Foothill College Approved Course Outlines

Physical Sciences, Mathematics & Engineering Division
C S 50E INTRODUCTION TO IP NETWORK SECURITY Winter 2014
4 hours lecture, 3 hours laboratory. 5 Units

Total Quarter Learning Hours: 84 (Total of All Lecture, Lecture/Lab, and Lab hours X 12)
 
 Lecture Hours: 4 Lab Hours: 3 Lecture/Lab:
 Note: If Lab hours are specified, see item 10. Lab Content below.

Repeatability -
Statement: Not Repeatable.

Status -
 Course Status: Active Grading: Letter Grade with P/NP option
 Degree Status: Applicable Credit Status: Credit
 Degree or Certificate Requirement: AS Degree
 GE Status: Non-GE

Articulation Office Information -
 Transferability: CSU Validation: 11/14/11

1. Description -
Next step for students who want to enhance their CCNA-level skill set and help meet the growing demand for network security professionals. Provides an introduction to the core security concepts and skills needed for the installation, troubleshooting, and monitoring of network devices to maintain the integrity, confidentiality, and availability of data and devices. Prepares students for entry-level security career opportunities and the globally recognized Cisco CCNA Security certification.
Prerequisite: None
Co-requisite: None
Advisory: C S 50A, 50B, 50C and 50D or equivalent knowledge and skills.

2. Course Objectives -
The student will be able to:
  1. Characterize the security threats facing modern network infrastructures.
  2. Explain and demonstrate the techniques used to secure Cisco routers.
  3. Demonstrate the implementation of AAA on Cisco routers using local router database and external ACS.
  4. Describe how to mitigate threats to Cisco routers and networks using ACLs.
  5. Explain the need for and techniques to implement secure network management and reporting
  6. Describe common Layer 2 attacks and mitigation techniques
  7. Illustrate the operation and demonstrate the use of the Cisco IOS firewall feature set.
  8. Explain the Cisco IOS Intrusion Prevention Systems feature set.
  9. Demonstrate the implementation of a site-to-site VPN using Cisco Routers.
3. Special Facilities and/or Equipment -
  1. Access to a network laboratory with current Cisco network equipment and host computers required to support the class.
  2. Website or course management system with an assignment posting component (through which all lab assignments are to be submitted) and a forum component (where students can discuss course material and receive help from the instructor). This applies to all sections, including on-campus (i.e., face-to-face) offerings.
  3. When taught via Foothill Global Access on the Internet, the college will provide a fully functional and maintained course management system through which the instructor and students can interact.
  4. When taught via Foothill Global Access on the Internet, students must have currently existing e-mail accounts and ongoing access to computers with internet capabilities.

4. Course Content (Body of knowledge) -
  1. Security threats facing modern network infrastructures
    1. Mitigation methods for common network attacks
    2. Mitigation methods for Worm, Virus, and Trojan Horse attacks
    3. Self Defending Network architectures
  2. Secure Cisco routers
    1. Auditing security events on a router
    2. One-Step Lockdown of a router
    3. Securing administrative access to Cisco routers by setting
      1. strong encrypted passwords,
      2. exec timeout,
      3. login failure rate and
      4. using a variety of login enhancements
  3. AAA (Authentication, authorization, and accounting)
    1. The functions and importance of AAA
    2. The TACACS+ and RADIUS protocols and AAA
    3. AAA Authentication
    4. AAA Authorization
    5. AAA Accounting
  4. Mitigating threats to routers and networks using access control lists
    1. The function of standard, extended, and named IP ACLs used by routers to filter packets
    2. Configuring and verifying of IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
    3. Configuring and verifying of IP ACLs to prevent IP address spoofing using CLI
    4. General considerations when building and deploying ACLs
  5. Secure network management and reporting
    1. Using SSH on Cisco routers to enable secured management access
    2. Using Syslog servers to store network events
  6. Prevent layer 2 attacks by configuring basic Catalyst switch security features
    1. Port Security
    2. DHCP Snooping
    3. BPDU Guard
  7. Firewall implementation
    1. The operational strengths and weaknesses of the various firewall technologies
    2. Stateful firewall operations and the function of the state table
    3. Zone Based Firewall
  8. Intrusion Prevention Systems
    1. Network based vs. host based intrusion detection and prevention
    2. IPS technologies, attack responses, and monitoring options
    3. The configuration and verification of Cisco IOS IPS operations
  9. Site-to-site VPNs using Cisco Routers
    1. Methods used in cryptography
    2. IKE protocol functionality and phases
    3. The building blocks of IPSec and the security functions it provides
    4. The configuration and verification of an IPSec site-to-site VPN with pre-shared key authentication
5. Repeatability - Moved to header area.
 
6. Methods of Evaluation -
  1. Tests and quizzes
  2. Written laboratory assignments.
  3. Final examination
7. Representative Text(s) -
Watkins, Michael. CCNA Security Official Exam Certification Guide (Exam 640-553), Indianapolis: Cisco Press, 2008.

8. Disciplines -
Computer Science
 
9. Method of Instruction -
  1. Lectures which include motivation for the architecture of the specific topics being discussed.
  2. In-person or On-line labs (for all sections, including those meeting face-to-face/on campus) consisting of
    1. An assignment web-page located on a college-hosted course management system or other department-approved Internet environment. Here, the students will review the specification of each assignment and submit their completed lab work.
    2. A discussion web-page located on a college-hosted course management system or other department-approved Internet environment. Here, students can request assistance from the instructor and interact publicly with other class members.
  3. Detailed review of laboratory assignments which includes model solutions and specific comments on the student submissions.
  4. In person or on-line discussion which engages students and instructor in an ongoing dialog pertaining to all aspects of designing, implementing and analyzing programs.
  5. When course is taught fully on-line:
    1. Instructor-authored lecture materials, handouts, syllabus, assignments, tests, and other relevant course material will be delivered through a college hosted course management system or other department-approved Internet environment.
    2. Additional instructional guidelines for this course are listed in the attached addendum of CS department on-line practices.
 
10. Lab Content -
  1. Securing the Router for Administrative Access
    1. Basic Network Device Configuration
      1. Cable the network as shown in the topology.
      2. Configure basic IP addressing for routers and PCs.
      3. Configure static routing, including default routes.
      4. Verify connectivity between hosts and routers.
    2. Control Administrative Access for Routers
      1. Configure and encrypt all passwords.
      2. Configure a login warning banner.
      3. Configure enhanced username password security.
      4. Configure enhanced virtual login security.
      5. Configure an SSH server on a router.
      6. Configure an SSH client and verify connectivity.
    3. Configure Administrative Roles
      1. Create multiple role views and grant varying privileges.
      2. Verify and contrast views.
    4. Configure Cisco IOS Resilience and Management Reporting
      1. Secure the Cisco IOS image and configuration files.
      2. Configure a router as a synchronized time source for other devices using NTP.
      3. Configure Syslog support on a router.
      4. Install a Syslog server on a PC and enable it.
      5. Configure trap reporting on a router using SNMP.
      6. Make changes to the router and monitor syslog results on the PC.
    5. Configure Automated Security Features
      1. Lock down a router using AutoSecure and verify the configuration.
      2. Use the SDM Security Audit tool to identify vulnerabilities and lock down services.
      3. Contrast the AutoSecure configuration with SDM.
  2. Securing Administrative Access Using AAA and RADIUS
    1. Basic Network Device Configuration
      1. Configure basic settings such as host name, interface IP addresses, and access passwords.
      2. Configure static routing.
    2. Configure Local Authentication
      1. Configure a local database user and local access for the console, vty, and aux lines.
      2. Test the configuration.
    3. Configure Local Authentication Using AAA
      1. Configure the local user database using Cisco IOS.
      2. Configure AAA local authentication using Cisco IOS.
      3. Configure AAA local authentication using SDM.
      4. Test the configuration.
    4. Configure Centralized Authentication Using AAA and RADIUS
      1. Install a RADIUS server on a computer.
      2. Configure users on the RADIUS server.
      3. Configure AAA services on a router to access the RADIUS server for authentication using Cisco IOS.
      4. Configure AAA services on a router to access the RADIUS server for authentication using SDM.
      5. Test the AAA RADIUS configuration.
  3. Configuring CBAC and Zone-Based Firewalls
    1. Basic Router Configuration
      1. Configure host names, interface IP addresses, and access passwords.
      2. Configure the EIGRP dynamic routing protocol.
      3. Use the Nmap port scanner to test for router vulnerabilities
    2. Configuring a Context-Based Access Control (CBAC) Firewall
      1. Configure CBAC using AutoSecure.
      2. Examine the resulting CBAC configuration.
    3. Configuring a Zone-Based Policy Firewall (ZBF, ZPF or ZFW)
      1. Configure a Zone-Based Policy Firewall using SDM.
      2. Examine the resulting CBAC configuration.
      3. Use SDM Monitor to verify configuration.
  4. Configuring an Intrusion Prevention System (IPS)
    1. Basic Router Configuration
      1. Configure hostname, interface IP addresses and access passwords.
      2. Configure the static routing.
    2. Configuring an IOS Intrusion Prevention System (IPS) using CLI
      1. Configure IOS IPS using CLI.
      2. Modify IPS Signatures.
      3. Examine the resulting IPS configuration.
      4. Verify IPS functionality.
      5. Log IPS messages to a Syslog server.
    3. Configuring an Intrusion Prevention System (IPS) using SDM
      1. Configure IPS using SDM.
      2. Modify IPS Signatures.
      3. Examine the resulting IPS configuration.
      4. Use a scanning tool to simulate an attack.
      5. Use the SDM Monitor to verify IPS functionality.
  5. Securing Layer 2 Switches
    1. Configure Basic Switch Settings
      1. Build the topology.
      2. Configure the host name, IP address, and access passwords.
    2. Configure SSH Access to the Switches
      1. Configure SSH access on the switch.
      2. Configure an SSH client to access the switch.
      3. Verify the configuration.
    3. Secure Trunks and Access Ports
      1. Configure trunk port mode.
      2. Change the native VLAN for trunk ports.
      3. Verify trunk configuration.
      4. Enable storm control for broadcasts.
      5. Configure access ports.
      6. Enable PortFast and BPDU guard.
      7. Verify BPDU guard.
      8. Enable root guard.
      9. Configure port security.
      10. Verify port security.
      11. Disable unused ports.
    4. Configure SPAN and Monitor Traffic
      1. Configure Switched Port Analyzer (SPAN).
      2. Monitor port activity using Wireshark.
      3. Analyze a sourced attack.
  6. Exploring Encryption Methods
    1. Build the Network and Configure the PCs
    2. Decipher a Pre-encrypted Message Using the Vigenère Cipher
      1. Given an encrypted message, a cipher key, and the Vigenère cipher square, decipher the message.
    3. Create a Vigenère Cipher Encrypted Message and Decrypt It
      1. Work with a lab partner and agree on a secret password.
      2. Create a secret message using the Vigenère cipher and the key.
      3. Exchange messages and decipher them using the pre-shared key.
      4. Use an interactive Vigenère decoding tool to verify decryption.
    4. Use Steganography to Embed a Secret Message in a Graphic
      1. Create a secret message and save it as a .txt file.
      2. Use S-Tools to embed the secret text message into a .bmp graphic.
      3. Send the graphic to a lab partner to reveal the embedded message.
  7. Configuring a Site-to-Site VPN
    1. Basic Router Configuration
      1. Configure host names, interface IP addresses, and access passwords.
    2. Configure a Site-to-Site VPN Using Cisco IOS
      1. Configure IPsec VPN settings on R1 and R3
      2. Verify site-to-site IPsec VPN configuration
      3. Test IPsec VPN operation
    3. Configure a Site-to-Site VPN Using SDM
      1. Configure IPsec VPN settings on R1
      2. Create a mirror configuration for R3
      3. Apply the mirror configuration to R3
      4. Verify the configuration
      5. Test the VPN configuration using SDM
  8. Security Policy Development and Implementation
    1. Create a Basic Security Policy
      1. Use Cisco Security Policy Builder to create a policy.
      2. Develop a network device configuration policy.
    2. Basic Network Device Configuration
      1. Configure host names, interface IP addresses, and passwords.
      2. Configure static routing.
    3. Secure Network Routers
      1. Configure passwords and a login banner.
      2. Configure SSH access and disable Telnet.
      3. Configure HTTP secure server access.
      4. Configure a synchronized time source using NTP.
      5. Configure router syslog support.
      6. Configure centralized authentication using AAA and RADIUS.
      7. Use Cisco IOS to disable unneeded services and secure against login attacks.
      8. Use SDM to disable unneeded services.
      9. Configure a CBAC firewall.
      10. Configure a ZBF firewall.
      11. Configure Intrusion Prevention System (IPS) using Cisco IOS and SDM.
      12. Back up and secure the Cisco IOS image and configuration files.
    4. Secure Network Switches
      1. Configure passwords and a login banner.
      2. Configure management VLAN access.
      3. Configure a synchronized time source using NTP.
      4. Configure syslog support.
      5. Configure SSH access.
      6. Configure AAA and RADIUS.
      7. Secure trunk ports.
      8. Secure access ports.
      9. Protect against STP attacks.
      10. Configure port security and disable unused ports.
 
11. Honors Description - No longer used. Integrated into main description section.
 
12. Types and/or Examples of Required Reading, Writing and Outside of Class Assignments -
  1. Reading
    1. Textbook assigned reading averaging 30 pages per week.
    2. Online curriculum averaging 20 pages per week.
    3. On-line resources as directed by instructor through links pertinent to networking.
    4. Library and reference material directed by instructor through course handouts.
  2. Writing
    1. Technical prose documentation that supports and describes the laboratory exercises that are submitted for a grade.
13. Need/Justification -
The course is a required core course for the AS Degree in Enterprise Networking.


Course status: Active
Last updated: 2014-06-19 12:32:16

