Lavoisier S.A.S.
14 rue de Provigny
94236 Cachan cedex
FRANCE

Opening hours: 08:30-12:30 / 13:30-17:30
Tel.: +33 (0)1 47 40 67 00
Fax: +33 (0)1 47 40 67 02


Canonical URL: www.lavoisier.fr/livre/autre/integrated-security-technologies-and-solutions-volume-ii/descriptif_4436342
Short URL or permalink: www.lavoisier.fr/livre/notice.asp?ouvrage=4436342

Integrated Security Technologies and Solutions - Volume II: Cisco Security Solutions for Network Access Control, Segmentation, Context Sharing, Secure Connectivity and Virtualization (CCIE Professional Development Series)

Language: English

Authors:


The essential reference for security pros and CCIE Security candidates: identity, context sharing, encryption, secure connectivity and virtualization

Integrated Security Technologies and Solutions - Volume II brings together more expert-level instruction in security design, deployment, integration, and support. It will help experienced security and network professionals manage complex solutions, succeed in their day-to-day jobs, and prepare for their CCIE Security written and lab exams.

Volume II focuses on the Cisco Identity Services Engine, Context Sharing, TrustSec, Application Programming Interfaces (APIs), Secure Connectivity with VPNs, and the virtualization and automation sections of the CCIE v5 blueprint. Like Volume I, its strong focus on interproduct integration will help you combine formerly disparate systems into seamless, coherent, next-generation security solutions.

Part of the Cisco CCIE Professional Development Series from Cisco Press, it is authored by a team of CCIEs who are world-class experts in their Cisco security disciplines, including co-creators of the CCIE Security v5 blueprint. Each chapter starts with relevant theory, presents configuration examples and applications, and concludes with practical troubleshooting.

  • Review the essentials of Authentication, Authorization, and Accounting (AAA)
  • Explore the RADIUS and TACACS+ AAA protocols, and administer devices with them
  • Enforce basic network access control with the Cisco Identity Services Engine (ISE)
  • Implement sophisticated ISE profiling, EzConnect, and Passive Identity features
  • Extend network access with BYOD support, MDM integration, Posture Validation, and Guest Services
  • Safely share context with ISE, and implement pxGrid and Rapid Threat Containment
  • Integrate ISE with Cisco FMC, WSA, and other devices
  • Leverage Cisco Security APIs to increase control and flexibility
  • Review Virtual Private Network (VPN) concepts and types
  • Understand and deploy Infrastructure VPNs and Remote Access VPNs
  • Virtualize leading Cisco Security products
  • Make the most of Virtual Security Gateway (VSG), Network Function Virtualization (NFV), and microsegmentation

Introduction
Part I Knock, Knock! Who’s There?
Chapter 1 Who and What: AAA Basics
Fundamentals of AAA
Understanding the Concept of Triple-A in the Real World
Compare and Select AAA Options
TACACS+
RADIUS
Comparing RADIUS and TACACS+
Summary
Chapter 2 Basic Network Access Control
What Is Cisco ISE?
ISE Architecture for Network Access AAA
Configuring ISE for Single/Standalone and Multinode Deployments
ISE Configuration for Network Access
802.1X and Beyond
Configuring Wired Network Access with ISE
Configuring Wireless Network Access with ISE
Verifying Dot1X and MAB
Summary
Chapter 3 Beyond Basic Network Access Control
Profiling with ISE
ISE Profiler and CoA
Profiles in Authorization Policies
Passive Identities and EasyConnect
Summary
Chapter 4 Extending Network Access with ISE
Get Ready, Get Set, Prerequisites
BYOD Onboarding with ISE
MDM Onboarding and Enforcement with ISE
Posture Assessment and Remediation with ISE
Guest Access with ISE
TrustSec with ISE
Summary
Chapter 5 Device Administration Control with ISE
The Case for Centralized AAA
RADIUS Versus TACACS+ for Device Administration
Using TACACS+ for Device Administration
Using RADIUS for Device Administration
Summary
Part II Spread the Love!
Chapter 6 Sharing the Context
The Many Integration Types of the Ecosystem
pxGrid in Depth
Summary
Chapter 7 APIs in Cisco Security
APIs 101
Firepower Management Center APIs
Identity Services Engine APIs
Advanced Malware Protection APIs
Threat Grid APIs
Umbrella APIs
Summary
References
Part III c2889775343d1ed91b
Chapter 8 Security Connectivity
Hashing, Ciphers, Cryptography, and PKI
Virtual Private Networks
Layer 2 Encryption: IEEE 802.1AE/MACsec
Summary
References
Chapter 9 Infrastructure VPN
IPsec with IKEv1
IPsec with IKEv2
EzVPN
DMVPN
FlexVPN
GETVPN
Summary
References
Chapter 10 Remote Access VPN
Remote Access VPN Overview
Cisco AnyConnect Secure Mobility Client
Client-Based Remote Access VPN
Clientless Remote Access VPN
Summary
References
Part IV The Red Pill
Chapter 11 Security Virtualization and Automation
Cisco Virtual Solutions and Server Virtualization
Virtualization and Automation Solutions
Summary
References

Aaron Woland, CCIE® No. 20113, is a principal engineer in Cisco’s Advanced Threat Security group and works with Cisco’s largest customers all over the world. His primary job responsibilities include security design, solution enhancements, standards development, advanced threat solution design, endpoint security, and futures.

Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards and standards body working groups. Prior to joining Cisco, Aaron spent 12 years as a consultant and technical trainer.

Aaron’s other publications include Integrated Security Technologies and Solutions - Volume I; both editions of Cisco ISE for BYOD and Secure Unified Access; Cisco Next-Generation Security Solutions: All-in-one Cisco ASA FirePOWER Services, NGIPS and AMP; CCNP Security SISAS 300-208 Official Cert Guide; the CCNA Security 210-260 Complete Video Course; and many published white papers and design guides.

Aaron is one of only five inaugural members of the Hall of Fame Elite for Distinguished Speakers at Cisco Live, and he is a security columnist for Network World, where he blogs on all things related to security. His other certifications include GHIC, GCFE, GSEC, CEH, MCSE, VCP, CCSP, CCNP, and CCDP, among others.

You can follow Aaron on Twitter: @aaronwoland.

Vivek Santuka, CCIE® No. 17621, is a consulting systems engineer at Cisco and is a security consultant to some of Cisco’s largest customers. He has over 13 years of experience in security, focusing on identity management and access control. Vivek is a member of multiple technical advisory groups.

Vivek holds two CCIE certifications: Security and Routing and Switching. In addition, he holds RHCE and CISSP certifications and is a Distinguished Speaker at Cisco Live.

Vivek is also the coauthor of the Cisco Press books AAA Identity Management Security

  • Second of two volumes: Volume 2 focuses on identity, context sharing, encryption, secure connectivity and virtualization security
  • Discover how ACS, ISE, pxGrid, WSA, FMC, WLC, ASA/FTD, ACI, APIC-EM, VSG, and related technologies integrate, and help you safeguard your network
  • Includes verification and troubleshooting sections for each topic, designed specifically to help you prepare for the CCIE Security lab exam

Publication date:

688 pages.

19x23 cm

Available from the publisher (delivery lead time: 14 days).

Indicative price: 77,01 €
