configuration to the Router
• Configuring IPS Policies and Global Settings
• Viewing SDEE Messages
• Tuning Signatures

Course labs
Lab 2-1: Configuring DSL
Lab 3-1: Configuring Frame Mode MPLS
Lab 4-1: Configuring Site-to-Site IPsec VPNs
Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM
Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection
Lab 4-4: Configuring Cisco Easy VPN Server Using SDM
Lab 5-1: Securing Cisco Routers
Lab 5-2: Securing Cisco Router Management
Lab 5-3: Configuring AAA Login Authentication and Exec Authorization on Cisco Routers
Lab 6-1: Configuring a Cisco IOS Firewall
Lab 6-2: Configuring Cisco IOS IPS
Lab 6-3: Troubleshooting Security