CertCities.com -- The Ultimate Site for Certified IT Professionals
Breaking Ground with Cisco's New CCSP Foundation Exam
As the replacement to the SECUR exam, it requires much of the same knowledge and hands-on experience but with a new focus.


by Andy Barkl

11/29/2005 -- The Cisco Certified Security Professional (CCSP) certification was created by Cisco in 2001 in response to a growing need for network security professionals capable of configuring, maintaining and troubleshooting complex network security. Much of its popularity has come about recently, as have many other vendor and vendor-neutral security certifications. Although many professionals have long been tasked with securing networks, certifying individuals with such a focus is new.

Exam Spotlight

Exam: #642-502: Securing Networks with Cisco Routers and Switches (SNRS)
Vendor: Cisco Systems
Status: Live. Available at Pearson Vue and Prometric testing centers worldwide.
Reviewer's Rating: "You'll need to have a solid grasp of how to configure and troubleshoot Cisco routers, switches and firewalls to mitigate common network attacks by using technologies such as CBAC, IPSec, VPN, AAA and SDM."
Test Information: 60-70 questions, 90 minutes. Cost: $125 (U.S.).
Who Should Take This Exam? Candidates for CCSP.
Test Objectives: see Cisco's official exam objectives page (linked from the original article).

The CCSP requires you to pass five exams and to hold a current Cisco Certified Network Associate (CCNA) certification. These exams have been updated recently and are generically referred to as SNRS, SNPA, IPS, SND, and HIPS or CSVPN. Recertification is accomplished by passing the CCSP exam 642-541 CSI: Cisco SAFE Implementation, or a Cisco Certified Internetwork Expert (CCIE) written exam. Cisco certifications are valid for a period of three years.

It doesn’t necessarily matter (in my opinion) which of the five exams you take first or in what order. They don’t necessarily build upon one another, but this exam tends to create a foundation. Together they make for a well-rounded CCSP. And you will also receive the INFOSEC letter of recognition from the NSA and CNSS. (Very cool, if you ask me!) For more information, go here.

I completed my CCNP and Cisco Certified Design Professional (CCDP) a few years back but had yet to tackle a Cisco security certification. In this time, I also took and reviewed the vendor-neutral Security+ and CISSP exams, and I have to say vendor-specific security exams are quite different in many respects. Earlier this year, I passed and reviewed the retiring CSPFA (PIX Firewall) exam (and plan to review its replacement, SNPA, in the coming months). Vendor-specific security exams, like the CSPFA exam, are all about understanding the vendors’ viewpoint on security and how their sales, marketing and products fit within the field.

For the new SNRS exam, I found many very specific questions about how to configure and troubleshoot Cisco routers, switches and firewalls to mitigate common network attacks by using technologies such as CBAC, IPSec, VPN, AAA and the SDM. I received 63 questions and was given 90 minutes to complete the exam, which included three simulation questions. The passing score was 860 on a scale of 300 to 1,000 points possible. Like all Cisco exams that I’ve ever taken, you can’t move back through the question set or mark or review your answers like you can on most other certification exams. But I find Cisco exams easier overall, with most of their questions in the form of one or two lines with only one correct answer to choose from.

I truly think the simulation questions are where exam takers can really get “hung up.” These are questions that present a hypothetical company’s network scenario, topology and usually a partial configuration. You are required to complete the remaining configuration, by navigating the Cisco device command-line environment. The opening screen of the simulation-based exams warns you about spending too much time on any one simulator-based question; it recommends no more than 10 minutes each. Running short on time within an exam can be an issue if you’re not paying attention. The last thing you want to do is find two minutes remaining on the clock with 10 questions still left to go, even if they are multiple choice. Unanswered questions really count against you!

Naturally, people ask: Do you receive partial credit? If you don’t save your configuration, will it be marked incorrect? I approach simulation questions just as I would in the real world: I execute the required commands to configure the router, switch or firewall, show the configuration, save and verify my work. Many times the question mark command is available, and limited help is there if you need it. The simulation questions are generally more difficult than the more common multiple-choice questions, but let’s face it; you really can’t braindump the sims!

Recommended Reading
At the time of this article, though the official Cisco instructor-led course SNRS was available, no self-study guides had been published. Cisco includes Web links to recommended reading found near the bottom of the official exam objectives page for each exam. I found most everything I needed to study with split between three Cisco Press books:

  • Managing Cisco Network Security (ISBN 1578701031)
  • Network Security Principles and Practices (ISBN 1587050250)
  • Designing Network Security (ISBN 1587051176)

Cisco Press is scheduled to publish a new study guide specific to this exam by early 2006.

There was some overlap between the first two books, with the second one being a CCIE series study guide, but I like to study more than I’ll ever need to pass a particular exam. For self-study I prefer the books from Cisco Press, although nothing makes a better resource for the CCNA exam than the popular self-study guide written by Todd Lammle and published by Sybex.

Exam Objectives
Since you must hold a valid CCNA to obtain the CCSP, that's where you should start to obtain the fundamental knowledge about how to configure and troubleshoot Cisco devices. The CCNA will also introduce LANs, WANs, ACLs and many other fundamentals that are essential before taking this exam. This exam's objectives are broken down into six main areas:

  • Implement Layer 2 security.
  • Configure Cisco IOS Firewall features to meet security requirements.
  • Configure Cisco IOS-based IPS to identify and mitigate threats to network resources.
  • Configure basic IPSec VPNs to secure site-to-site and remote access to network resources.
  • Configure authentication, authorization and accounting to provide basic secure access control for networks.
  • Use management applications to configure and monitor IOS security features.

A CCSP requires knowledge and hands-on experience with many Cisco network security technologies. The SNRS exam covers these from a high-level implementation, configuration and troubleshooting perspective. The other four exams required for CCSP certification are quite specific. I recommend beginning your quest for CCSP with this exam. In this article, I’ll address some of the main areas to study for this new exam by mapping to the official exam objectives, which you’ll find here.

Implement Layer 2 Security
The core topics for this exam section include:

  • Utilize Cisco IOS commands and Cat OS commands to mitigate Layer 2 attacks.
  • Implement Cisco Identity-Based Networking Services.
  • Implement Cisco 802.1X Port-Based Authentication.
  • Identify and describe Layer 2 security best practices.

As you may already know, network security usually begins at the Physical layer, or with physical security. Securing the data center, wiring closets and the like is imperative as a barrier against those who might gain access to the physical network and carry out an attack by simply stealing equipment or connecting to a console port. There are many methods and theories of implementing physical security that are not tested on this exam, but you should be familiar with locking down console ports and with the configuration register settings that prevent password recovery if an attacker gains physical access. Specific to this exam, you'll also want to know how to configure the virtual terminal lines (VTY), the privileged mode password and service password encryption with these commands:

! console port: require the line password at login
line con 0
 password password
 login
! virtual terminal lines 0 through 4 (Telnet/SSH sessions)
line vty 0 4
 password password
 login
! privileged-mode password, stored as an MD5 hash rather than clear text
enable secret password
! obscure the clear-text line passwords shown in the configuration (reversible type 7)
service password-encryption

Tip: The default configuration register setting of 0x2102 must be changed to 0x2142 to allow for password recovery. It can also be changed to prevent the Ctrl-Break function and password recovery.
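To check these line and password settings across many saved configurations rather than by eye, here is an added Python example (not from the article, and not a Cisco tool) that audits a running-config for the items above: console and VTY line passwords with login, an enable secret rather than an enable password, and service password-encryption. Both sample configs are constructed, and the hash and password values in them are placeholders.

```python
"""Audit an IOS running-config for the line and password hardening items
listed above. Added example (not from the article); both configs below are
constructed, and the hash/password values are placeholders."""

# Constructed: vty lines lack `login`, an `enable password` is used instead of
# `enable secret`, and `service password-encryption` is missing.
WEAK_CONFIG = """\
version 12.3
hostname branch-rtr
enable password cisco123
!
line con 0
 password c0ns0le
 login
line vty 0 4
 password t3ln3t
!
end
"""

# Constructed: the same router after applying the commands shown above.
HARDENED_CONFIG = """\
version 12.3
hostname branch-rtr
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
!
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 password 7 PLACEHOLDER
 login
!
end
"""


def parse_line_blocks(config):
    """Return {line_name: [sub-commands]} for every `line ...` stanza.
    Sub-commands are the indented lines that follow, as IOS prints them."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return blocks


def audit_config(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings = []
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    blocks = parse_line_blocks(config)

    for name in ("con 0", "vty 0 4"):
        cmds = blocks.get(name)
        if cmds is None:
            findings.append(f"line {name}: stanza missing")
            continue
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: no password set")
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"line {name}: 'login' missing, line password not enforced")

    if not any(c.startswith("enable secret ") for c in global_cmds):
        if any(c.startswith("enable password ") for c in global_cmds):
            findings.append("enable password used instead of enable secret "
                            "(clear text or reversible type 7, not an MD5 hash)")
        else:
            findings.append("no enable secret configured")

    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption not enabled; "
                        "line passwords are stored in clear text")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "OK")
```

Run it against the output of `show running-config` saved to a file; the weak sample produces three findings and the hardened one produces none. The configuration register is not part of the running-config (it appears in `show version`), so that check is left out here.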

Layer 2 security is typically implemented within the network’s switches. Here you can use MAC filtering, 802.1X authentication and configuration to prevent CAM table overflow and MAC address spoofing. You’ll most certainly want to read and study this Cisco SAFE white paper regarding the last two and pay particular attention to the configuration required as you may be required on the exam to configure a switch in a simulated environment.

In this same white paper, you’ll want to study 802.1X, paying particular attention to the IOS and Cat OS commands to complete configuration. You’ll also want to understand the communication and interaction between supplicant and authenticator. And don’t forget to study and understand the Layer 2 security best practices at the end of the paper. STP, VLANs or CDP can be the target or victim of Layer 2 attacks but aren’t necessarily tested on this exam. Most of this is referred to in the generic sense as Identity-Based Networking Services (IBNS).

Configure Cisco IOS Firewall Features To Meet Security Requirements
The core topics for this exam section include:

  • Identify and describe the capabilities of the IOS firewall feature set.
  • Configure, verify and troubleshoot CBAC to dynamically mitigate identified threats to the network.
  • Configure, verify and troubleshoot authentication proxy to apply security policies on a per-user basis.

I was fortunate enough to have a CBAC-based router in my lab network. By combining router and firewall functionality, Cisco offers many small office, home office and branch office routers with a firewall built in. There are many security professionals who sneer at this type of configuration and only recommend a separate router and firewall such as the Cisco PIX. They have a very valid point, because if the CBAC router/firewall is compromised there may be no other layers of security in place to protect the LAN. Most enterprise networks use separate devices for routing and firewall. Nevertheless, this exam expects you to know both! The Cisco IOS firewall feature set doesn’t offer all the same functionality as the PIX, and the command set and configuration can be quite different.

Hands-on experience is the best, but if you don’t have a lab that includes this router/firewall combination, you should start by reading this document, as you may be required on the exam to configure a router in a simulated environment.

Tip: Configuring an access list using CBAC and EIGRP is done using an extended access list and the line permit eigrp any any.

You’ll also need to be familiar with and able to spot an incorrectly configured CBAC router. I recommend you take a look at this white paper.

For authentication proxy, see this document.

Tip: The IOS command aaa new-model enables authentication, authorization and accounting on a Cisco router.

Configure Cisco IOS-Based IPS To Identify and Mitigate Threats to Network Resources
The exam topics found here include:

  • Identify and describe the capabilities of the IOS-IPS feature set.
  • Configure the IPS features to identify threats and dynamically block them from entering the network.
  • Verify, troubleshoot, maintain and update the IDS and its signatures.

I recommend you start by reviewing this document.

IPS, or intrusion prevention system, is the latest in the Cisco arsenal for detecting and reacting to network and device-based attacks. Similar to an intrusion detection system (IDS), IPS uses the same attack signature database and has the ability to send an alarm, drop the packet or reset the connection when an active attack is detected. A Signature Definition File (SDF) is downloaded to the router's flash memory and used to make real-time comparative checks against all traffic entering the router.

Tip: Atomic-based attacks can be detected in a single IP packet, but complex-based attacks may be embedded within many packets.

You should read this document as you may be required on the exam to configure or examine a router for active signatures loaded and in use in a simulated environment.
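To make the atomic-versus-compound distinction in the tip above concrete, here is an added Python example (not from the article and not Cisco's IPS engine): a toy signature engine in which an atomic signature fires on a single packet while a compound signature keeps per-flow state across packets, with each hit carrying one of the three responses the article names (alarm, drop, reset). The packets, signature IDs, names and thresholds are all constructed for the demonstration.

```python
"""Toy IPS engine: atomic signatures are decided on a single packet, compound
signatures keep state across packets; actions are alarm, drop or reset.
Added example (not from the article, not Cisco's engine); packets, signature
IDs and thresholds are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    flags: str = ""      # TCP flags as letters, e.g. "S" (SYN) or "SF" (SYN+FIN)


@dataclass
class Signature:
    sig_id: int
    name: str
    kind: str                          # "atomic" or "compound"
    action: str                        # "alarm", "drop" or "reset"
    match: Callable[[Packet], bool]    # per-packet predicate
    threshold: int = 1                 # compound only: matches per flow before firing


class ToyIPS:
    def __init__(self, signatures: List[Signature]):
        self.signatures = signatures
        # Compound-signature state: (sig_id, src, dst) -> matches seen so far.
        self.counters: Dict[Tuple[int, str, str], int] = {}

    def inspect(self, pkt: Packet) -> List[Tuple[int, str]]:
        """Return the (sig_id, action) pairs that fire on this packet."""
        fired = []
        for sig in self.signatures:
            if not sig.match(pkt):
                continue
            if sig.kind == "atomic":
                fired.append((sig.sig_id, sig.action))     # one packet is enough
                continue
            key = (sig.sig_id, pkt.src, pkt.dst)
            self.counters[key] = self.counters.get(key, 0) + 1
            if self.counters[key] == sig.threshold:        # fire once per flow
                fired.append((sig.sig_id, sig.action))
        return fired

    def run(self, packets):
        """Forward packets unless a fired signature says drop or reset;
        return (forwarded_packets, alerts)."""
        forwarded, alerts = [], []
        for pkt in packets:
            hits = self.inspect(pkt)
            alerts.extend(hits)
            if not any(action in ("drop", "reset") for _, action in hits):
                forwarded.append(pkt)
        return forwarded, alerts


# Constructed signature set (IDs are made up, not Cisco SDF IDs).
SIGNATURES = [
    # Atomic: SYN and FIN set together is never valid, so one packet decides it.
    Signature(1001, "tcp-syn-fin", "atomic", "drop",
              lambda p: p.proto == "tcp" and "S" in p.flags and "F" in p.flags),
    # Compound: a single SYN is normal; only a run of them from one flow is reported.
    Signature(2001, "tcp-syn-burst", "compound", "alarm",
              lambda p: p.proto == "tcp" and p.flags == "S", threshold=5),
]


def build_demo_packets() -> List[Packet]:
    """Constructed traffic: one malformed SYN+FIN, five SYNs from one host, one ACK."""
    pkts = [Packet("192.0.2.10", "198.51.100.5", "tcp", "SF")]
    pkts += [Packet("192.0.2.20", "198.51.100.5", "tcp", "S") for _ in range(5)]
    pkts.append(Packet("192.0.2.30", "198.51.100.5", "tcp", "A"))
    return pkts


def run_demo():
    """Run the constructed traffic through the engine; returns (forwarded, alerts)."""
    return ToyIPS(SIGNATURES).run(build_demo_packets())


if __name__ == "__main__":
    fwd, alerts = run_demo()
    print(f"forwarded {len(fwd)} packets, alerts: {alerts}")
```

The SYN+FIN packet is dropped on sight, the fifth SYN from the same source raises an alarm but is still forwarded, and the plain ACK passes untouched: six of the seven packets are forwarded. A real engine scopes compound state to a flow and ages it out; this toy keeps the counters forever, which is the difference to watch for when reading about "alarm summarisation" or "event count" fields in the real signature definitions.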

Configure Basic IPSec VPNs To Secure Site-to-Site and Remote Access to Network Resources
The exam topics found here include:

  • Select the correct IPSec implementation based on specific stated requirements.
  • Configure, verify and troubleshoot IPSec encryption using pre-shared keys and certificate authorities.
  • Configure and troubleshoot both hardware and software EZ-VPN server clients.

This exam only covers the fundamentals of IPSec configuration; the new 642-511 CSVPN (Cisco Secure Virtual Private Networks) exam covers VPNs in much greater detail. Configuring IPSec can be a daunting task. There are usually many lines of configuration required, and you'll need to understand the basics of IPSec design and implementation to boot.

Tip: IPSec operates at the Network layer of the OSI model and offers both transport and tunnel modes of configuration.

One of the best resources I found online is Cisco.com, which provides many documents you should read and review:

  • SAFE VPN (PDF)
  • Deploying IPSec VPNs, site-to-site

Finally, two real-world Easy VPN configuration guides are located here:

  • Cisco Easy VPN Client for the Cisco 1700 Series Routers
  • Cisco Easy VPN Remote

Pay particular attention to the configuration tasks, examples and screenshots for the product if you're not fortunate enough to have a Cisco router or PIX that supports VPNs and a copy of the client software!

Tip: Split tunneling refers to the ability of a client to use the network for both IPSec secure/encrypted connections for access to a corporate network and non-IPSec connections such as those for surfing the Web.

DES, 3DES, AES, MD5 and Diffie-Hellman are all acronyms and technologies you should be intimately familiar with for this exam. The first three are encryption algorithms for message confidentiality; MD5 is a hashing algorithm for message integrity; and Diffie-Hellman is used for IPSec peer authentication. These make up what is often referred to as CIA.

Configuring IPSec involves four primary steps:

  • Prepare by determining the encryption policy for hosts and networks by examining existing access lists and packet filtering.
  • Configure IKE by creating policies and validating configuration.
  • Configure IPSec by defining transform sets, creating crypto access lists and crypto map entries, and applying them to interfaces.
  • Test and verify IPSec operation using show and debug commands.

Tip: Crypto access lists are of type extended, with permit statements that control which traffic will be encrypted, and should mirror each other between IPSec-configured peers.
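The "mirror each other" requirement in the tip above is the one most often broken by hand-typed configurations, so here is an added Python example (not from the article) that parses the crypto access lists of two peers and reports every permit entry whose source/destination mirror is missing on the far side. It goes slightly beyond the tip: it normalises the `host` and `any` keywords to address/wildcard pairs, so `host 10.1.1.1` on one peer is matched by `10.1.1.1 0.0.0.0` on the other, and it rejects a non-extended list number. The ACLs are constructed; the second entry on peer B is deliberately wrong.

```python
"""Check that the crypto access lists on two IPsec peers mirror each other.
Added example (not from the article); the ACLs are constructed. Handles the
`host` and `any` keywords by normalising them to address/wildcard pairs."""

# Numbered extended ACL ranges; crypto ACLs must be extended.
EXTENDED_RANGES = ((100, 199), (2000, 2699))

# Constructed: peer B's second entry points at 10.1.4.0/24 instead of 10.1.3.0/24.
PEER_A_ACL = """\
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
PEER_B_ACL = """\
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.4.0 0.0.0.255
"""
# Constructed: peer B after the typo is corrected.
PEER_B_ACL_FIXED = """\
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.3.0 0.0.0.255
"""


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((addr, wildcard), next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return a set of (proto, (src, src_wc), (dst, dst_wc)) permit entries."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
            raise ValueError(f"unsupported ACE: {line}")
        number = int(tokens[1])
        if not any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
            raise ValueError(f"access-list {number} is not an extended ACL")
        src, i = _addr(tokens, 4)
        dst, _ = _addr(tokens, i)
        entries.add((tokens[3], src, dst))
    return entries


def mirror(entries):
    """Swap source and destination: exactly what the far peer's ACL must contain."""
    return {(proto, dst, src) for proto, src, dst in entries}


def check_mirrored(local_text, remote_text):
    """Return (ok, missing_on_remote, extra_on_remote) for a pair of peers."""
    expected = mirror(parse_crypto_acl(local_text))
    remote = parse_crypto_acl(remote_text)
    missing = sorted(expected - remote)
    extra = sorted(remote - expected)
    return (not missing and not extra, missing, extra)


if __name__ == "__main__":
    ok, missing, extra = check_mirrored(PEER_A_ACL, PEER_B_ACL)
    print("mirrored:", ok)
    for entry in missing:
        print("missing on remote peer:", entry)
    for entry in extra:
        print("unexpected on remote peer:", entry)
```

Feed it the `access-list` lines from each peer's running-config; a mismatch shows up as one entry missing and one unexpected on the remote side, which is exactly the symptom behind a tunnel that negotiates in one direction only.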

Configure Authentication, Authorization and Accounting To Provide Basic Secure Access Control for Network
The exam topics found here include:

  • Configure administrative access to the Cisco Secure ACS server.
  • Configure AAA clients on the Cisco Secure ACS for routers.
  • Configure users, groups and access rights.
  • Configure router to enable AAA to use TACACS+ and RADIUS.
  • Verify and troubleshoot AAA operation.

I found many questions on the exam relating to authentication, authorization and accounting. Securing a security server such as the CSACS is imperative: configure it for local access only, secure its data communications and perhaps even place it behind a firewall.

Tip: CSACS runs on Windows, UNIX and NetWare.

If you download a 90-day trial version of CSACS (with a Cisco.com registered account), you should get as much hands-on experience on it as possible. You should also read and review the following documents:

  • Configuring Basic AAA on an Access Server
  • Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 3.x for Windows Using RADIUS
  • Sample Configuration: Local Authentication for HTTP Server Users
  • User Guide for Cisco Secure ACS for Windows Server Version 3.3

Use Management Applications To Configure and Monitor IOS Security Features
The exam topics found here include:

  • Initialize SDM communications on Cisco routers and perform a LAN interface configuration.
  • Use SDM to define and establish a site-to-site VPN.

The Security Device Manager found on many Cisco routers is a Web-based interface that can certainly help with the complexities of VPN configuration. It’s also available as a free download to install on almost any Cisco router.

I would also recommend you read this real-world case study and configuration guide (PDF), paying particular attention to the example screenshots, product navigation and configuration.

To Be Continued
That wraps it up for this exam review. Next month I’ll review the new CCSP exam 642-522 Securing Cisco Network Devices (SND). Good luck and study hard!


Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+, i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in the IT field. He's the owner of MCT & Associates LLC, a technical training and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom but has also been responsible for many Microsoft Windows 2000, Exchange 2000, and Cisco networking deployments for many clients across Arizona. He's also the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation chats monthly on MCPmag.com, TCPmag.com and CertCities.com. You can reach him at .

There are 29 CertCities.com user Comments for “Breaking Ground with Cisco's New CCSP Foundation Exam”
The current user rating is: one star - cakewalk
12/1/05: Anonymous says:
one star - cakewalk
About the easiest Security test Cisco has ever written. I think we should vote to make it harder! BTW - The CCSP is only valid for 2 Years...not 3 as you mentioned in the article. :)
12/1/05: Christopher M. Heffner from Baltimore, MD says:
one star - cakewalk
In reality this exam is nothing more than an updated version of the previous SECUR class materials. Some of the basic materials have been moved to the newer SND class which also has its own exam. If you basically study the additional 12.3 security commands that are now available the exam is no harder than the original SECURE exam. New items including knowing how to setup IPS instead of IDS, basic layer 2 802.1x which was not included in the previous course materials. The actual course actually has less materials than the original SECURE class with the introduction of the SND course. SND will probably be more of a challenge for most folks since it is a little router security, little pix, little vpn and little bit of IPS. In this exam you are going to need to know the basics of each device hence its name of Securing Cisco Network Devices (SND). That is a lot of basics to know for so many different types of Cisco Security devices. It should be really interesting when it comes to teaching the new classes available soon. Will be interesting to hear Andy's comments once he completes the new SND exam. Stay tuned ... Christopher M. Heffner, CCIE 8211, CCSI 98760 Strategic Network Solutions, Inc. http://www.certified-labs.com
12/1/05: Christopher M. Heffner from Baltimore, MD says:
one star - cakewalk
In regards to the previous anonymous comment, the CCSP certification IS valid for 3 years as Andy stated. From Cisco website: http://www.cisco.com/web/learning/le3/le2/le37/le54/learning_certification_type_home.html CCSP certifications are valid for three years. To recertify, either pass the 642-541 CSI exam, or pass a CCIE written exam after October 1, 2004. Hope this helps. Christopher M. Heffner, CCIE 8211, CCSI 98760 Strategic Network Solutions, Inc. http://www.certified-labs.com
12/5/05: king-bruce from Ghana says:
four stars - very difficult
I would like you to train me on-line.