CCNP security VPN : official cert guide
Study guides
xxxi, 725 pages : illustrations ; 25 cm + 1 CD-ROM (4 3/4 in.)
9781587142567, 1587142562
1034964553
Introduction xxiv
Part I ASA Architecture and Technologies Overview
Chapter 1 Evaluation of the ASA Architecture 3
“Do I Know This Already?” Quiz 3
Foundation Topics 6
Examining ASA Control Fundamentals 6
  Interfaces, Security Levels, and EtherChannels 6
  Security Levels 9
  Same Security Interface and Intra-Interface Communication 10
  EtherChannels 11
  Access Control Lists 12
  Modular Policy Framework 15
Routing the Environment 16
Address Translations and Your ASA 18
AAA for Network-Based Access 21
ASA VPN Technology Comparison 24
Managing Your ASA Device 27
Packet Processing 28
Controlling VPN Access 29
The Good, the Bad, and the Licensing 32
  Time-Based Licenses 41
  When Time-Based and Permanent Licenses Combine 42
  Shared SSL VPN Licenses 43
  Failover Licensing 43
Exam Preparation Tasks 44
  Review All Key Topics 44
  Complete Tables and Lists from Memory 44
  Define Key Terms 44
Chapter 2 Configuring Policies, Inheritance, and Attributes 47
“Do I Know This Already?” Quiz 47
Foundation Topics 49
Policies and Their Relationships 49
Understanding Connection Profiles 50
  Group URL 52
  Group Alias 52
  Certificate to Connection Profile Mapping 53
  Per-User Connection Profile Lock 54
  Default Connection Profiles 55
Understanding Group Policies 56
Configure User Attributes 59
Using External Servers for AAA and Policies 60
Exam Preparation Tasks 70
  Review All Key Topics 70
  Complete Tables and Lists from Memory 70
  Define Key Terms 70
Part II Cisco AnyConnect Remote-Access VPN Solutions
Chapter 3 Deploying an AnyConnect Remote-Access VPN Solution 73
“Do I Know This Already?” Quiz 73
Foundation Topics 76
Full SSL VPN Technology Overview 76
  SSL/TLS 76
  DTLS 80
  IKEv2 81
Configuration Procedures, Deployment Strategies, and Information Gathering 83
  AnyConnect Secure Mobility Client Installation 84
Deploying Your First Full-Tunnel AnyConnect SSL VPN Solution 85
  IP Addressing 85
  Hostname, Domain Name, and DNS 85
  Enroll with a CA and Become a Member of a PKI 86
  Add an Identity Certificate 87
  Add the Signing Root CA Certificate 88
  Enable the Interfaces for SSL/DTLS and AnyConnect Client Connections 88
  Create a Connection Profile 89
Deploying Your First AnyConnect IKEv2 VPN Solution 92
  Enable the Relevant Interfaces for IKEv2 and AnyConnect Client Access 93
  Create a Connection Profile 94
Client IP Address Allocation 97
  Connection Profile Address Assignment 98
  Group Policy Address Assignment 100
  Direct User Address Assignment 104
Advanced Controls for Your Environment 104
  ACLs and Downloadable ACLs 105
  Split Tunneling 107
  Access Hours/Time Range 110
Troubleshooting the AnyConnect Secure Mobility Client 111
Exam Preparation Tasks 117
  Review All Key Topics 117
  Complete Tables and Lists from Memory 117
  Define Key Terms 117
Chapter 4 Advanced Authentication and Authorization of AnyConnect VPNs 119
“Do I Know This Already?” Quiz 119
Foundation Topics 121
Authentication Options and Strategies 121
Provisioning Certificates as a Local CA 126
Configuring Certificate Mappings 134
  Certificate-to-Connection Profile Maps 135
  Mapping Criteria 136
Provisioning Certificates from a Third-Party CA 139
  Configure an XML Profile for Use by the AnyConnect Client 141
  Configure a Dedicated Connection Profile for Enrollment 144
  Enroll the AnyConnect Client into a PKI 145
  Optionally, Configure Client Certificate Selection 147
  Import the Issuing CA’s Certificate into the ASA’s 149
  Create a Connection Profile Using Certificate-Based Authentication 150
Advanced PKI Deployment Strategies 151
  CRLs 152
  OCSP 152
Doubling Up on Client Authentication 155
Troubleshooting Your Advanced Configuration 161
Exam Preparation Tasks 163
  Review All Key Topics 163
  Complete Tables and Lists from Memory 163
  Define Key Terms 163
Chapter 5 Advanced Deployment and Management of the AnyConnect Client 165
“Do I Know This Already?” Quiz 165
Foundation Topics 167
Configuration Procedures, Deployment Strategies, and Information Gathering 167
AnyConnect Installation Options 168
  Manual Predeployment 168
  Automatic Web Deployment 172
Managing AnyConnect Client Profiles 177
Advanced Profile Features 181
  Start Before Login 182
  Trusted Network Detection 182
Advanced AnyConnect Customization and Management 188
Exam Preparation Tasks 195
  Review All Key Topics 195
  Complete Tables and Lists from Memory 195
  Define Key Terms 195
Chapter 6 Advanced Authorization Using AAA and DAPs 197
“Do I Know This Already?” Quiz 197
Foundation Topics 199
Configuration Procedures, Deployment Strategies, and Information Gathering 199
Configuring Local and Remote Group Policies 199
Full SSL VPN Accountability 209
Authorization Through Dynamic Access Policies 213
Troubleshooting Advanced Authorization Settings 216
Exam Preparation Tasks 219
  Review All Key Topics 219
  Complete Tables and Lists from Memory 219
  Define Key Terms 219
Chapter 7 AnyConnect Integration with Cisco Secure Desktop and Optional Modules 221
“Do I Know This Already?” Quiz 221
Foundation Topics 224
Cisco Secure Desktop Overview and Configuration 224
  Host Scan 225
  Prelogin Assessment 225
  Secure Desktop (Vault) 226
  Cache Cleaner 227
  Keystroke Logger Detection 228
  Integration with DAPs 228
  Host Emulation Detection 228
  Windows Mobile Device Management 228
  Standalone Installation Packages 228
  CSD Manual Launch 228
  Prelogin Policies 229
  Post-Login Policies 230
  VPN Session Termination 231
AnyConnect Posture Assessment and Host Scan 231
  AnyConnect Posture Assessment Module 231
  Host Scan 232
Configure Prelogin Policies 234
AnyConnect Network Access, Web Security, and Telemetry Modules 238
  NAM Module 238
  Web Security Module 241
  Telemetry Module 243
Exam Preparation Tasks 246
  Review All Key Topics 246
  Complete Tables and Lists from Memory 246
  Define Key Terms 246
Chapter 8 AnyConnect High Availability and Performance 249
“Do I Know This Already?” Quiz 249
Foundation Topics 251
Overview of High Availability and Redundancy Methods 251
  Hardware-Based Failover 251
  VPN Clustering (VPN Load Balancing) 252
  Redundant VPN Peering 253
  External Load Balancing 253
Deploying DTLS 255
Performance Assurance with QoS 256
  Basic ASDM QoS Configuration 258
AnyConnect Redundant Peering and Failover 265
Hardware-Based Failover with VPNs 267
  Configure LAN Failover Interfaces 269
  Configure Standby Addresses on Interfaces Used for Traffic Forwarding 270
  Define Failover Criteria 270
  Configure Nondefault MAC Addresses 270
Redundancy in the VPN Core 271
  VPN Clustering 272
  Load Balancing Using an External Load Balancer 274
Exam Preparation Tasks 276
  Review All Key Topics 276
  Complete Tables and Lists from Memory 276
  Define Key Terms 276
Part III Cisco Clientless Remote-Access VPN Solutions
Chapter 9 Deploying a Clientless SSL VPN Solution 279
“Do I Know This Already?” Quiz 279
Foundation Topics 282
Clientless SSL VPN Overview 282
SSL VPN Building Blocks 283
  SSL/TLS Recap 283
  SSL Tunnel Negotiation 285
  Handshake 286
Deployment Procedures and Strategies 289
  Physical Topology 289
Deploying Your First Clientless SSL VPN Solution 293
  IP Addressing 293
  Hostname, Domain Name, and DNS 293
  Become a Member of a Public Key Infrastructure 294
  Adding a CA Root Certificate 294
  Certificate Revocation List 295
  Revocation Check 296
  CRL Retrieval Policy 297
  CRL Retrieval Method 297
  OCSP Rules 297
  Advanced 301
  Enable the Relevant Interfaces for SSL 311
  Create Local User Accounts for Authentication 312
  Create a Connection Profile (Optional) 315
Basic Access Control 319
  Bookmarks 320
  HTTP and HTTPS 320
  CIFS 321
  FTP 321
  Group Policies 323
Content Transformation 327
  Gateway Content Rewriting 327
  Application Helper Profiles 329
  Java Code Signing 330
Troubleshooting a Basic Clientless SSL VPN 331
  Troubleshooting Session Establishment 331
  Troubleshooting Certificate Errors 333
Exam Preparation Tasks 335
  Review All Key Topics 335
  Complete Tables and Lists from Memory 335
  Define Key Terms 335
Chapter 10 Advanced Clientless SSL VPN Settings 337
“Do I Know This Already?” Quiz 337
Foundation Topics 340
Overview of Advanced Clientless SSL VPN Settings 340
Application Access Through Port Forwarding 343
  Configuring Port Forwarding Using the ASDM 345
Application Access Using Client-Server Plug-Ins 349
  Configuring Client-Server Plug-In Access Using the ASDM 350
Application Access Through Smart Tunnels 357
  Configuring Smart Tunnel Access Using the ASDM 359
Configuring SSL/TLS Proxies 363
  Email Proxy 363
  Internal HTTP and HTTPS Proxy 365
Troubleshooting Advanced Application Access 366
  Troubleshooting Application Access 366
  Client 366
  ASA/VPN Termination Appliance 367
  Application/Web Server 369
Exam Preparation Tasks 370
  Review All Key Topics 370
  Complete Tables and Lists from Memory 370
  Define Key Terms 370
Chapter 11 Customizing the Clientless Portal 373
“Do I Know This Already?” Quiz 373
Foundation Topics 375
Basic Portal Layout Configuration 375
  Logon Page Customization 377
  Portal Page Customization 379
  Logout Page Customization 379
Outside-the-Box Portal Configuration 381
Portal Localization 381
Getting Portal Help 386
AnyConnect Portal Integration 387
Clientless SSL VPN Advanced Authentication 389
Using an External and Internal CA for Clientless Access 391
Clientless SSL VPN Double Authentication 399
Deploying Clientless SSL VPN Single Sign-On 403
Troubleshooting PKI and SSO Integration 406
Exam Preparation Tasks 410
  Review All Key Topics 410
  Complete Tables and Lists from Memory 410
  Define Key Terms 410
Chapter 12 Advanced Authorization Using Dynamic Access Policies 413
“Do I Know This Already?” Quiz 413
Foundation Topics 416
Configuration Procedures, Deployment Strategies, and Information Gathering 416
  Create a DAP 419
  Specify User AAA Attributes 419
  Specify Endpoint Attributes 421
  Configure Authorization Parameters 424
  Configure Authorization Parameters for the Default DAP 426
DAP Record Aggregation 427
Troubleshooting DAP Deployment 432
  ASDM Test Feature 432
  ASA Logging 434
  DAP Debugging 435
Exam Preparation Tasks 437
  Review All Key Topics 437
  Complete Tables and Lists from Memory 437
  Define Key Terms 437
Chapter 13 Clientless SSL VPN with Cisco Secure Desktop 439
“Do I Know This Already?” Quiz 439
Foundation Topics 441
Cisco Secure Desktop Overview and Configuration 441
  Prelogin Assessment 442
  Host Scan 443
  Secure Desktop (Vault) 443
  Cache Cleaner 443
  Keystroke Logger Detection 444
  Integration with DAP 444
  Host Emulation Detection 444
  Windows Mobile Device Management 444
  Standalone Installation Packages 444
  CSD Manual Launch 444
  Secure Desktop (Vault) 446
  Cache Cleaner 446
  CSD Supported Browsers, Operating Systems, and Credentials 447
  Enabling Cisco Secure Desktop on the ASA 450
Configure Prelogin Criteria 452
  Keystroke Logger and Safety Checks 457
  Cache Cleaner 457
  Secure Desktop (Vault) General 458
  Secure Desktop (Vault) Settings 459
  Secure Desktop (Vault) Browser 460
Host Endpoint Assessment 460
Authorization Through DAPs 461
Troubleshooting Cisco Secure Desktop 463
Exam Preparation Tasks 465
  Review All Key Topics 465
  Complete Tables and Lists from Memory 465
  Define Key Terms 465
Chapter 14 Clientless SSL VPN High-Availability and Performance Options 467
“Do I Know This Already?” Quiz 467
Foundation Topics 469
High-Availability Deployment Information and Common Strategies 469
  Failover 469
  Active/Active 469
  Active/Standby 469
  VPN Load Balancing (Clustering) 470
  External Load Balancing 470
  Redundant VPN Peering 470
Content Caching for Optimization 472
Clientless SSL VPN Load Sharing Using an External Load Balancer 473
Clustering Configuration for Clientless SSL VPN 474
Troubleshooting Load Balancing and Clustering 477
Exam Preparation Tasks 479
  Review All Key Topics 479
  Complete Tables and Lists from Memory 479
  Define Key Terms 479
Part IV Cisco IPsec Remote-Access Client Solutions
Chapter 15 Deploying and Managing the Cisco VPN Client 481
“Do I Know This Already?” Quiz 481
Foundation Topics 483
IPsec Review 483
  IKEv1 483
  AH and ESP 486
Cisco IPsec VPN Client Features 488
IPsec Client Software Installation and Basic Configuration 491
  Connection Entries 495
  Status 495
  Certificates 495
  Log 495
  Options 495
  Help 496
  Create New VPN Connection Entry, Main Window 496
  Authentication Tab 496
  Transport Tab 497
  Backup Servers Tab 497
  Dial-Up Tab 497
Advanced Profile Settings 498
VPN Client Software GUI Customization 507
Troubleshooting VPN Client Connectivity 507
Exam Preparation Tasks 512
  Review All Key Topics 512
  Complete Tables and Lists from Memory 512
  Define Key Terms 512
Part V Cisco Easy VPN Solutions
Chapter 16 Deploying Easy VPN Solutions 515
“Do I Know This Already?” Quiz 515
Foundation Topics 517
Configuration Procedures, Deployment Procedures, and Information Gathering 517
Easy VPN Basic Configuration 519
  ASA IP Addresses 519
  Configure Required Routing 519
  Enable IPsec Connectivity 519
  Configure Preferred IKEv1 and IPsec Policies 522
  Client IP Address Assignment 527
  VPN Client Authentication Using Pre-Shared Keys 529
  Using XAUTH for VPN Client Access 532
  IP Address Allocation Using the VPN Client 533
  DHCP Configuration 538
Controlling Your Environment with Advanced Features 539
  ACL Bypass Configuration 540
  Basic Interface ACL Configuration 540
  Per-Group ACL Configuration 542
  Per-User ACL Configuration 543
  Split-Tunneling Configuration 545
  Troubleshooting a Basic Easy VPN 546
Exam Preparation Tasks 548
  Review All Key Topics 548
  Complete Tables and Lists from Memory 548
  Define Key Terms 548
Chapter 17 Advanced Authentication and Authorization Using Easy VPN 551
“Do I Know This Already?” Quiz 551
Foundation Topics 553
Authentication Options and Strategies 553
Configuring PKI with IPsec Easy VPNs 556
Configuring Mutual/Hybrid Authentication 561
Configuring Digital Certificate Mappings 562
Provisioning Certificates from a Third-Party CA 566
Advanced PKI Deployment Strategies 570
Troubleshooting Advanced Authentication for Easy VPN 575
Exam Preparation Tasks 577
  Review All Key Topics 577
  Complete Tables and Lists from Memory 577
  Define Key Terms 577
Chapter 18 Advanced Easy VPN Authorization 579
“Do I Know This Already?” Quiz 579
Foundation Topics 581
Configuration Procedures, Deployment Strategies, and Information Gathering 581
Configuring Local and Remote Group Policies 582
  Assigning a Group Policy to a Local User Account 586
  Assigning a Group Policy to a Connection Profile 586
Accounting Methods for Operational Information 588
  NetFlow 9 591
  RADIUS VPN Accounting 593
  SNMP 594
Exam Preparation Tasks 597
  Review All Key Topics 597
  Complete Tables and Lists from Memory 597
  Define Key Terms 597
Chapter 19 High Availability and Performance for Easy VPN 599
“Do I Know This Already?” Quiz 599
Foundation Topics 602
Configuration Procedures, Deployment Strategies, and Information Gathering 602
Easy VPN Client HA and Failover 604
Hardware-Based Failover with VPNs 606
  Configure Optional Active/Standby Failover Settings 610
Clustering Configuration for Easy VPN 612
Troubleshooting Device Failover and Clustering 615
Exam Preparation Tasks 619
  Review All Key Topics 619
  Complete Tables and Lists from Memory 619
  Define Key Terms 619
Chapter 20 Easy VPN Operation Using the ASA 5505 as a Hardware Client 621
“Do I Know This Already?” Quiz 621
Foundation Topics 623
Easy VPN Remote Hardware Client Overview 623
  Client Mode 623
  Network Extension Mode 624
Configuring a Basic Easy VPN Remote Client Using the ASA 5505 625
Configuring Advanced Easy VPN Remote Client Settings for the ASA 5505 627
  X-Auth and Device Authentication 627
  Remote Management 629
  Enable Tunneled Management 630
  Clear Tunneled Management 630
  NAT Traversal 631
  Device Pass-Through 632
Troubleshooting the ASA 5505 Easy VPN Remote Hardware Client 633
Exam Preparation Tasks 637
  Review All Key Topics 637
  Complete Tables and Lists from Memory 637
  Define Key Terms 637
Part VI Cisco IPsec Site-to-Site VPN Solutions
Chapter 21 Deploying IPsec Site-to-Site VPNs 639
“Do I Know This Already?” Quiz 639
Foundation Topics 642
Configuration Procedures, Deployment Strategies, and Information Gathering 642
IKEv1 Phase 1 644
IKEv1 Phase 2 (Quick Mode) 645
Configuring a Basic IPsec Site-to-Site VPN 647
  Configure Basic Peer Authentication 647
  Enable IKEv1 on the Interface 648
  Configure IKEv1 Policies 648
  Configure Pre-Shared Keys 649
  Configure Transmission Protection 650
  Select Transform Set and VPN Peer 650
  Define Interesting Traffic 652
Configure Advanced Authentication for IPsec Site-to-Site VPNs 656
Troubleshooting an IPsec Site-to-Site VPN Connection 661
  Tunnel Not Establishing: Phase 1 662
  Tunnel Not Establishing: Phase 2 662
  Traffic Not Passing Through Your Tunnel 662
Exam Preparation Tasks 664
  Review All Key Topics 664
  Complete Tables and Lists from Memory 664
  Define Key Terms 664
Chapter 22 High Availability and Performance Strategies for IPsec Site-to-Site VPNs 667
“Do I Know This Already?” Quiz 667
Foundation Topics 669
Configuration Procedures, Deployment Strategies, and Information Gathering 669
High Assurance with QoS 670
  Basic ASDM QoS Configuration 672
Deploying Redundant Peering for Site-to-Site VPNs 678
Site-to-Site VPN Redundancy Using Routing 679
Hardware-Based Failover with VPNs 683
  Configure LAN Failover Interfaces 684
  Configure Standby Addresses on Interfaces Used for Traffic Forwarding 685
  Define Failover Criteria 686
  Configure Nondefault MAC Addresses 686
Troubleshooting HA Deployment 688
Exam Preparation Tasks 690
  Review All Key Topics 690
  Complete Tables and Lists from Memory 690
  Define Key Terms 690
Part VII Exam Preparation
Chapter 23 Final Exam Preparation 693
Tools for Final Preparation 693
  Pearson Cert Practice Test Engine and Questions on the CD 693
  Install the Software from the CD 694
  Activate and Download the Practice Exam 694
  Activating Other Exams 695
  Premium Edition 695
  The Cisco Learning Network 695
  Memory Tables 695
Suggested Plan for Final Review/Study 696
  Using the Exam Engine 696
Summary 697
Part VIII Appendixes
Appendix A Answers to the “Do I Know This Already?” Quizzes 699
Appendix B 642-647 CCNP Security VPN Exam Updates, Version 1.0 703
Appendix C Memory Tables (CD only)
Appendix D Memory Tables Answer Key (CD only)
Glossary 707
9781587142567 TOC 6/20/2011
Includes index