7/28/2019 Cisco Security Curriculum-Course outlines
CISCO SYSTEMS, INC.
Security Curriculum Course Outline
10/13/2009
Created by Davie Chia ([email protected]), CCSP program manager
Security Curriculum Course Outline 2009 Cisco Systems, Inc.
CONTENT:
IINS (CCNA Security)
SNRS (CCSP core)
IPS (CCSP core)
SNAF (CCSP core)
SNAA (CCSP elective)
MARS (CCSP elective)
CANAC (CCSP elective)
2008 Cisco Systems, Inc. Course Administration Guide
IINS Course Outline
Overview
Implementing Cisco IOS Network Security (IINS) v1.0 is an instructor-led course presented by Cisco training partners to their end-user customers. This five-day course focuses on the necessity of a comprehensive security policy and how it affects the posture of the network. Learners will be able to perform basic tasks to secure a small branch type office network using Cisco IOS security features available through web-based GUIs (Cisco Router and Security Device Manager [SDM]) and the command-line interface (CLI) on the Cisco routers and switches.
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Develop a comprehensive network security policy to counter threats against information security
Configure routers on the network perimeter with Cisco IOS Software security features
Configure firewall features including ACLs and Cisco IOS zone-based firewalls to perform basic security operations on a network
Configure site-to-site VPNs using Cisco IOS features
Configure IPS on Cisco network routers
Configure LAN devices to control access, resist attacks, shield other network devices and systems, and protect the integrity and confidentiality of network traffic
High-Level Course Outline
This subtopic provides an overview of how the course is organized. The course contains these seven components:
Introduction to Network Security Principles
Perimeter Security
Network Security Using Cisco IOS Firewalls
Site-to-Site VPNs
Network Security Using Cisco IOS IPS
LAN, SAN, Voice, and Endpoint Security Overview
Detailed Course Outline
Module 1: Introduction to Network Security Principles
Upon completing this module, the learner will be able to develop a comprehensive network security policy to counter threats against information security.
Lesson 1: Examining Network Security Fundamentals
This lesson describes the core principles that are part of a secure network. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how sophisticated attack tools and open networks generate an increased need for network security and dynamic security policies
Describe the three primary objectives of security
Describe the different classifications of data that are used by the private sector and the public sector
Describe the three primary types of security controls
Describe some of the factors that are involved in responding to a security breach
Identify key laws and codes of ethics that are binding to INFOSEC professionals
The lesson includes these topics:
The Need for Network Security
Network Security Objectives
Data Classification
Security Controls
Response to a Security Breach
Laws and Ethics
Lesson 2: Examining Network Attack Methodologies
This lesson describes various attack methods and how to plan a defense in depth to help protect your network from these attacks. Upon completing this lesson, the learner will be able to meet these objectives:
Describe network adversaries, motivations, and classes of attack
Describe how hackers work so that you have a better appreciation of the threats they pose
Describe the concept of defense in depth
Describe how attackers use IP spoofing to launch various types of attacks
Describe several attack methods that attackers use to compromise confidentiality
Describe several attack methods that attackers use to compromise integrity
Describe several attack methods that attackers use to compromise availability
Describe some best practices that can help defend your network against hackers
The lesson includes these topics:
Adversaries, Motivations, and Classes of Attack
How Hackers Think
The Principles of Defense in Depth
IP Spoofing Attacks
Confidentiality Attacks
Integrity Attacks
Availability Attacks
Best Practices to Defeat Network Attacks
The lesson includes this activity:
Lab 1-1: Embedding a Secret Message Using Steganography
Lesson 3: Examining Operations Security
This lesson describes the principles behind operations security and how correct practices increase security, including security testing, a secure life cycle, and business continuity planning. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the SDLC and how you use it to design a Secure Network Lifecycle management process
Identify key operations security principles
Explain various network security testing techniques and tools
Explain the principles of disaster recovery and business continuity planning and give examples of how they are practiced
The lesson includes these topics:
Secure Network Lifecycle Management
Principles of Operations Security
Network Security Testing
Disaster Recovery and Business Continuity Planning
The lesson includes these activities:
Lab 1-2: Scanning a Computer System Using Testing Tools
Lab 1-3: Scanning a Network Using Testing Tools
Lesson 4: Understanding and Developing a Comprehensive Network Security Policy
This lesson describes how increasing network security threats demand comprehensive network security policies, and describes the main activities in each phase of a secure network lifecycle. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the essential functions and goals of a security policy and how to use them to create a security policy
Identify commonly used policy documents and standards, and explain the differences between these standards and procedures
Identify the various roles that are played within an enterprise for the development and maintenance of a security policy
Describe the role that risk management plays in the development of a security policy
Describe the system-level security principles that should be considered throughout the lifecycle of a secure network
Describe how training and other awareness techniques can help to increase the effectiveness of a security policy
The lesson includes these topics:
Security Policy Overview
Policies, Standards, and Procedures
Roles and Responsibilities
Risk Management
Principles of Secure Network Design
Security Awareness
Lesson 5: Building Cisco Self-Defending Networks
This lesson describes how to implement the Cisco Self-Defending Network strategy by enhancing the existing network infrastructure with Cisco technologies, products, and solutions. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how changing threats and challenges demand a new approach to network security
Describe the components of the Cisco Self-Defending Network strategy
Describe the positioning and benefits of the Cisco integrated security portfolio
The lesson includes these topics:
Changing Threats and Challenges
Building a Cisco Self-Defending Network
Cisco Integrated Security Portfolio
Module 2: Perimeter Security
Upon completing this module, the learner will be able to configure routers on the network perimeter with Cisco IOS Software security features.
Lesson 1: Securing Administrative Access to Cisco Routers
This lesson defines how to secure the physical installation of and administrative access to Cisco routers based on different network requirements using the CLI. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the security features of the Cisco IOS Software on Cisco routers
Describe the security features of the Cisco Integrated Services Routers
Configure passwords and login failure rates using the CLI to secure administrative access to Cisco routers
Configure multiple privilege levels using the CLI to secure administrative access to Cisco routers
Configure role-based CLI access to create views
Configure the Cisco IOS resilient configuration feature using the CLI to secure the Cisco IOS image and configuration file
Configure virtual login connection security using the CLI
Configure a banner message using the CLI to secure administrative access to Cisco routers
The lesson includes these topics:
Cisco IOS Security Features
Introducing the Cisco Integrated Services Router Family
Configuring Secure Administrative Access
Setting Multiple Privilege Levels
Configuring Role-Based CLI Access
Securing the Cisco IOS Image and Configuration Files
Configuring Enhanced Support for Virtual Logins
Configuring Banner Messages
The lesson includes this activity:
Lab 2-1: Securing Administrative Access to Cisco Routers
Lesson 2: Introducing Cisco SDM
This lesson describes the features and wizards of Cisco SDM, and describes how to launch and navigate Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the key features, concepts, and purpose of Cisco SDM
Set up a router to run Cisco SDM and Cisco SDM Express
Launch Cisco SDM Express to configure a new router
Launch Cisco SDM
Navigate Cisco SDM
Describe the common wizards available in Cisco SDM
The lesson includes these topics:
Cisco SDM Overview
Supporting Cisco SDM and Cisco SDM Express
Launching Cisco SDM Express
Launching Cisco SDM
Navigating the Cisco SDM Interface
Cisco SDM Wizards
Lesson 3: Configuring AAA on a Cisco Router Using the Local Database
This lesson defines how to configure a Cisco router to perform authentication, authorization, and accounting (AAA) authentication with a local database using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functions and importance of AAA
Describe the different ways to implement AAA services on Cisco routers
Describe the steps to authenticate user access to a Cisco router using a local database
Configure AAA using Cisco SDM to support using the local database
Troubleshoot AAA on a Cisco router using the debug aaa command
The lesson includes these topics:
AAA Overview
Introduction to AAA for Cisco Routers
Using Local Services to Authenticate Router Access
Configuring Local Database Authentication Using AAA
Troubleshooting AAA on Cisco Routers
The lesson includes this activity:
Lab 2-2: Configuring AAA on Cisco Routers to Use the Local Database
Lesson 4: Configuring AAA on a Cisco Router to Use Cisco Secure ACS
This lesson describes the operation of external AAA sources such as RADIUS and TACACS+ servers and defines how to configure a Cisco router to use Cisco Secure Access Control Server (ACS) to perform AAA. Upon completing this lesson, the learner will be able to meet these objectives:
List the features and benefits of Cisco Secure ACS products and describe their function in a network security solution
Describe and compare the TACACS+ and RADIUS protocols
Install Cisco Secure ACS for Windows
Configure the Cisco Secure ACS server
Configure Cisco Routers to use TACACS+ as a AAA protocol using the CLI and Cisco SDM
Describe troubleshooting TACACS+ using debug commands from the CLI
The lesson includes these topics:
Cisco Secure ACS Overview
TACACS+ and RADIUS Protocols
Installing Cisco Secure ACS for Windows
Configuring the Server
Configuring TACACS+ Support on a Cisco Router
Troubleshooting TACACS+
The lesson includes this activity:
Lab 2-3: Configuring AAA on Cisco Routers to Use Cisco Secure ACS
Lesson 5: Implementing Secure Management and Reporting
This lesson defines how to securely implement the management and reporting features of syslog, Simple Network Management Protocol (SNMP), Secure Shell (SSH), and Network Time Protocol (NTP). Upon completing this lesson, the learner will be able to meet these objectives:
Describe the factors you must consider when planning the secure management and reporting configuration of network devices
Describe the architecture of secure management and reporting
Describe the key role that syslog plays in network security
Use Cisco SDM to monitor log messages
Describe the security features of SNMPv3
Configure an SSH daemon for secure management and reporting
Enable time features with Cisco SDM
The lesson includes these topics:
Planning Considerations for Secure Management and Reporting
Secure Management and Reporting Architecture
Using Syslog Logging for Network Security
Using Logs to Monitor Network Security
Using SNMP
Configuring an SSH Daemon for Secure Management and Reporting
Enabling Time Features
The lesson includes this activity:
Lab 2-4: Implementing Secure Management and Reporting
Lesson 6: Locking Down the Router
This lesson defines how to examine router configurations with the Security Audit feature of Cisco SDM and make the router and network more secure by using the one-step lockdown feature in Cisco SDM or the command auto secure. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the router services and interfaces that are vulnerable to network attacks
Explain the vulnerabilities posed by commonly configured router management services
Use the Cisco SDM Security Audit feature to determine and to fix router security vulnerabilities
Use the Cisco SDM one-step lockdown feature or the CLI auto secure command to secure a router
Explain the limitations of using the Cisco SDM one-step lockdown feature or the CLI auto secure command
The lesson includes these topics:
Vulnerable Router Services and Interfaces
Management Service Vulnerabilities
Performing a Security Audit
Locking Down a Cisco Router
Limitations and Cautions
The lesson includes this activity:
Lab 2-5: Using Cisco SDM One-Step Lockdown and Security Audit
Module 3: Network Security Using Cisco IOS Firewalls
Upon completing this module, the learner will be able to configure firewall features including access control lists (ACLs) and Cisco IOS zone-based policy firewalls to perform basic security operations on a network.
Lesson 1: Introducing Firewall Technologies
This lesson describes the operations of the different types of firewall technologies, and the firewall technologies that are embedded in Cisco routers and Cisco security appliances. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the role of firewalls in securing networks
Describe the role of firewalls in a layered defense strategy
Describe how a static packet filter allows or blocks data packets as they pass through a network interface
Describe how application layer or proxy firewalls control or monitor inbound and outbound traffic
Describe how dynamic or stateful inspection packet filtering improves network security and performance
Describe additional types of firewalls, including application inspection firewalls and transparent firewalls
Describe the features of the Cisco IOS Firewall, Cisco PIX 500 Series Security Appliances, and Cisco ASA 5500 Series Adaptive Security Appliances
Develop an effective firewall policy that is based on firewall best practices
The lesson includes these topics:
Firewall Fundamentals
Firewalls in a Layered Defense Strategy
Static Packet Filtering Firewalls
Application Layer Gateways
Dynamic or Stateful Packet Filtering Firewalls
Other Types of Firewalls
Cisco Family of Firewalls
Developing an Effective Firewall Policy
Lesson 2: Creating Static Packet Filters Using ACLs
This lesson defines how to create static packet filters using ACLs. Upon completing this lesson, the learner will be able to meet these objectives:
Explain how ACLs are used to control access in networks
Define wildcard masks and explain how they are used by ACLs
Configure and apply ACLs to router interfaces using the CLI
Explain the caveats you must consider when creating ACLs
Configure standard and extended ACLs using Cisco SDM
Configure ACLs to protect common network services
The lesson includes these topics:
ACL Fundamentals
ACL Wildcard Masking
Using ACLs to Control Traffic
ACL Considerations
Configuring ACLs Using SDM
Using ACLs to Permit and Deny Network Services
The lesson includes this activity:
Lab 3-1: Creating Static Packet Filters Using ACLs
Lesson 3: Configuring Cisco IOS Zone-Based Policy Firewall
This lesson defines how to configure a Cisco IOS zone-based policy firewall on your network using the Cisco SDM wizard. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the principles of zone-based policy firewalls
Configure a zone-based policy firewall using Cisco SDM Basic Firewall wizard
Configure a zone-based policy firewall manually using Cisco SDM
Verify the zone-based policy firewall configuration using Cisco SDM and the CLI
The lesson includes these topics:
Zone-Based Policy Firewall Overview
Configuring Zone-Based Policy Firewalls Using the Basic Firewall Wizard
Manually Configuring Zone-Based Policy Firewalls Using Cisco SDM
Monitoring a Zone-Based Policy Firewall
The lesson includes this activity:
Lab 3-2: Configuring a Cisco IOS Zone-Based Policy Firewall
Module 4: Site-to-Site VPNs
After completing this module, the learner will be able to configure site-to-site virtual private networks (VPNs) using Cisco IOS features.
Lesson 1: Examining Cryptographic Services
This lesson describes how encryption, hashing, and digital signatures provide confidentiality, integrity, and nonrepudiation. Upon completing this lesson, the learner will be able to meet these objectives:
Define cryptology, cryptanalysis, and encryption, and explain the symbiotic relationship between cryptanalysis and encryption
Explain the difference between, and the functionality of, symmetric and asymmetric encryption algorithms
Describe the differences between block and stream ciphers
Describe the basic forms of encryption, as well as their differences and their benefits
Explain the importance and function of cryptographic hashes
Explain the importance of key length, key creation, key distribution, key recovery, and key destruction
Describe the basic functions, advantages, and disadvantages of SSL VPNs
The lesson includes these topics:
Cryptology Overview
Symmetric and Asymmetric Encryption Algorithms
Block and Stream Ciphers
Encryption Algorithm Selection
Cryptographic Hashes
Key Management
Introducing SSL VPNs
Lesson 2: Examining Symmetric Encryption
This lesson defines how to describe the methods, algorithms, and purposes of symmetric encryption. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the generic functionality of symmetric encryption algorithms
Describe the features and functions of the DES algorithm
Describe the features and functions of the 3DES algorithm
Describe the features and functions of the AES algorithm
Describe the features and functions of the SEAL algorithm
Describe the features and functions of several algorithms written by Ron Rivest
The lesson includes these topics:
Symmetric Encryption Overview
DES Features and Functions
3DES Features and Functions
AES Features and Functions
SEAL Features and Functions
Rivest Ciphers Features and Functions
Lesson 3: Examining Cryptographic Hashes and Digital Signatures
This lesson describes the use and purpose of hashes and digital signatures in providing integrity and nonrepudiation. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the generic functionality of hash algorithms and the HMAC variant
Describe the features and functions of the MD5 algorithm
Describe the features and functions of the SHA-1 algorithm
Explain the generic functionality of digital signatures
Describe the features and functions of the DSS
The lesson includes these topics:
Overview of Hash Algorithms and HMACs
MD5 Features and Functions
SHA-1 Features and Functions
Overview of Digital Signatures
DSS Features and Functions
Lesson 4: Examining Asymmetric Encryption and PKI
This lesson describes the use and purpose of asymmetric encryption and public key infrastructure (PKI). Upon completing this lesson, the learner will be able to meet these objectives:
Explain the generic functionality of asymmetric encryption algorithms
Describe the features and functions of the RSA algorithm
Describe the features and functions of the DH key exchange algorithm
Explain the principles behind a PKI
Explain the PKI standards
Explain the role of CAs and RAs in a PKI
The lesson includes these topics:
Asymmetric Encryption Overview
RSA Features and Functions
DH Features and Functions
PKI Definitions and Algorithms
PKI Standards
Certificate Authorities
Lesson 5: Examining IPsec Fundamentals
This lesson describes the fundamental concepts, technologies, and terms that IP Security (IPsec) VPNs use. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the purpose and types of VPNs, contrast SSL with IPsec VPNs, and define where to use VPNs in a network
List the Cisco VPN product line and describe the security features of these products
Describe the IPsec protocol and its basic functions
Describe the advantages of IPsec VPNs compared with other types of VPNs
Describe the ESP protocols, the AH protocols, and the tunnel modes that IPsec uses
List and describe the IKE protocols
The lesson includes these topics:
VPN Overview
Cisco VPN Product Family
Introducing IPsec
IPsec Advantages
IPsec Protocol Framework
IKE Protocol
Lesson 6: Building a Site-to-Site IPsec VPN
This lesson describes how to configure a site-to-site IPsec VPN. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the five steps of IPsec operation
Describe the procedure to configure IPsec
Ensure that ACLs are compatible with IPsec
Describe and configure the IKE parameters using the CLI
Configure the IPsec transform sets using the CLI
Configure the cryptographic ACL and other IPsec settings using the CLI
Configure and apply a cryptographic map to an interface using the CLI
Confirm the IPsec configuration
The lesson includes these topics:
Site-to-Site IPsec VPN Operations
Configuring IPsec
Site-to-Site IPsec Configuration - Step 1
Site-to-Site IPsec Configuration - Step 2
Site-to-Site IPsec Configuration - Step 3
Site-to-Site IPsec Configuration - Step 4
Site-to-Site IPsec Configuration - Step 5
Verifying the IPsec Configuration
Lesson 7: Configuring IPsec on a Site-to-Site VPN Using Cisco SDM
This lesson defines how to configure a site-to-site IPsec VPN with preshared keys (PSKs) authentication using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how to navigate the Cisco SDM site-to-site VPN Wizard interface
Describe the components that you configure when you use the Cisco SDM site-to-site VPN wizard
Configure the site-to-site VPN tunnel connections using the Cisco SDM wizards
Complete the site-to-site VPN configuration using Cisco SDM and verify the VPN configuration
The lesson includes these topics:
Introducing the Cisco SDM VPN Wizard Interface
Site-to-Site VPN Components
Using the Cisco SDM Wizards to Configure Site-to-Site VPNs
Completing the Configuration
The lesson includes this activity:
Lab 4-1: Configuring a Site-to-Site IPsec VPN
Module 5: Network Security Using Cisco IOS IPS
Upon completing this module, learners will be able to configure IPS on Cisco network routers.
Lesson 1: Introducing IPS Technologies
This lesson describes the underlying intrusion detection system (IDS) and intrusion prevention system (IPS) technology that is embedded in the Cisco host- and network-based IDS and IPS solutions. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functions and operations of IDS and IPS systems
Describe the types of IDS and IPS systems
Describe IPS technologies, attack responses, and monitoring options such as syslog and SDEE
Describe host and network-based IDS and IPS monitoring
Explain the available Cisco IPS appliances
Explain how IDS and IPS signatures are used to detect malicious network traffic and describe different types of signatures
Describe signature micro-engines
Describe the role of signature alarms in a Cisco IPS solution
Describe IPS policies and best practices
The lesson includes these topics:
Introducing IDS and IPS
Types of IDS and IPS Systems
Intrusion Prevention Technologies
Host and Network IPS
Introducing Cisco IPS Appliances
Introducing Signatures
Examining Signature Micro-Engines
Introducing Signature Alarms
IPS Best Practices
Lesson 2: Configuring Cisco IOS IPS Using Cisco SDM
This lesson defines how to configure Cisco IOS IPS using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the IPS features of Cisco IOS Software
Configure Cisco IOS IPS using Cisco SDM
Configure IPS signatures using Cisco SDM
Monitor a Cisco IOS IPS router using Cisco SDM and the CLI
Verify Cisco IOS IPS operations
The lesson includes these topics:
Cisco IOS IPS Features
Configuring Cisco IOS IPS Using Cisco SDM
Configuring IPS Signatures
Monitoring IOS IPS
Verifying IPS Operation
The lesson includes this activity:
Lab 5-1: Configuring Cisco IOS IPS
Module 6: LAN, SAN, Voice, and Endpoint Security Overview
You will be able to configure LAN devices to control access, resist attacks, shield other network devices and systems, and protect the integrity and confidentiality of network traffic.
Lesson 1: Examining Endpoint Security
This lesson describes the current endpoint protection methods, such as host intrusion protection system (HIPS), integrity checkers, operating system protection, and the Cisco NAC Appliance. Upon completing this lesson, the learner will be able to meet these objectives:
Describe what endpoint security is and the fundamental principles that are involved in host security
Describe buffer overflows and the threat that they present
Describe the features of IronPort products and how they enhance and complement endpoint security
Describe the features of the Cisco NAC Appliance and how it enhances and complements endpoint security
Describe the functions of Cisco Security Agent at a high level and describe how it provides endpoint security
Provide a list of basic host security principles
The lesson includes these topics:
What Is Endpoint Security?
Buffer Overflows
IronPort
Cisco NAC Products
Cisco Security Agent
Endpoint Security Best Practices
Lesson 2: Examining SAN Security
This lesson defines how to describe the risks and countermeasures for storage area networks (SANs) security. Upon completing this lesson, the learner will be able to meet these objectives:
Describe a SAN and its benefits
Describe the basic principles of SANs
Explain various security strategies that can be used to compartmentalize data for security purposes
The lesson includes these topics:
What Is a SAN?
SANs Fundamentals
SAN Security Scope
Lesson 3: Examining Voice Security
This lesson describes the risks and countermeasures to IP telephony. Upon completing this lesson, the learner will be able to meet these objectives:
Describe VoIP fundamentals
Describe security threats to VoIP networks
Define SPIT and describe how it poses a security threat against voice-enabled networks
Explain how fraud can cost VoIP customers considerable sums of money
Describe various SIP vulnerabilities
Describe how to prevent hacking on VoIP networks
The lesson includes these topics:
VoIP Fundamentals
Voice Security Threats
Spam over IP Telephony
Fraud
SIP Vulnerabilities
Defending Against VoIP Hacking
Lesson 4: Mitigating Layer 2 Attacks
This lesson defines how to mitigate Layer 2 attacks against network topologies and protocols. Upon completing this lesson, the learner will be able to meet these objectives:
Explain how basic switch operation makes networks vulnerable to attacks at Layer 2
Configure Cisco switches to mitigate VLAN attacks
Explain how to prevent STP manipulation
Describe how an attacker can flood a switch by launching a CAM table overflow attack
Describe how a MAC spoofing attack can be launched and mitigated
Describe and configure port security as a key step in defending networks from Layer 2 attacks
Describe some of the additional features available in Cisco switch security including SPAN, RSPAN, and storm control
Describe Layer 2 best practices and explain how they mitigate attacks on specific areas of Layer 2 hardware and software components
The lesson includes these topics:
Basic Switch Operation
Mitigating VLAN Attacks
Preventing STP Manipulation
CAM Table Overflow Attacks
MAC Address Spoofing Attacks
Using Port Security
Additional Switch Security Features
Layer 2 Best Practices
The lesson includes this activity:
Lab 6-1: Using Cisco Catalyst Switch Security Features
SNRS - Course Outline
Overview
Securing Networks with Cisco Routers and Switches (SNRS) v3.0 is an instructor-led course presented by Cisco training partners to their end-user customers. This five-day course focuses on providing the network specialists with the knowledge and skills needed to secure Cisco IOS router and switch-based networks. Learners will be able to secure the network environment using existing Cisco IOS features, including installing and configuring Cisco IOS Classic Firewall, Cisco IOS Zone-Based Policy Firewall, user group-based firewall, Cisco IOS intrusion prevention system (IPS), authentication proxy, implementing secure tunnels using IP Security (IPsec) technology, and implementing advanced switch security. This course also covers advanced virtual private network (VPN) technologies.
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Implement Layer 2 security features on a network using Cisco IOS commands
Implement Cisco Network Foundation Protection on Cisco IOS routers
Design, install, configure, and troubleshoot site-to-site VPNs using Cisco Integrated Services routers
Design, install, configure, and troubleshoot remote-access communications using Cisco IOS security features
Install, configure, and troubleshoot URL filtering, NAT and PAT, Cisco IOS Classic Firewall, Cisco IOS Zone-Based Policy Firewall, and Cisco IOS IPS on a Cisco Integrated Services router
High-Level Course Outline
This subtopic provides an overview of how the course is organized. The course contains these components:
Course Introduction
Network Platform Security with Switches
Network Platform Security with Routers
Secure Site-to-Site Communications
Secure Remote Access Communications
Threat Control and Containment
Detailed Course Outline
Module 1: Network Platform Security with Switches
Upon completing this module, the learner will be able to implement Layer 2 security features on a network using Cisco IOS commands.
Lesson 1: Configuring Advanced Layer 2 Security
This lesson describes how to implement some of the advanced security features of Cisco IOS switches. Upon completing this lesson, the learner will be able to meet these objectives:
Describe and configure the different types of ACLs available on switches
Explain how to use PVLANs to partition the Layer 2 broadcast domain of a VLAN into subdomains to improve scalability and security
Mitigate DHCP attacks using the Cisco DHCP snooping feature
Mitigate ARP spoofing using DAI
Configure IP Source Guard to provide source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host
Describe Layer 2 best practices
The lesson includes these topics:
Examining Switch ACLs
Understanding PVLANs
Mitigating DHCP Server Attacks
Mitigating ARP Spoofing Using DAI
Examining IP Source Guard
Layer 2 Best Practices
The lesson includes this activity:
Lab 1-1: Configure Advanced Layer 2 Security
Lesson 2: Introducing Cisco IBNS
This lesson describes the Cisco Identity Based Networking Services (IBNS) model and explains how IEEE 802.1X helps to control network access. Upon completing this lesson, the learner will be able to meet these objectives:
Explain how Cisco IBNS improves the security of physical and logical access to LANs with the capabilities defined in 802.1X
Describe the 802.1X standard and 802.1X components
Examine Cisco Secure Services Client Version 5.0 and its enterprise management tools
Explain the processes used in 802.1X
Explain the different EAP types that are available for an 802.1X implementation
Explain how various logs, such as ACS logs and Cisco Security MARS logs, can be used to examine 802.1X events
The lesson includes these topics:
Cisco IBNS Overview
802.1X Components
Cisco Secure Services Client Version 5.0
802.1X Operations
EAP Types
Reporting and Monitoring Cisco IBNS
Lesson 3: Implementing Basic 802.1X Authentication
This lesson describes how to configure basic IEEE 802.1X port-based authentication using Cisco Secure Access Control Server (ACS) and a Cisco Catalyst 2960 Series Switch from the command-line interface (CLI). Upon completing this lesson, the learner will be able to meet these objectives:
Describe the functions and features of Cisco Secure ACS for Windows Server
Configure simple 802.1X authentication using the Windows supplicant
Explain the different 802.1X host modes
Configure 802.1X timers
Use show and debug commands to verify and test 802.1X operation
The lesson includes these topics:
Cisco Secure ACS for Windows Overview
Configuring 802.1X Authentication
802.1X Host Modes
Configuring 802.1X Timers
Verify 802.1X Operation
The lesson includes this activity:
Lab 1-2: Configure Basic 802.1X Authentication
Lesson 4: Configuring Advanced 802.1X Authentication and Authorization
This lesson describes how to configure advanced 802.1X port-based authentication and authorization on a Cisco Catalyst 2960 Series Switch using the command-line interface (CLI). Upon completing this lesson, the learner will be able to meet these objectives:
Describe methods you can use to support devices that do not support 802.1X
Configure guest VLANs to support hosts that do not have a supplicant
Configure restricted VLANs to support hosts that have a supplicant but fail to authenticate
Configure MAC authentication bypass for hosts that have known MAC addresses but do not have an 802.1X supplicant
Configure inaccessible authentication bypass to support an unavailable RADIUS server
Explain how to configure web authentication
Configure 802.1X dynamic VLAN assignment
Use show commands to verify the MAC authentication bypass and inaccessible authentication bypass operation
Explain several special situations that can occur with 802.1X deployments
The lesson includes these topics:
Authenticating Without 802.1X
Guest VLANs
Restricted VLANs
MAC Authentication Bypass
Inaccessible Authentication Bypass
Web Authentication Proxy
802.1X Dynamic VLAN Assignments
Testing and Verifying 802.1X
Special Situations with 802.1X
The lesson includes these activities:
Lab 1-3: Configure Advanced 802.1X Authentication
Lab 1-4: Configure 802.1X VLAN Assignments
Module 2: Network Platform Security with Routers
Upon completing this module, the learner will be able to implement Cisco Network Foundation Protection on Cisco IOS routers.
Lesson 1: Examining the Cisco Network Foundation Protection Strategy
This lesson describes the Cisco Network Foundation Protection strategy. Upon completing this lesson, the learner will be able to meet these objectives:
Describe Cisco Network Foundation Protection in general
Describe the features and benefits of Cisco Network Foundation Protection
Describe the Cisco AutoSecure feature of Cisco routers
List the platforms that support Cisco Network Foundation Protection
The lesson includes these topics:
Cisco Network Foundation Protection Overview
Cisco Network Foundation Protection Services and Benefits
Cisco AutoSecure
Supported Platforms
Lesson 2: Securing the Control Plane
This lesson describes tools that are used to secure the control plane of a Cisco router. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the control plane of a router
Describe the basic function and benefits of CPPr
Explain the benefit of routing protocol authentication and how to configure routers
Describe CPU and memory threshold notifications
The lesson includes these topics:
The Control Plane
Control Plane Protection
Routing Protocol Protection
CPU and Memory Thresholding
Lesson 3: Securing the Management Plane
This lesson describes how to protect the management plane of Cisco devices. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the management plane and configure common secure management protocols
Configure HTTPS
Describe and configure the Role-Based CLI Access feature
Describe and configure the Cisco MPP feature
Describe and configure SNMPv3
The lesson includes these topics:
The Management Plane
Secure Management Services
Role-Based Access Control
Cisco IOS MPP
SNMP v3 Architecture
Lesson 4: Securing the Data Plane
This lesson describes tools that are used to protect the data plane of a Cisco router. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the data plane, data plane attacks, and the effects these attacks have on network devices
Explain NetFlow and how to configure it
Describe and configure uRPF
Describe and configure Cisco IOS FPM
The lesson includes these topics:
The Data Plane
NetFlow
Configuring uRPF
Cisco IOS FPM
The lesson includes this activity:
Lab 2-1: Configure the Cisco Network Foundation Protection Strategy
Module 3: Secure Site-to-Site Communications
Upon completing this module, the learner will be able to design, install, configure, and troubleshoot site-to-site VPNs using Cisco Integrated Services Routers.
Lesson 1: Examining VPN and IPsec Fundamentals
This lesson describes basic characteristics and protocols used in IPsec configurations and describes the various types of VPNs available using Cisco IOS Software, including IPsec, Dynamic Multipoint Virtual Private Network (DMVPN), Group Encrypted Transport VPN (GET VPN), Cisco Easy VPN, and Cisco IOS Secure Sockets Layer (SSL) VPN. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the basic functionality and protocols involved with IPsec VPNs
Describe different types of site-to-site VPNs, including fully-meshed, hub-and-spoke, IPsec, Cisco Easy VPN with VTI, GRE over IPsec, DMVPN, and GET VPN
Describe Cisco Easy VPN and Cisco IOS SSL VPNs
Explain the VPN design guide that is available in Cisco SDM
Configure global VPN router settings in Cisco SDM
The lesson includes these topics:
IPsec Overview
Site-to-Site VPNs
Cisco Easy VPN and Cisco IOS SSL VPNs
VPN Design Guide
Global VPN Settings
Lesson 2: Implementing IPsec VPNs with PKI
This lesson describes how to configure a Cisco IOS certificate authority (CA) and an IPsec site-to-site VPN using digital certificates. Upon completing this lesson, the learner will be able to meet these objectives:
Describe Cisco IOS PKI support
Describe the use of CAs and RAs
Describe how SCEP manages the certificate lifecycle
Describe and configure the Cisco IOS CA Server
Configure CA interoperability on a Cisco router using Cisco SDM
Configure a PKI-based IPsec site-to-site VPN on a router using Cisco SDM
Troubleshoot CA interoperability using the CLI
Test and verify IPsec configurations using the CLI
The lesson includes these topics:
Cisco IOS PKI Overview
Certificate Authorities
Examining SCEP
Cisco IOS CA Server
Configuring CA support
Configuring a PKI-Based IPsec Site-to-Site VPN
Testing and Verifying CA Support
Testing and Verifying IPsec
The lesson includes this activity:
Lab 3-1: Configure a Site-to-Site VPN Using Certificates
Lesson 3: Implementing GRE over IPsec
This lesson describes how to configure Generic Routing Encapsulation (GRE)-over-IPsec tunnels. Upon completing this lesson, the learner will be able to meet these objectives:
Describe GRE tunnels
Configure a GRE tunnel
Configure a GRE tunnel with IPsec encryption using Cisco SDM and verify the resulting CLI configurations
Generate mirror configurations
Verify GRE-over-IPsec operations using the CLI
The lesson includes these topics:
Examining GRE Tunnels
Configuring a GRE Tunnel
Configuring a GRE-Over-IPsec Tunnel
Generate a Mirror Configuration
Testing and Verifying GRE Over IPsec
The lesson includes this activity:
Lab 3-2: Configure a GRE over IPsec Tunnel
Lesson 4: Configuring High-Availability VPNs and VTI
This lesson describes how to configure high-availability VPN technologies. Upon completing this lesson, the learner will be able to meet these objectives:
Describe high availability for IPsec VPNs
Explain how to achieve high availability with IPsec VPNs using redundant peers and how to configure it
Describe HSRP, the role it plays in high availability, and how to configure it
Describe Cisco IOS stateful failover and how to configure it
Explain how to back up WAN links using VPNs
Describe the benefit of using static or dynamic VTI and how to configure VTIs for site-to-site IPsec VPNs
The lesson includes these topics:
High Availability for Cisco IOS IPsec VPNs
IPsec Backup Peer
Hot Standby Router Protocol
IPsec Stateful Failover
Backing Up a WAN Connection with an IPsec VPN
Static and Dynamic VTIs
Lesson 5: Implementing DMVPN
This lesson describes how to configure a DMVPN. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the overall requirements, features, operation, and high availability design for DMVPN
Describe how dynamic routing protocols operate over DMVPN
Configure a DMVPN hub using the Cisco SDM DMVPN hub wizard
Configure a DMVPN spoke using the Cisco SDM DMVPN spoke wizard
Edit DMVPN settings in Cisco SDM
Verify DMVPN connectivity
The lesson includes these topics:
Dynamic Multipoint VPN
Dynamic Routing Protocols over DMVPN
Configuring a DMVPN Hub
Configuring a DMVPN Spoke
Editing DMVPN Settings
Verifying DMVPN
The lesson includes this activity:
Lab 3-3: Configure a DMVPN Spoke Using Cisco SDM
Lesson 6: Implementing GET VPN
This lesson describes how to configure GET VPNs. Upon completing this lesson, the learner will be able to meet these objectives:
Describe problems that are encountered scaling tunnel-based VPNs
Describe GET VPN
Describe how dynamic routing protocols work over GET VPN
Describe the security measures that are built into the GET VPN solution
Describe GET VPN operations
Configure the GET VPN key server
Configure GET VPN group members
Verify GET VPN settings and operation
The lesson includes these topics:
VPN Limitations
GET VPN Overview
GET VPN Architecture
GET VPN Security
GET VPN Operations
Configuring GET VPN Key Servers
Configuring GET VPN Group Members
Verifying GET VPN Settings
The lesson includes this activity:
Lab 3-4: Configure GET VPN Using CLI
Module 4: Secure Remote Access Communications
Upon completing this module, the learner will be able to design, install, configure, and troubleshoot remote-access communications using Cisco IOS security features.
Lesson 1: Implementing Cisco IOS Remote Access Using Cisco Easy VPN
This lesson describes how to configure Cisco Easy VPN for remote access. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the role of each component of Cisco Easy VPN including Cisco Easy VPN Remote and Cisco Easy VPN Server
Explain how to configure the Cisco VPN Client
Explain how to configure a Cisco Easy VPN Remote using Cisco SDM
Explain how to configure a Cisco Easy VPN Server using Cisco SDM
Verify the Cisco Easy VPN configuration
The lesson includes these topics:
Introduction to Cisco Easy VPN
Configuring the Cisco VPN Client
Configuring Cisco Easy VPN Remote
Configuring Cisco Easy VPN Server
Verify the Cisco Easy VPN Configuration
The lesson includes these activities:
Lab 4-1: Configure Cisco Easy VPN Remote
Lab 4-2: Configure Cisco Easy VPN Server
Lesson 2: Examining a Cisco IOS SSL VPN
This lesson describes how to configure a Cisco IOS SSL VPN and verify its operation using Cisco Router and Security Device Manager (SDM). Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco IOS SSL VPN feature, including clientless mode, thin-client mode, full-tunnel client mode, and Cisco Secure Desktop
Describe the different client packages for the Cisco IOS SSL VPN
Configure the prerequisites for Cisco IOS SSL VPN
Configure Cisco IOS SSL VPN
Edit Cisco IOS SSL VPN configurations
Monitor and verify Cisco IOS SSL VPN
The lesson includes these topics:
Overview of Cisco IOS SSL VPN
Client Software
Configuring Cisco IOS SSL VPN Prerequisites
Cisco IOS SSL VPN Configuration
Editing Cisco IOS SSL VPNs
Verifying SSL VPN Functionality
The lesson includes this activity:
Lab 4-3: Configure a Cisco IOS SSL VPN
Module 5: Threat Control and Containment
Upon completing this module, the learner will be able to install, configure, and troubleshoot URL filtering, NAT and PAT, Cisco IOS Classic Firewall, Cisco IOS Zone-Based Policy Firewall, and Cisco IOS IPS on a Cisco Integrated Services Router.
Lesson 1: Configuring NAT and PAT
This lesson describes how to configure inside and outside static and dynamic NAT and PAT as well as port forwarding. Upon completing this lesson, the learner will be able to meet these objectives:
Describe static and dynamic NAT and PAT
Configure PAT using the Cisco SDM NAT Basic wizard
Configure NAT and PAT using the Cisco SDM NAT Advanced wizard
Verify NAT and PAT configuration using the CLI
Troubleshoot a NAT configuration to resolve issues
The lesson includes these topics:
Network Address Translation Overview
Configuring PAT Using the Basic NAT Wizard
Configuring NAT and PAT Using the Advanced NAT Wizard
Verifying NAT and PAT
Troubleshooting NAT and PAT
Lesson 2: Configuring a Cisco IOS Classic Firewall
This lesson describes how to configure a Cisco IOS Classic Firewall using Cisco SDM. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the features and benefits of a Cisco IOS Classic Firewall
Use the Cisco SDM Basic Firewall wizard to configure a Cisco IOS Classic Firewall
Use the Cisco SDM Advanced Firewall wizard to configure a Cisco IOS Classic Firewall
Edit a basic or advanced firewall configuration, including global settings
Verify a Cisco IOS Firewall configuration using the CLI
The lesson includes these topics:
Cisco IOS Classic Firewall Overview
Basic Firewall Wizard
Advanced Firewall Wizard
Editing Firewall Rules
Verifying Firewall Configuration
The lesson includes this activity:
Lab 5-1: Configure Cisco IOS Classic Firewall on a Cisco Router
Lesson 3: Configuring a Cisco IOS Zone-Based Policy Firewall
This lesson describes how to configure a Cisco IOS Zone-Based Policy Firewall on a Cisco Integrated Services Router. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the general features of a Cisco IOS Zone-Based Policy Firewall
Configure Cisco IOS Zone-Based Policy Firewall using the Cisco SDM Advanced Firewall wizard
Edit the Cisco IOS Zone-Based Policy Firewall
Create zone-based policies without the Cisco SDM wizard
Verify the Cisco IOS Zone-Based Policy Firewall configuration using the CLI and Cisco SDM
The lesson includes these topics:
Cisco IOS Zone-Based Policy Firewall Overview
Advanced Firewall Wizard
Editing Cisco IOS Zone-Based Policy Firewall
Configuring Zone-Based Policies
Verifying the Cisco IOS Zone-Based Policy Firewall Configuration
The lesson includes this activity:
Lab 5-2: Configure Cisco IOS Zone-Based Policy Firewall with URL Filtering
Lesson 4: Configuring Cisco IOS IPS
This lesson describes how to configure Cisco IOS IPS Software Version 5.x signature support, Risk Rating (Signature Event Action Processing [SEAP]), tuning, and custom signatures. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the features, functions, limitations, and applications of Cisco IOS IPS
Describe the different IPS management products
Describe SDF and built-in signature operation
Migrate from Cisco IOS IPS Version 4.x to Cisco IOS IPS Version 5.x
Configure Cisco IOS IPS using 5.x signatures
Configure Auto Signature Update
Configure SEAP, including Risk Ratings, Events Action Overrides, and Events Action Filters
Perform a basic configuration of Cisco IOS IPS
Tune more advanced signature settings
Create custom signatures
Use show, debug, and clear commands to test and verify Cisco IOS IPS configurations
Explain various scenarios and deployment options
The lesson includes these topics:
Cisco IOS IPS Overview
IPS Management Products
SDF and Built-In Signature Overview
Migrating from Cisco IOS IPS Version 4 to Version 5
Configuring Cisco IOS IPS Using 5.x Signatures
Auto Update
Signature Event Action Processing
Configuring, Disabling, and Excluding Signatures
Signature Tuning
Custom Signatures
Verifying Cisco IOS IPS Configuration
IPS Case Studies
The lesson includes this activity:
Lab 5-3: Configure a Cisco IOS IPS on a Cisco Router
IPS - Course Outline
Overview
Implementing Cisco Intrusion Prevention Systems (IPS) v6.0 provides the knowledge and skills needed to design, install, configure, and maintain a Cisco IPS sensor for small, medium, and enterprise networks. The course also describes the procedures for managing intrusion prevention system (IPS) alarms.
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Explain how the Cisco IPS protects network devices from attacks
Install and configure the basic settings on a Cisco IPS 4200 Series Sensor
Use the Cisco IDM to configure built-in signatures to meet the requirements of a given security policy
Configure some of the more advanced features of the Cisco IPS product line
Initialize and install into your environment the rest of the Cisco IPS family of products
Use the CLI and the Cisco IDM to obtain system information, and configure the Cisco IPS sensor to allow an SNMP NMS to monitor the Cisco IPS sensor
High-Level Course Outline
This subtopic provides an overview of how the course is organized. The course contains these components:
Course Introduction
Intrusion Prevention Overview
Installation of a Cisco IPS 4200 Series Sensor
Cisco IPS Signatures
Advanced Cisco IPS Configuration
Additional Cisco IPS Devices
Cisco IPS Sensor Maintenance
Detailed Course Outline
This in-depth outline of the course structure lists each module, lesson, and topic.
Module 1: Intrusion Prevention Overview
This module explains how the Cisco IPS protects network devices from attacks.
Lesson 1: Explaining Intrusion Prevention
This lesson describes how to discuss intrusion detection and intrusion prevention along with related terms and concepts. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the difference between intrusion detection and intrusion prevention
Describe the similarities and differences among the various intrusion detection technologies
Explain the terminology used in intrusion prevention and detection
Explain the difference between promiscuous and inline intrusion protection
Describe the new features included in the Cisco IPS Sensor Software Version 6.0
The lesson includes these topics:
Intrusion Detection vs. Intrusion Prevention
Intrusion Prevention Technologies
Intrusion Prevention Terminology
Promiscuous and Inline Modes
Features of Cisco IPS Sensor Software Version 6.0
Lesson 2: Examining Cisco IPS Products
This lesson describes the Cisco IPS solutions and explains how Cisco IPS protects network devices from attacks. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the various models available in the Cisco family of IPS sensors
Describe network IPS and list its features and limitations
Describe host IPS and list its features and limitations
Explain the considerations necessary for selection, placement, and deployment of a network IPS
Describe the Cisco Self-Defending Network and how the Cisco IPS products fit in to that structure
The lesson includes these topics:
Cisco Network Sensors
Network IPS
Host-Based IPS
Sensor Deployment
Cisco Self-Defending Network
Lesson 3: Examining Cisco IPS Sensor Software Solutions
This lesson describes the Cisco monitoring solutions and suggests how to utilize them. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco IPS Sensor Software architecture
List the Cisco IPS management products for single device management
List the Cisco IPS management products that you can use for the enterprise
The lesson includes these topics:
Cisco IPS Sensor Software Architecture
Cisco IPS Element Management Products
Cisco IPS Enterprise Management Products
Lesson 4: Examining Evasive Techniques
This lesson describes major evasion techniques in order to justify several intrusion prevention system (IPS) features. Upon completing this lesson, the learner will be able to meet these objectives:
Explain what an evasive technique is and provide examples of evasive techniques
Explain how attackers use string match attacks to avoid detection by intrusion detection and intrusion prevention products
Explain how attackers use fragmentation attacks to avoid detection by intrusion detection and intrusion prevention products
Explain how attackers use session attacks to avoid detection by intrusion detection and intrusion prevention products
Explain how attackers use insertion attacks to avoid detection by intrusion detection and intrusion prevention products
Explain how attackers use evasion attacks to avoid detection by intrusion detection and intrusion prevention products
Explain how attackers use TTL-based attacks to avoid detection by intrusion detection and intrusion prevention products
Explain how attackers use encryption-based attacks to avoid detection by intrusion detection and intrusion prevention products
Explain how attackers use resource exhaustion attacks to avoid detection by intrusion detection and intrusion prevention products
The lesson includes these topics:
Evasive Techniques
String Match Attacks
Fragmentation Attacks
Session Attacks
Insertion Attacks
Evasion Attacks
TTL-Based Attacks
Encryption-Based Attacks
Resource Exhaustion Attacks
Module 2: Installation of a Cisco IPS 4200 Series Sensor
This module describes how to install and configure the basic settings on a Cisco IPS 4200 Series Sensor.
Lesson 1: Installing a Cisco IPS Sensor Using the CLI
This lesson describes how to install and initialize a Cisco IPS sensor appliance in the network using the command-line interface (CLI). Upon completing this lesson, the learner will be able to meet these objectives:
Explain the CLI of the Cisco IPS sensor
Gain management access and initialize a sensor
Explain some of the administrative tasks that are done from the CLI
Explain some of the additional commands that are available from the CLI
The lesson includes these topics:
Introducing the CLI
Initializing the Sensor
Performing Administrative Tasks
Additional Administrative Commands
Lesson 2: Using the Cisco IDM
This lesson describes how to use the Cisco IPS Device Manager (IDM) to launch, navigate, manage, and monitor a Cisco IPS device. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the features, benefits, and system requirements of the Cisco IDM
Log into and navigate the Cisco IDM
Configure SSH
Reboot and shut down a Cisco IPS
The lesson includes these topics:
Introducing the Cisco IDM
Getting Started with the Cisco IDM
How to Configure SSH
How to Reboot and Shut Down the Sensor
Lesson 3: Configuring Basic Sensor Settings
This lesson describes how to use the Cisco IDM to configure basic sensor settings. Upon completing this lesson, the learner will be able to meet these objectives:
Configure hosts that are authorized to administer the sensor
Configure the time settings of a Cisco IPS sensor
Configure certificates of a Cisco IPS sensor
Configure user accounts
Describe the different roles that a sensor interface can play
Configure the interfaces of a Cisco IPS sensor in promiscuous and inline mode
Describe and configure software and hardware bypass
Explain how to view events from the Cisco IDM
The lesson includes these topics:
How to Configure Allowed Hosts
How to Set the Time
How to Configure Certificates
How to Configure User Accounts
Defining Interface Roles
How to Configure the Interfaces
How to Configure Software and Hardware Bypass Mode
Viewing Events in the Cisco IDM
The lesson includes these activities:
Lab 2-1: Install and Configure an IPS Sensor from the CLI
Lab 2-2: Use the Cisco IDM to Perform a Basic Sensor Configuration
Module 3: Cisco IPS Signatures
This module describes how to use the Cisco IDM to configure built-in signatures to meet the requirements of a given security policy.
Lesson 1: Configuring Cisco IPS Signatures and Alerts
This lesson describes how to use the Cisco IDM to configure built-in signatures to meet the requirements of a given security policy. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the different types, features, and actions of signatures
Locate information about specific signatures and describe the Cisco Intrusion Prevention Alert Center
Enable, disable, and assign actions to signatures
Configure additional settings for denying and blocking actions
The lesson includes these topics:
Cisco IPS Signatures
How to Locate Signature Information
How to Configure Basic Signatures
Special Considerations for Signature Actions
Lesson 2: Examining the Signature Engines
This lesson describes the functions of signature engines and their parameters. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the different signature engines used by the sensor
Describe the configuration parameters common to all signature engines
Describe the ATOMIC signature engines
Describe the FLOOD signature engines
Describe the SERVICE signature engines, including the new TNS and SMB advanced signature engines
Describe the STRING signature engines
Describe the SWEEP signature engines
Describe the TROJAN signature engines
Describe the TRAFFIC signature engines
Describe the AIC signature engines
Describe the STATE signature engine
Describe the META signature engine
Describe the NORMALIZER engine
The lesson includes these topics:
Introducing Cisco IPS Signature Engines
Common Signature Engine Parameters
ATOMIC Signature Engines
FLOOD Signature Engines
SERVICE Signature Engines
STRING Signature Engines
SWEEP Signature Engines
TROJAN Signature Engines
TRAFFIC Signature Engines
AIC Signature Engines
STATE Signature Engine
META Signature Engine
NORMALIZER Engine
Lesson 3: Customizing Signatures
This lesson describes how to use the Cisco IDM to tune and customize signatures to meet the requirements of a given security policy. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the need to tune signatures
Tune and create signatures to accomplish noise reduction
Tune and create signatures to accomplish false positive reduction
Tune and create signatures to accomplish false negative reduction
Tune and create signatures to focus a Cisco IPS sensor on the environment
Describe examples of different signature tuning scenarios
Design and create custom signatures
Describe examples of creating custom signatures
The lesson includes these topics:
Tuning Signatures
Noise Reduction
False Positive Reduction
False Negative Reduction
Focusing Cisco IPS Sensors
Customizing Built-in Signatures
How to Create Custom Signatures
Custom Signature Scenarios
The lesson includes these activities:
Lab 3-1: Working with Signatures and Alerts
Lab 3-2: Customizing Signatures
Module 4: Advanced Cisco IPS Configuration
This module describes how to configure some of the more advanced features of the Cisco IPS product line.
Lesson 1: Performing Advanced Tuning of Cisco IPS Sensors
This lesson describes how to use the Cisco IDM to tune a Cisco IPS sensor to work optimally in the network. Upon completing this lesson, the learner will be able to meet these objectives:
Explain how to tune the sensor to avoid evasive techniques and provide network-specific intrusion prevention
Explain the logging capabilities of the sensor, how to configure logging, and the performance ramifications of logging
Describe the concept of IP fragment and TCP stream reassembly
Define and configure event variables
Explain and configure TVRs
Describe and configure event action overrides
Describe and configure event action filters
Describe the risk rating system and the values that it uses to calculate the risk rating number
Introduce and configure the general settings for event action rules
The lesson includes these topics:
Sensor Configuration
IP Logging
Reassembly Options
How to Define Event Variables
Target Value Rating
Event Action Overrides
Event Action Filters
Risk Rating System
General Settings of Event Action Rules
The lesson includes this activity:
Lab 4-1: Tune a Cisco IPS Sensor Using the Cisco IDM
Lesson 2: Monitoring and Managing Alarms
This lesson describes how to use additional monitoring tools to maximize alarm management efficiency. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the Cisco IEV, its features, benefits, and specifications
Explain the installation procedure for Cisco IEV
Add devices to the Cisco IEV
Use Cisco IEV to view events
Explain the Cisco Security Management Suite, its features, benefits, and specifications
Explain the external product interface, its benefits, and specifications
Explain how a Cisco Security Agent installation can be integrated into a Cisco IPS sensor installation using Cisco Security Monitor
Explain the Cisco ICS
The lesson includes these topics:
Cisco IEV Overview
Installing Cisco IEV
Configuring Cisco IEV
Viewing Events
Cisco Security Management Suite Overview
External Product Interface
Integrating Cisco Security Agent into an IPS Installation
Cisco ICS
The lesson includes this activity:
Lab 4-2: Monitor and Manage Alarms
Lesson 3: Configuring a Virtual Sensor
This lesson describes how to explain the virtual sensor, its settings, and advantages. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the principles behind virtual sensors
Prepare for creating virtual sensors by creating inline pairs, signature policies, event action rules, and anomaly detection policies
Create a virtual sensor by giving it a name and assigning interfaces
The lesson includes these topics:
Virtual Sensor Overview
Preparing for Virtual Sensors
Creating Virtual Sensors
The lesson includes this activity:
Lab 4-3: Configure a Virtual Sensor (Optional)
Lesson 4: Configuring Advanced Features
This lesson describes how to explain and configure some of the new advanced features of the Cisco IPS Sensor Software. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the principles behind anomaly detection
Explain the components used by anomaly detection
Configure anomaly detection
Monitor and troubleshoot problems with anomaly detection
Explain the principles behind POSFP
Explain the different methods available to identify operating systems
Explain the available configuration options for POSFP
Examine the results of POSFP
The lesson includes these topics:
Anomaly Detection Overview
Anomaly Detection Components
Configuring Anomaly Detection
Monitoring Anomaly Detection
POSFP Overview
Operating System Identification
Configuring POSFP
Monitoring POSFP
The lesson includes this activity:
Lab 4-4: Configure Anomaly Detection and POSFP
Lesson 5: Configuring Blocking
This lesson describes how to explain blocking concepts and use Cisco IDM to configure blocking for a given scenario. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the principles behind blocking
Describe the things that should be taken into account before applying ACLs
Explain how to configure a sensor to perform automatic blocking
Explain how to configure a sensor to perform manual blocking
Explain how to configure a master blocking scenario
The lesson includes these topics:
Blocking Overview
ACL Considerations
How to Configure Automatic Blocking
How to Configure Manual Blocking
How to Configure a Master Blocking Scenario
Module 5: Additional Cisco IPS Devices
This module describes how to initialize and install into your environment the rest of the Cisco IPS family of products.
Lesson 1: Installing the Cisco Catalyst 6500 Series IDSM-2
This lesson describes how to explain the basics of how to install the Cisco Catalyst 6500 Series Intrusion Detection System Services Module 2 (IDSM-2) in a Cisco Catalyst 6500 Series Switch and initialize it. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco Catalyst 6500 Series IDSM-2
Install the Cisco Catalyst 6500 Series IDSM-2
Configure the Cisco Catalyst 6500 Series IDSM-2 interfaces
Monitor the Cisco Catalyst 6500 Series IDSM-2
Perform Cisco Catalyst 6500 Series IDSM-2 maintenance
The lesson includes these topics:
Cisco Catalyst 6500 Series IDSM-2 Overview
Installing the Cisco Catalyst 6500 Series IDSM-2
Configuring Cisco Catalyst 6500 Series IDSM-2 Interfaces
Monitoring the Cisco Catalyst 6500 Series IDSM-2
Maintaining the Cisco Catalyst 6500 Series IDSM-2
Lesson 2: Initializing the Cisco ASA AIP-SSM
This lesson describes how to initialize a Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (ASA AIP-SSM). Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco ASA AIP-SSM
Upload the IPS image to the Cisco ASA AIP-SSM
Perform the initial configuration of the Cisco ASA AIP-SSM using Cisco ASDM
Configure an IPS security policy using Cisco ASDM
The lesson includes these topics:
Cisco ASA AIP-SSM Overview
Loading the Cisco ASA AIP-SSM
Initial Cisco ASA AIP-SSM Configuration Using Cisco ASDM
Configuring an IPS Security Policy
Module 6: Cisco IPS Sensor Maintenance
This module describes how to use the CLI and the Cisco IDM to obtain system information, and how to configure the Cisco IPS sensor to allow a Simple Network Management Protocol (SNMP) network management system (NMS) to monitor the Cisco IPS sensor.
Lesson 1: Maintaining Cisco IPS Sensors
This lesson describes how to install and recover the Cisco IPS Sensor Software and perform service pack and signature updates. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the Cisco IPS sensor licenses and how to install them
Perform a Cisco IPS sensor upgrade or recovery
Install service pack and signature updates
Perform a password recovery on a Cisco IPS sensor
Restore a Cisco IPS sensor to its default configuration
The lesson includes these topics:
Understanding Cisco IPS Licensing
How to Upgrade and Recover Sensor Images
How to Install Service Packs and Signature Updates
Password Recovery
How to Restore a Cisco IPS Sensor
Lesson 2: Managing Cisco IPS Sensors
This lesson describes how to use the CLI and the Cisco IDM to verify sensor configuration. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the various CLI commands used for sensor monitoring
Describe the Cisco IDM as a tool to perform sensor monitoring
Describe Cisco Security Manager as a tool to perform sensor monitoring
Describe SNMP as a tool to perform sensor monitoring
The lesson includes these topics:
Using the CLI to Monitor the Sensor
Using the Cisco IDM to Monitor the Sensor
Monitoring Using Cisco Security Manager
Monitoring Using SNMP
The lesson includes this activity:
Lab 6-1: Maintain Sensors and Verify System Configuration
SNAF - Course Outline
Overview
Securing Networks with ASA Fundamentals (SNAF) v1.0 is a five-day, instructor-led, lab-intensive course, which will be delivered by Cisco Learning Partners. This task-oriented course teaches the knowledge and skills needed to configure, maintain, and operate Cisco ASA 5500 Series Adaptive Security Appliances.
Course Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Explain the functions of the three types of firewalls used to secure computer networks
Describe the technology and features of Cisco security appliances
Given diagrams of networks protected by Cisco ASA and PIX security appliances, explain how each appliance protects network devices from attacks and why each is an appropriate choice for the example network
High-Level Course Outline
This section provides an overview of how the course is organized. The course contains these components:
Introducing Cisco Security Appliance Technology and Features
Introducing the Cisco ASA and PIX Security Appliance Families
Getting Started with Cisco Security Appliances
Configuring a Security Appliance
Configuring Translations and Connection Limits
Using ACLs and Content Filtering
Configuring Object Grouping
Switching and Routing on Cisco Security Appliances
Configuring AAA for Cut-Through Proxy
Configuring the Cisco Modular Policy Framework
Configuring Advanced Protocol Handling
Configuring Threat Detection
Configuring Site-to-Site VPNs Using Pre-Shared Keys
Configuring Security Appliance Remote-Access VPNs
Configuring the Cisco ASA for SSL VPN
Configuring Transparent Firewall Mode
Configuring Security Contexts
Configuring Failover
Managing the Security Appliance
Lab Guide
Detailed Course Outline
This in-depth outline of the course structure lists each lesson and topic.
Lesson 1: Introducing Cisco Security Appliance Technology and Features
This lesson introduces the general functionality provided by firewalls and security appliances. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the functions of the three types of firewalls that are used to secure modern computer networks
Discuss the technology and features of Cisco security appliances
The lesson includes these topics:
Firewalls
Security Appliance Essentials
There is no lab for this lesson.
Lesson 2: Introducing the Cisco ASA and PIX Security Appliance Families
This lesson introduces Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX 500 Series Security Appliances. Upon completing this lesson, the learner will be able to meet these objectives:
Identify the Cisco ASA and PIX security appliance models
Explain the Cisco ASA security appliance licensing options
The lesson includes these topics:
Models and Features of Cisco Security Appliances
Cisco ASA Security Appliance Licensing
There is no lab for this lesson.
Lesson 3: Getting Started with Cisco Security Appliances
This lesson describes how to configure the security appliance for basic network connectivity. Upon completing this lesson, the learner will be able to meet these objectives:
Explain the four access modes
Describe the security appliance file management system
Discuss security appliance security levels
Describe Cisco ASDM requirements and capabilities
Use the CLI to configure and verify basic network settings, and prepare the security appliance for configuration via Cisco ASDM
Verify security appliance configuration and licensing via Cisco ASDM
The lesson includes these topics:
User Interface
File Management
Security Appliance Security Levels
Cisco ASDM Essentials and Operating Requirements
Preparing to Use Cisco ASDM
Navigating Cisco ASDM Windows
The lesson includes this activity:
Lab 3-1: Prepare to Use Cisco ASDM to Configure the Security Appliance
Lesson 4: Configuring a Security Appliance
This lesson describes how to configure a security appliance for basic network connectivity. Upon completing this lesson, the learner will be able to meet these objectives:
Configure a security appliance for basic network connectivity
Verify the initial configuration
Set the clock and synchronize the time on a security appliance
Configure a security appliance to send syslog messages to a syslog server
The lesson includes these topics:
Basic Security Appliance Configuration
Examining Security Appliance Status
Time Setting and NTP Support
Syslog Configuration
The lesson includes this activity:
Lab 4-1: Configure the Security Appliance with Cisco ASDM
Lesson 5: Configuring Translations and Connection Limits
This lesson describes how to perform Network Address Translation (NAT) on a security appliance. Upon completing this lesson, the learner will be able to meet these objectives:
Describe how the TCP and UDP protocols function within the security appliance
Describe how static and dynamic translations function
Configure dynamic address translation
Configure static address translation
Set connection limits
The lesson includes these topics:
Transport Protocols
Understanding NAT
Understanding PAT
Static Translations
TCP SYN Cookies and Connection Limits
Connections and Translations
The lesson includes this activity:
Lab 5-1: Configure Translations
Lesson 6: Using ACLs and Content Filtering
This lesson describes how to configure security appliance access control. Upon completing this lesson, the learner will be able to meet these objectives:
Configure and explain the basic function of ACLs
Configure and explain additional functions of ACLs
Configure active code filtering (Microsoft ActiveX and Java applets)
Configure the security appliance for URL filtering
Use the Packet Tracer for troubleshooting
The lesson includes these topics:
ACL Configuration
Malicious Active Code Filtering
URL Filtering
Packet Tracer
The lesson includes this activity:
Lab 6-1: Configure ACLs
Lesson 7: Configuring Object Grouping
This lesson describes how to configure the object grouping feature of Cisco security appliances. Upon completing this lesson, the learner will be able to meet these objectives:
Describe the object grouping feature of the security appliance and its advantages
Configure object groups and use them in ACLs
The lesson includes these topics:
Essentials of Object Grouping
Configuring and Using Object Groups
The lesson includes this activity:
Lab 7-1: Configure Object Groups
Lesson 8: Switching and Routing on Cisco Security Appliances
This lesson describes how to co