1、- 1 -CCIE Security Lab Exam Topics v4.0System Hardening and AvailabilityRouting plane security features (e.g. protocol authentication, route filtering)Control Plane PolicingControl Plane Protection and Management Plane ProtectionBroadcast control and switchport securityAdditional CPU protection mech
2、anisms (e.g. options drop, logging interval)Disable unnecessary servicesControl device access (e.g. Telnet, HTTP, SSH, Privilege levels)Device services (e.g. SNMP, Syslog, NTP)Transit Traffic Control and Congestion ManagementThreat Identification and MitigationIdentify and protect against fragmentat
3、ion attacksIdentify and protect against malicious IP option usageIdentify and protect against network reconnaissance attacksIdentify and protect against IP spoofing attacksIdentify and protect against MAC spoofing attacksIdentify and protect against ARP spoofing attacksIdentify and protect against D
4、enial of Service (DoS) attacksIdentify and protect against Distributed Denial of Service (DDoS) attacksIdentify and protect against Man-in-the-Middle (MiM) attacksIdentify and protect against port redirection attacksIdentify and protect against DHCP attacksIdentify and protect against DNS attacksIde
5、ntify and protect against MAC Flooding attacksIdentify and protect against VLAN hopping attacksIdentify and protect against various Layer2 and Layer3 attacksNBARNetFlowCapture and utilize packet capturesIntrusion Prevention and Content Security- 2 -IPS 4200 Series Sensor Appliance(a) Initialize the
6、Sensor Appliance(b) Sensor Appliance management(c) Virtual Sensors on the Sensor Appliance(d) Implementing security policies(e) Promiscuous and inline monitoring on the Sensor Appliance(f) Tune signatures on the Sensor Appliance(g) Custom signatures on the Sensor Appliance(h) Actions on the Sensor A
7、ppliance(i) Signature engines on the Sensor Appliance(j) Use IDM/IME to the Sensor Appliance(k) Event action overrides/filters on the Sensor Appliance(l) Event monitoring on the Sensor ApplianceVACL/SPAN & RSPAN on Cisco switchesWSA(a) Implementing WCCP(b) Active Dir Integration(c)Custom Categories(
8、d) HTTPS Config(e) Services Configuration (Web Reputation)(f) Configuring Proxy By-pass Lists(g) Web proxy modes(h) App visibility and controlIdentity ManagementIdentity Based Authentication/Authorization/Accounting(a) Cisco Router/Appliance AAA(b) RADIUS(c)TACACS+Device Admin (Cisco IOS Routers, AS
9、A, ACS5.x)Network Access (TrustSec Model)(a) Authorization Results for Network Access (ISE)- 3 -(b) 802.1X (ISE)(c)VSAs (ASA / Cisco IOS / ISE)(d) Proxy-Authentication (ISE/ASA/Cisco IOS)Cisco Identity Services Engine (ISE)(a) Profiling Configuration (Probes)(b) Guest Services(c)Posture Assessment(d
10、) Client Provisioning (CPP)(e) Configuring AD Integration/Identity SourcesPerimeter Security and ServicesCisco ASA Firewall(a) Basic firewall Initialization(b) Device management(c ) Address translation (nat, global, static)(d) Access Control Lists(e) IP routing/Route Tracking(f) Object groups(g) VLA
11、Ns(h) Configuring Etherchannel(i) High Availability and Redundancy(j) Layer 2 Transparent Firewall(k) Security contexts (virtual firewall)(l) Modular Policy Framework(j) Identity Firewall Services(k) Configuring ASA with ASDM(l) Context-aware services(m) IPS capabilities(n) QoS capabilitiesCisco IOS
12、 Zone Based Firewall(a) Network, Secure Group and User Based Policy(b) Performance Tuning- 4 -(c) Network, Protocol and Application InspectionPerimeter Security Services(a) Cisco IOS QoS and Packet marking techniques(b) Traffic Filtering using Access-Lists(c)Cisco IOS NAT(d) uRPF(e) PAM - Port to Ap
13、plication Mapping(f) Policy Routing and Route MapsConfidentiality and Secure AccessIKE (V1/V2)IPsec LAN-to-LAN (Cisco IOS/ASA)Dynamic Multipoint VPN (DMVPN)FlexVPNGroup Encrypted Transport (GET) VPNRemote Access VPN(a) Easy VPN Server (Cisco IOS/ASA)(b) VPN Client 5.X(c)Clientless WebVPN(d) AnyConnect VPN(e) EasyVPN Remote(f) SSL VPN GatewayVPN High AvailabilityQoS for VPNVRF-aware VPNMacSecDigital Certificates (Enrollment and Policy Matching)Wireless Access(a) EAP methods(b) WPA/WPA-2(c)WIPS
