Год выпуска: 2013
Производитель: CBT Nuggets
Автор: Keith Barker
Продолжительность: 10:27:36
Тип раздаваемого материала: Видеоурок
Язык: Английский
Стоимость: 1999 рублей
Описание:
This Cisco video training course with Keith Barker covers securing virtual private networks, including topics such as VPN profiles and policies, Cisco Secure Desktop, GNS3, and more.
Related area of expertise:
Cisco security
Virtual Private Networks (VPNs) allow millions of remote users to safely and securely access corporate resources. Learn to design, implement and troubleshoot ASA-based SSL and IPsec VPN solutions.
From clientless SSL VPNs to high availability, including troubleshooting, Keith guides you through each topic on the 642-648 exam. Plus, he shows you how to get crucial hands-on practice of every VPN for real-world implementation.
If you’re working towards a CCNP, this course is for you. Keith maps his training to all objectives of the 642-648 exam, which goes towards CCNP Security, ASA Specialist and IPS Specialist certifications. Network pros who support VPN users will also find significant value in this course, which is packed with content that directly applies to real-world implementation of VPNs. To take full advantage of this course, the learner should be familiar with the fundamentals of the ASA, which is available in CBT Nuggets' CCNP Security Firewall course.
[wpspoiler name="Подробное описание" ] 1. Welcome to Virtual Private Networks (VPNs): Getting the Most from this Course (00:11:10)
Welcome to the Firewall VPN course! In this opening Nugget, Keith describes what to expect from this course and how to get the most from it. Lets get started!
2. ASA VPN Options (00:41:19)
Knowing the choices available, based on the business need, is an important first step to implementing the correct Virtual Private Network (VPN) on the ASA. In this video, Keith reviews the benefits of using VPNs, and discusses the multiple types of VPNs, including Remote Access (RA), Site to Site along with options regarding using a client (such as SSL AnyConnect or the IPsec VPN client), and the clientless SSL VPN.
Maps to VPN v2 (exam 642-648) objectives: Implement a security high-level design according to policy and environmental requirements by identifying Cisco ASA AnyConnect client features and supporting technologies
3. VPN Profiles and Policies (00:35:26)
When remote access customers connect to a VPN gateway, a connection profile, user profile and up to three separate group policies can all be used to implement the rules that govern the user's VPN session. What happens when these policies conflict with each other, and how do we determine which of the policies will take precedence? In this video, Keith discusses all those questions and more as you learn about the policy flow for remote access VPNs, with examples of how to implement and verify each of the policies involved and see where they are configured.
Maps to VPN v2 (exam 642-648) objectives: Implement ASA VPN connection profiles, group policies, and user policies.
4. Implementing Clientless SSL VPNs (00:44:45)
In this video, Keith walks you through implementing a Clientless SSL VPN configuration on the ASA, based on a set of policy requirements. The process of creating a user, connection profile and policy group (and how to correctly integrate them together) will be discussed, demonstrated and verified.
Maps to VPN v2 (exam 642-648) objectives: Implement ASA VPN connection profiles, group policies, and user policies; Implement a security high level design according to policy and environmental requirements by identifying Cisco ASA clientless SSL VPN features and supporting technologies; Implement basic Clientless SSL VPN operations using ASDM
5. SSL and IPsec Technologies (00:30:01)
Both SSL and IPsec can be used to implement the authentication, data integrity and confidentiality for our VPNs. In this video, Keith takes you behind the scenes to discover how these protocols implement these features.
Maps to VPN v2 (exam 642-648) concepts: Describe SSL and IPsec technolgies
6. Plugging into the PKI (00:25:41)
One of the big benefits of SSL is that a client can authenticate a server by verifying the signature on a digital certificate. But what happens when a browser message informs the user that the certificate may not be valid? An educated user would not accept the certificate, and the SSL process would stop there. To avoid a certificate error message, our SSL VPN gateway needs to have its own identity certificate, which is correctly signed by a trusted CA server. If that trusted CA server is participating in the Public Key Infrastructure (PKI), then most of the web browsers on the planet will already trust the CA and be able to verify the CA signature on certificates the client receives (including the one sent to the client from the ASA). In this video Keith walks you through the process of adding a new CA to the ASA (authenticating the CA), and requesting an identity certificate from the CA (enrolling) with the CA. This video also demonstrates how to associate the new identity certificate with the SSL VPN server function on the ASA.
Maps to VPN v2 (exam 642-648) objectives: Implement Simple Certificate Enrollment Protocol (SCEP) operations using Cisco Adaptive Security Device Manager (ASDM); Monitor and verify the resulting CLI commands resulting from the various VPN configurations on the ASA
7. AnyConnect SSL VPNs (00:40:17)
The AnyConnect SSL VPN client software is the primary full tunnel client used for SSL VPN connections in a Cisco remote access VPN solution. In this video, Keith walks you through the logic of how the AnyConnect client works and the step-by-step process for installing and verifying that it is working correctly. Split tunneling is also introduced, explained and demonstrated in this video.
Maps to VPN v2 (exam 642-648) objectives: Implement ASA VPN connection profiles, group policies, and user policies; Monitor and verify the resulting CLI commands resulting from the various VPN configurations on the ASA; Implement a security high-level design according to policy and environmental requirements by identifying Cisco ASA AnyConnect client features and supporting technologies; Implement basic AnyConnect 3.0 full tunnel SSL VPN operations.
8. Smart Tunnels and Plugins (00:25:06)
The Clientless SSL VPN can be tweaked to allow more than just HTTP/S, FTP and CIFS through the use of plugins and smart tunnels, and still not require the end user to have local administrator rights on the local computer. The functionality of RDP, VNC, SSH and more can be facilitated through the Clientless SSL VPN. In this video, Keith discusses the features available, and how to configure and test these features.
Maps to VPN v2 (exam 642-648) objectives: Implement advanced applications access for the Clientless SSL VPN using ASDM.
9. IPsec RA VPNs (00:41:50)
IPsec Remote Access VPNs using the traditional VPN software client is still a very popular option being used to connect customers to the resources they need. In this video, Keith reviews the details of IPsec and then walks through the implementation on both the ASA and the remote computer, as well as the verification of IPsec RA VPNs from ASDM and the CLI of the ASA.
Maps to VPN v2 (exam 642-648) objectives: Implement ASA VPN connection profiles, group policies, and user policies; Monitor and verify the resulting CLI commands resulting from the various VPN configurations on the ASA; Implement basic EZVPN server operations on the ASA using ASDM
10. Digital Certificates with IPsec Clients (00:28:52)
Pre-shared keys don't scale, and the solution is to use the PKI and digital certificates on both the ASA and the clients for the authentication of IKE phase 1. In this video, Keith walks you through the step by step process of adding a digital certificate to the IPsec VPN software client, and then configuring both the client and the server to correctly use the certificates. Troubleshooting (an ever-important skill when working with VPNs) is also introduced to identify issues that might otherwise cause an IPsec VPN to fail.
Maps to VPN v2 (exam 642-648) objectives: Implement ASA VPN connection profiles; Implement certificate maps using ASDM
11. Site to Site IPsec VPNs (00:56:20)
Using the Internet, companies can build VPN tunnels between two sites, leveraging IPsec's ability to provide authentication, data integrity and authentication services. In this video Keith discusses the traditional IPsec of IKE version 1, as well as the newer IKE version 2. This Nugget includes the implementation and verification of the IKEv2 site to site technology.
Maps to VPN v2 (exam 642-648) objectives: Implement ASA VPN connection profiles and group policies; Implement a security high-level design and identify ASA IPsec S2S VPN features and supporting technologies; Implement basic IPsec S2S VPN operations with PSK using ASDM; Implement basic IKEv2 based IPsec S2S VPN operations using ASDM; Troubleshoot the initial provisioning of IPsec S2S VPNs due to misconfiguration.
12. AAA VPN Authentication (00:24:12)
(Musical intro) Whooooo are you.....who who, who who? It's a question that needs to be answered by every incoming VPN connection. In this video, Keith walks you through setting up the ASA to use a centralized RADIUS server, and how associate that server with a specific VPN connection profile. Multi-factor authentication and implementing policy from a AAA server is also discussed and demonstrated.
Maps to VPN v2 (exam 642-648) objectives: Implement local and external VPN authorization using ASDM; Implement VPN session accounting using ASDM; Implement advanced authentication using ASDM.
13. Troubleshooting Clientless SSL VPNs (00:24:52)
Why is the policy I just configured and saved, not being implemented on the VPN users who are connecting? A fine question indeed. 🙂 It could be due to SSL Clientless VPN users who are connecting on an incorrect connection profile. In this video, you join Keith as a troubleshooting team, to identify and correct several specific configuration issues that are preventing users from enjoying their SSL VPN.
Maps to VPN v2 (exam 642-648) objectives: Implement ASA VPN connection profiles, group policies, and user policies; Troubleshoot the initial provisioning of Clientless SSL VPN applications due to misconfiguration.
14. Troubleshooting AnyConnect Client SSL VPNs (00:21:26)
Is getting a virtual IP address from the ASA all that important? The answer: Yes, if you are running the AnyConnect. Will users want to access the Internet at the same time they are browsing on the Internet? The answer: Yes, definitely. In this video, you join Keith again on a troubleshooting mission, this time focused on the customer who is trying to use the AnyConnect client for access.
Maps to VPN v2 (exam 642-648) objectives: Troubleshoot the initial provisioning client-based SSL VPN applications due to misconfiguration; Troubleshoot AnyConnect SSL VPN operations using DART.
15. Troubleshooting IPsec Client VPNs (00:31:42)
Trouble, trouble and more trouble. In this Nugget, Keith walks you through troubleshooting the traditional IPsec VPN Client issues that prevent users from accessing their network resources. Many of these issues would not only cause harm to IPsec VPNs but also to the AnyConnect SSL VPNs as well. Failures investigated and solved in this video include centralized AAA services via RADIUS, incorrect user configuration, incorrect cert-to-profile mappings, incorrect group restrictions and more.
Maps to VPN v2 (exam 642-648) objectives: Troubleshoot VPN Operations; troubleshoot initial provisioning of VPNs; and implement certificate maps using ASDM.
16. Troubleshooting IPsec Site-to-Site VPNs (00:21:28)
Site-to-Site IPsec tunnels, whether using IKEv1 or IKEv2, can fail to establish due to basic connectivity or incompatible policies. In this video, you join Keith in troubleshooting why the Site-to-Site tunnel, (that normally should allow protected traffic to flow between the 10.0.0.0/24 and 10.2.0.0/24 networks), isn't working.
Maps to VPN v2 (exam 642-648) objectives: Troubleshoot VPN Operations; troubleshoot initial provisioning of VPNs.
17. Cisco Secure Desktop and DAP (00:30:50)
Cisco Secure Desktop (CSD) and Dynamic Access Polices (DAP) can be used as a powerful one/two punch to limit remote SSL Clientless and/or SSL AnyConnect users from being able to use the VPN unless the computer they are on meets certain standards, such as having antivirus or a personal firewall in place. In this Nugget, Keith walks you through the reasons for, and implementation of, CSD and DAP to improve the overall security posture of a network.
Maps to VPN v2 (exam 642-648) objectives: Implement DAP operations using ASDM; Implement Cisco Secure Desktop using ASDM; Implement a security high level design by identifying SSL VPN features and supporting technologies.
18. High Availability VPNs (00:33:49)
Users want the network to work, and when it doesn't the downtime can cause loss of revenue and frustration. In this video Keith discusses 3 options for fault tolerance for VPN users, and how to dynamically push down policies to the AnyConnect and IPsec VPN clients.
Maps to VPN v2 (exam 642-648) objectives: Implement SSL and IPsec VPN high availability features.
19. VPN Pieces and Parts (00:32:48)
There are several topics that didn't need an entire Nugget, but are still important to be aware of. In this video, Keith addresses a list of these items including more details on the Client Profile, customizing the clientless portal, additional AAA server group options and much more.
Maps to VPN v2 (exam 642-648) objectives: Identify ASA VPN licensing requirements, Implement local and external VPN authorization; Implement LOCAL CA operations; Identify IPv6 VPN capabilities; Implement the SSO features for clientless VPNs; Implement basic portal customization.
20. GNS3 and the ASA (00:31:22)
Combining this VPN video course with your own hands-on practice is key for success in certification, and more importantly, for your real-world implementation and troubleshooting of VPNs on the ASA. In this video, Keith shows you all the ingredients to build your own virtual practice lab. You are STRONGLY ENCOURAGED to practice each and every VPN that you and Keith discuss and configure in this video course.
Maps to VPN v2 (exam 642-648) objectives: Every objective that has the word "implement", "troubleshoot", or "manage" in it. (Which is close to 100 percent of the published objectives).[/wpspoiler]
