BRKSEC-3001 - Advanced IKEv2 Protocol
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• IP Security overview
• IKEv1 – Protocol Overview
• IKEv1 – Everything is good, right?
• IKEv2 – Protocol Overview & Comparison
• Summary
IP Security Overview
… or at least back to 1998
• A need for a standard secure method to communicate over the Internet
• Architecture needed:
  • Multiple Strong Authentication Methods
  • Anti-clogging (DoS)
  • Prevent Connection Hijacking
  • Linking key exchange with authentication
  • Prevent Man-in-the-middle attacks
    • Interception, insertion, deletion, replay, redirection
  • Encryption
  • Integrity
IP Security Overview
(Figure: IPsec RFC families – Cipher/Hash, Traffic Encapsulation Protocols, Protocol Definition, +many more minor additions)
Traffic Encapsulation Protocols: RFC2402 (AH), RFC2406 (ESP)
Protocol Definition: RFC2407 (IPsec DOI), RFC2409 (IKEv1)
Minor additions: RFC3947+3948 (NAT-T)
ISAKMP
• ISAKMP defines two phases:
  • Phase 1
    • Used for control plane
    • Establish secure channel between peers
    • Prove identities
    • Negotiate data plane security settings
  • Phase 2
    • Used for data plane
    • Transports the protected data
IKEv1 – Protocol Overview
IKEv1
• There are two different ‘modes’ for building Phase 1
  • Main Mode
    • 6 packet exchange
    • Full Identity protection (protects against passive surveillance)
    • Better Anti-DoS protection
  • Aggressive Mode
    • 3 packet exchange
    • Identities passed in the clear
    • Responder must authenticate himself first
    • PSK can be retrieved by an offline brute-force attack
    • Trivial to DoS
    • Faster session establishment
IKEv1- Main Mode (message 1 and 2)
• The first two messages are used to negotiate the following cryptographic attributes:
  • Authentication method*
  • Encryption cipher*
  • Integrity hash*
  • Lifetime of Security Association
  • Diffie-Hellman Key Exchange Group*
• Initiator proposes a list of combinations of the starred (*) above
• Responder picks one of the combinations proposed
• Lifetime is MIN(initiator, responder)
• NOT encrypted – Peer NOT authenticated yet
IKEv1- Main Mode (MM1)
Initiator -> Responder
HDR cookie: initiator = X (randomly generated number per session), responder = 00000000
SA (multiple crypto policies)
Vendor IDs – String or hash value. Used to advertise support for capabilities not defined in standard (i.e. NAT-T)
MM1: Unencrypted – Unauthenticated
IKEv1- Main Mode (MM2)
Responder -> Initiator
HDR cookie: initiator = X (retained), responder = Y (randomly generated per session)
SA (the selected crypto policy)
Vendor IDs – String or hash value. Used to advertise support for capabilities not defined in standard (i.e. NAT-T)
MM2: Unencrypted – Unauthenticated
IKEv1- Main Mode (message 3 and 4)
• Exchange Diffie-Hellman key values
IKEv1- Main Mode (MM3)
Initiator -> Responder
HDR (cookie i=X, r=Y)
Diffie-Hellman Key Exchange material (g^xi)
Nonce from initiator (random data [entropy + anti-replay])
Additional Vendor IDs
NAT-Discovery Payloads
MM3: Unencrypted – Unauthenticated
IKEv1- Main Mode (MM4)
Responder -> Initiator
HDR (cookie i=X, r=Y)
Diffie-Hellman Key Exchange material (g^xr)
Nonce from responder (random data [entropy + anti-replay])
Additional Vendor IDs
NAT-Discovery Payloads
[Certificate Request] – Hints of which CAs the responder trusts
MM4: Unencrypted – Unauthenticated
Diffie-Hellman Groups
Number Name
1 Group 1 - 768-bit MODP Group
2 Group 2 - 1024-bit MODP Group
5 1536-bit MODP Group
14 2048-bit MODP Group
15 3072-bit MODP Group
16 4096-bit MODP Group
17 6144-bit MODP Group
18 8192-bit MODP Group
19 256-bit random ECP group
20 384-bit random ECP group
21 521-bit random ECP group
22 1024-bit MODP Group with 160-bit Prime Order Subgroup
23 2048-bit MODP Group with 224-bit Prime Order Subgroup
24 2048-bit MODP Group with 256-bit Prime Order Subgroup
25 192-bit Random ECP Group
26 224-bit Random ECP Group
Diffie-Hellman Primer
p=23, g=5 (p and g are constants defined by the DH Group)
Alice: a=6    Bob: b=15
Alice computes g^a mod p = A = 5^6 mod 23 = 15,625 mod 23 = 8
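The primer above carried through for both parties, as an added example that is not part of the slides: it uses the slide's p=23, g=5, a=6 and b=15, adds Bob's half of the exchange, and brute-forces the toy exponent to show why the size of the group chosen from the table matters.

```python
# Added example (not from the slides): the Diffie-Hellman primer completed for
# both parties with the slide's toy values. Real IKE uses the MODP/ECP groups
# listed in the table; p=23 is for illustration only.
P, G = 23, 5          # group constants from the slide
ALICE_PRIV = 6        # a
BOB_PRIV = 15         # b


def dh_public(priv: int, p: int = P, g: int = G) -> int:
    """Public value g^priv mod p (the KE payload carried in MM3/MM4)."""
    return pow(g, priv, p)


def dh_shared(peer_public: int, priv: int, p: int = P) -> int:
    """Shared secret peer_public^priv mod p; both sides reach the same value."""
    return pow(peer_public, priv, p)


def toy_exchange():
    """Return (A, B, shared) for the slide's values."""
    A = dh_public(ALICE_PRIV)            # 5^6  mod 23 = 8, as on the slide
    B = dh_public(BOB_PRIV)              # 5^15 mod 23 = 19
    s_alice = dh_shared(B, ALICE_PRIV)   # 19^6 mod 23
    s_bob = dh_shared(A, BOB_PRIV)       # 8^15 mod 23
    assert s_alice == s_bob              # the point of the exchange
    return A, B, s_alice


def brute_force_private(public: int, p: int = P, g: int = G) -> int:
    """Recover the exponent from a public value by trying every candidate.
    Feasible only because p is tiny: the security of DH rests entirely on
    this search being infeasible for the group's real modulus size."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no exponent found")


if __name__ == "__main__":
    A, B, s = toy_exchange()
    print(f"A={A} B={B} shared={s}")
    print("a recovered from A by exhaustive search:", brute_force_private(A))
```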
IKEv1- Main Mode (message 5 and 6)
• Exchange certificate
IKEv1- Main Mode (MM5)
Initiator -> Responder
HDR (cookie i=X, r=Y)
Identity (a string value representing who I am)
Auth payload (cryptographic proof-of-possession built from pre-shared-key or digital signature)
[Initial Connect] – Optional payload to help synchronize SAs
[Certificate] – Copy of initiator’s ID cert + chain
[Certificate Request] – Hints of which CAs the initiator trusts
MM5: Encrypted
Initiator: Proving identity
Responder: Unauthenticated
IKEv1- Main Mode (MM6)
Responder -> Initiator
HDR (cookie i=X, r=Y)
Identity (a string value representing who I am)
Auth payload (cryptographic proof-of-possession built from pre-shared-key or digital signature)
[Certificate] – Copy of responder’s ID cert + chain
MM6: Encrypted
Initiator: Authenticated
Responder: Proving identity
IKEv1 – Main Mode Summary
(Figure: MM1/MM2 – Unencrypted, negotiate crypto settings; MM3/MM4 – Unencrypted, key exchange; MM5/MM6 – Encrypted, prove identities; Phase 1 complete – Encrypted & Authenticated)
IKEv1 – Aggressive Mode Summary
Initiator -> Responder: AM1 (HDR, SA, KE, Nonce, IDi, VID) – Unencrypted; negotiate crypto settings + 1st ½ of key exchange
Responder -> Initiator: AM2 (HDR, SA, KE, Nonce, VID, IDr, AUTH) – Unencrypted but authenticated; negotiate crypto settings + 2nd ½ of key exchange. AUTH payload hashed using portions of AM1+2 and derived SKEYID; responder proves identity
Initiator -> Responder: AM3 (HDR, IDi, AUTH) – Encrypted + authenticated; initiator proves identity
Phase 1 complete – Encrypted & Authenticated
IKEv1 – Phase 1
• 1st Phase is already built: it provides security and proof of whom you are communicating with
• The following operations occur over this Phase 1 SA:
• Dead Peer Detections (keepalive messages)
• Negotiation and Establishment of ESP and AH SAs (Phase 2)
• Notifications (Teardown/Deletion)
• Xauth (Username/Password Authentication) – Remote access
• Mode_CFG (IP address assignment, DNS, etc.) – Remote access
• In most deployments Phase 2 is IPsec, but other DOIs exist (e.g. GDOI).
IKEv1 – Quick Mode Phase 2
• Quick mode allows the establishment of an IPsec SA in three messages
• Things negotiated:
• Traffic to be protected
• How to be encapsulated
• How to be encrypted
• How to provide integrity
• How long the SA is valid for in time and volume of data
• If Perfect Forward Secrecy (PFS) is required
IKEv1- Quick Mode (QM1)
Initiator -> Responder
HASH(1)
SA (Transform sets, SPI)
Nonce (for replay protection)
[Key Exchange] (if PFS is desired)
Proposed Traffic Selectors
NAT address information
IKEv1- Quick Mode (QM2)
Responder -> Initiator
HASH(2)
SA (Transform set, SPI)
Nonce (for replay protection)
[Key Exchange] (if PFS is desired)
Selected Traffic Selectors
NAT address information
IKEv1- Quick Mode (QM3)
Initiator -> Responder
QM3 (just an ACK)
IKEv1- Quick Mode Summary
Initiator -> Responder: QM1 – Request (SA (Transform sets, SPI), Nonce (for replay protection), [Key Exchange] (if PFS is desired), Proposed Traffic Selectors, NAT address information)
Responder -> Initiator: QM2 – Yes or No
Initiator -> Responder: QM3 – Just an ACK
IKEv1 – Everything’s good, right?
IKEv1 – Challenges
• NAT breaks things™
• What do you mean certificates don’t scale?
• Hello… Hello…
IKEv1 – NAT breaks things™
• IPsec uses IP protocol 50 (ESP) and 51 (AH)
• 1:1 NAT
• AH can’t work – Integrity check performed over IP address fields + payload
• ESP can work – Integrity check performed only over payload
IKEv1 – NAT-T
• Solution: Encapsulate ESP packets within UDP when going through NAT
• NAT/PAT devices only see UDP packets.
• Port 4500 is reserved for IPsec over UDP
• Support for NAT-T was added with RFC 3947 and 3948
IKEv1 – Determine if NAT is in path
Topology: Initiator (IP Addr: A) -> NAT device (translates A->C) -> Responder (IP Addr: B)
MM3 – VID: leaves the initiator as IP A->B, Port 500->500; arrives at the responder as IP C->B, Port 1434->500
• Initiator computes hashes and includes them inside the packet: Hash(IP A + Port 500), Hash(IP B + Port 500)
• Responder computes hashes over the addresses it observes, Hash(IP C + Port 1434) and Hash(IP B + Port 500), and compares them against the ones inside the packet
  • Hash same -> responder not behind NAT
  • Hash different -> initiator behind NAT
MM4: leaves the responder as IP B->C, Port 500->1434; arrives at the initiator as IP B->A, Port 500->500
• Responder computes hashes and includes them inside the packet: Hash(IP C + Port 1434), Hash(IP B + Port 500)
• Initiator computes + compares hashes against the ones inside the packet
  • Hash(IP A + Port 500) different -> initiator behind NAT
  • Hash(IP B + Port 500) same -> responder not behind NAT
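The NAT-Discovery comparison above, carried through for the A -> NAT(C) -> B topology as an added example that is not part of the slides. The slide writes the payload as Hash(IP + Port); RFC 3947 defines it as HASH(CKY-I | CKY-R | IP | Port) using the Phase-1 hash algorithm, so the cookies are included here and SHA-1 is assumed; the addresses and cookies are constructed.

```python
# Added example (not from the slides): NAT-D payload construction and the
# receiver-side comparison that decides whether either peer is behind a NAT.
import hashlib
import ipaddress
import struct
from typing import NamedTuple

CKY_I = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie (X)
CKY_R = bytes.fromhex("fedcba9876543210")   # constructed responder cookie (Y)


def nat_d_hash(ip: str, port: int) -> bytes:
    """One NAT-D value: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(CKY_I + CKY_R + packed).digest()


def build_nat_d(src_ip, src_port, dst_ip, dst_port):
    """Sender's NAT-D payloads: the peer's (destination) address first, then its own."""
    return [nat_d_hash(dst_ip, dst_port), nat_d_hash(src_ip, src_port)]


class NatDResult(NamedTuple):
    local_behind_nat: bool   # our address, as the peer saw it, differs from ours
    peer_behind_nat: bool    # the peer's source on the wire differs from its own view


def check_nat_d(payloads, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver hashes what it actually observes and compares with the payloads."""
    dst_hash, src_hash = payloads
    return NatDResult(
        local_behind_nat=nat_d_hash(my_ip, my_port) != dst_hash,
        peer_behind_nat=nat_d_hash(observed_src_ip, observed_src_port) != src_hash,
    )


def slide_scenario():
    """Initiator A:500 behind a NAT that rewrites it to C:1434; responder B:500."""
    a, c, b = "192.0.2.10", "198.51.100.1", "203.0.113.5"   # constructed A, C, B
    # MM3: the initiator believes it is A:500 talking to B:500; the NAT rewrites
    # the source, so the responder sees the packet arrive from C:1434
    mm3 = build_nat_d(a, 500, b, 500)
    at_responder = check_nat_d(mm3, c, 1434, b, 500)
    # MM4: the responder hashes the addresses it observed, B:500 -> C:1434,
    # and the initiator compares them with its own view, A:500 <- B:500
    mm4 = build_nat_d(b, 500, c, 1434)
    at_initiator = check_nat_d(mm4, b, 500, a, 500)
    nat_t_needed = any(at_responder) or any(at_initiator)   # float to UDP/4500
    return at_responder, at_initiator, nat_t_needed


if __name__ == "__main__":
    print(slide_scenario())
```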
IKEv1 – NAT-T
• Normal Case:
• UDP/500 for control channel
• ESP or AH for data channel
• Problem: Stateful firewalls (NAT devices) can prevent the control channel communication due to inactivity even when data channel is actively used.
• NAT Case:
  • Send both control channel and data channel over UDP/4500
ESP Payload: SPI | SEQ | DATA | TRAILER
ESP (data) traffic: IP A->B | UDP Port 4500->4500 | ESP Payload -> after NAT: IP C->B | UDP Port 6234->4500 | ESP Payload
Control Traffic: IP A->B | UDP Port 4500->4500 | 0000 + IKE Message -> after NAT: IP C->B | UDP Port 6234->4500 | 0000 + IKE Message
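Demultiplexing the two kinds of traffic that share UDP/4500 once NAT-T is in use, as an added example that is not part of the slides: ESP-in-UDP begins directly with the ESP header, while IKE-in-UDP is prefixed with the 4-byte zero non-ESP marker shown as 0000 above (RFC 3948 also defines a one-byte 0xFF NAT-keepalive). The sample datagrams are constructed, not captured.

```python
# Added example (not from the slides): classify a UDP/4500 payload as
# IKE (non-ESP marker), ESP (SPI first) or NAT-keepalive, and decode its header.
import struct
from dataclasses import dataclass

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HDR_LEN = 28   # SPIi(8) SPIr(8) NP(1) Ver(1) XchgType(1) Flags(1) MsgID(4) Len(4)


@dataclass
class EspInUdp:
    spi: int
    seq: int
    body: bytes            # encrypted DATA + TRAILER, opaque without the SA


@dataclass
class IkeInUdp:
    initiator_cookie: int  # IKEv1 "cookie" / IKEv2 "SPI"
    responder_cookie: int
    version: int
    exchange_type: int
    length: int


def parse_udp4500(datagram: bytes):
    """Return ('KEEPALIVE', None), ('IKE', IkeInUdp) or ('ESP', EspInUdp)."""
    if datagram == NAT_KEEPALIVE:
        return "KEEPALIVE", None
    if datagram.startswith(NON_ESP_MARKER):
        msg = datagram[len(NON_ESP_MARKER):]
        if len(msg) < ISAKMP_HDR_LEN:
            raise ValueError("truncated ISAKMP header")
        ci, cr, _np, ver, xchg, _flags, _msgid, length = struct.unpack(
            "!QQBBBBII", msg[:ISAKMP_HDR_LEN])
        if length != len(msg):
            raise ValueError("ISAKMP length field does not match datagram")
        return "IKE", IkeInUdp(ci, cr, ver, xchg, length)
    if len(datagram) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", datagram[:8])   # a zero SPI would have matched the marker
    return "ESP", EspInUdp(spi, seq, datagram[8:])


def constructed_samples():
    """Hand-built datagrams: one ESP, one IKEv1 MM1 header, one keepalive."""
    esp = struct.pack("!II", 0x0A1B2C3D, 7) + bytes(range(16))   # SPI, SEQ, opaque body
    # IKEv1 MM1: responder cookie 0, next payload 1 (SA), version 0x10,
    # exchange type 2 (Identity Protection), flags 0, message id 0, header only
    ike = NON_ESP_MARKER + struct.pack(
        "!QQBBBBII", 0x0123456789ABCDEF, 0, 1, 0x10, 2, 0, 0, ISAKMP_HDR_LEN)
    return {"esp": esp, "ike": ike, "keepalive": NAT_KEEPALIVE}


def classify_all():
    return {name: parse_udp4500(d)[0] for name, d in constructed_samples().items()}


if __name__ == "__main__":
    for name, d in constructed_samples().items():
        print(name, parse_udp4500(d))
```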
IKEv1 – Certificates
• Authentication can use certificates
• Problem 1: Peer must know which CAs are trusted by peer
• Explicit configuration doesn’t scale
IKEv1 – Certificates
(Figure: MM4 (HDR, Nonce, KE, VID, [CERT-REQ]) – the responder's CERT-REQ names the CAs it trusts: CA1, CA2, CA3. The initiator holds certificates from CA4 (ID4), CA2 (ID2) and CA5; only ID2, issued by CA2, matches a trusted CA (✔); the CA4 and CA5 certificates do not (✗))
IKEv1 – Pre-shared-keys
• Keys are linked to an identity: IP address, FQDN, Email, Distinguished Name
IKEv1 – Dead Peer Detection
• Problem: We haven’t received any packet from our peer. Is he dead or just nothing to say?
• Solution: RFC 3706 - Send a message asking if he is alive
Peer1 -> Peer2: Notify(R-U-THERE)
Peer2 -> Peer1: Notify(R-U-THERE-ACK)
IKEv2 – Overview (Finally!)
IKEv2 – Goals (What did we learn)
• Define IKEv2 in one document rather than a combination of many
• Reduce setup latency by reducing number of messages
• More secure
• Always provide identity protection (No Aggressive mode)
• PSK is not used in crypto key generation*
• Provide additional authentication mechanisms (EAP)
• Allow more flexible authentication choices (asymmetrical)
• Exchange of routes and attributes
• Reduce number of options/methods – simplify implementations
IKEv2 – Session Establishment Overview
(Figure comparing IKEv2 with the IKEv1 Main Mode + Quick Mode exchanges)
Initiator <-> Responder: IKE_SA_INIT exchange – Unencrypted + Unauthenticated; negotiate SA
Initiator -> Responder: IKE_AUTH Req – prove identity and create phase 2
Responder -> Initiator: IKE_AUTH (HDR, IDr, AUTH, CREATE_CHILD_SA, [CERT]) – corresponds to IKEv1 MM6 (IDr, AUTH, [CERT]) + QM3
IKEv2 – 2nd Child SA Establishment
Initiator -> Responder: CREATE_CHILD_SA Req – SA (Transform sets, SPI), Nonce (for replay protection), [Key Exchange] (if PFS is desired), Proposed Traffic Selectors, NAT address information
Responder -> Initiator: CREATE_CHILD_SA Res
IKEv2 is super-hero fast right?
IKEv2 – Faster exchange right?
• “It depends!”
• Exponentiation is done after 1st packet
• Vulnerable to DOS spoofing attack!
• When IKEv2 *might* be under attack, add another exchange prior to exponentiation to confirm source reachability
(Figure: the responder answers the first request with a cookie; the initiator then retries with IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D, N(COOKIE)) ✔)
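A stateless responder-side cookie check of the kind the N(COOKIE) exchange above enables, as an added example that is not part of the slides: while "under attack" the responder keeps no state and does no exponentiation until the initiator echoes a cookie, which proves it can receive at its claimed source. The cookie shape follows the RFC 7296 section 2.6 suggestion, <VersionID> | Hash(Ni | IPi | SPIi | secret), with HMAC-SHA256 as the hash; the SPIs, nonces, addresses and secret are constructed for the demo.

```python
# Added example (not from the slides): gate the expensive DH step behind a
# stateless cookie round trip, and count how many IKE_SA_INIT exchanges a
# well-behaved initiator needs with and without it.
import hashlib
import hmac
import secrets


class StatelessCookieResponder:
    def __init__(self, under_attack: bool):
        self.under_attack = under_attack
        self.secret_version = 1
        self.secret = secrets.token_bytes(32)   # rotated periodically in real use
        self.exponentiations = 0                # the expensive step we want to gate
        self.half_open = {}                     # SAs we hold state for

    def mint_cookie(self, spi_i: bytes, nonce_i: bytes, ip_i: str) -> bytes:
        """<VersionID> | HMAC(secret, Ni | IPi | SPIi): recomputable, so no state."""
        mac = hmac.new(self.secret, nonce_i + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac

    def handle_ike_sa_init(self, spi_i, nonce_i, ip_i, cookie=None):
        """Return ('N(COOKIE)', cookie) to demand a retry, else ('IKE_SA_INIT Res', spi_r)."""
        if self.under_attack:
            expected = self.mint_cookie(spi_i, nonce_i, ip_i)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "N(COOKIE)", expected      # cheap: no state kept, no DH done
        self.exponentiations += 1                 # only now compute g^r (stand-in)
        spi_r = secrets.token_bytes(8)
        self.half_open[spi_i] = {"ip": ip_i, "spi_r": spi_r}
        return "IKE_SA_INIT Res", spi_r


def ike_sa_init_round_trips(responder, spi_i, nonce_i, ip_i) -> int:
    """IKE_SA_INIT request/response pairs a well-behaved initiator needs."""
    cookie = None
    for attempt in (1, 2):
        kind, data = responder.handle_ike_sa_init(spi_i, nonce_i, ip_i, cookie)
        if kind == "IKE_SA_INIT Res":
            return attempt
        cookie = data                             # echo N(COOKIE) in the retry
    raise RuntimeError("cookie was not accepted")


def simulate():
    """Return (round trips when calm, round trips under attack, spoof verdict, DH count)."""
    spi_i, ni = b"\x01" * 8, b"\xaa" * 16         # constructed SPIi and Ni
    calm = StatelessCookieResponder(under_attack=False)
    busy = StatelessCookieResponder(under_attack=True)
    trips_calm = ike_sa_init_round_trips(calm, spi_i, ni, "192.0.2.10")
    trips_busy = ike_sa_init_round_trips(busy, spi_i, ni, "192.0.2.10")
    # A cookie minted for one source address does not validate for another, so
    # a request carrying a spoofed source never reaches the exponentiation step.
    cookie_for_a = busy.mint_cookie(spi_i, ni, "192.0.2.10")
    spoof_kind, _ = busy.handle_ike_sa_init(spi_i, ni, "198.51.100.7", cookie=cookie_for_a)
    return trips_calm, trips_busy, spoof_kind, busy.exponentiations


if __name__ == "__main__":
    print(simulate())   # (1, 2, 'N(COOKIE)', 1)
```

The round-trip counts are the "4 packets" versus "+2 for anti-spoofing" of the packet accounting later in the deck.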
IKEv2 – Faster exchange right? Part 2
• Key establishment is done in first two packets.
• Initiator must guess which DH group his peer will accept
• If wrong/unacceptable group is sent, responder will hint and say ‘try again’
(Figure: responder: "DH mismatch. Try again with group 14"; initiator resends IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D) – "OK good this time!")
IKEv2 – Faster exchange right? Part 3
• EAP authentication of client
• EAP messages are carried within IKE_AUTH messages
• Adds multiple IKE exchanges back and forth between client and NAS
• N x exchanges – Depends on EAP method
IKEv2 – EAP Authentication
• EAP authentication of client.
• Adds N number of additional exchanges between peers
Initiator -> Responder (NAS): IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D)
Responder (NAS) -> Initiator: IKE_SA_INIT Res (HDR, SA, VID, KE, Nonce, NAT-D, [CERT-REQ])
Initiator -> Responder (NAS): IKE_AUTH (HDR, IDi, CREATE_CHILD_SA, N(IC), [CERT],[CERT-REQ])
Responder (NAS) -> Initiator: IKE_AUTH (HDR, IDr, AUTH, [CERT],EAP)
Initiator -> Responder (NAS): IKE_AUTH (HDR, EAP)   } N times; the NAS relays the EAP
Responder (NAS) -> Initiator: IKE_AUTH (HDR,EAP)    } conversation to the AAA Server over RADIUS
IKEv2 – Faster exchange right? Part 4
• 4 packets for basic exchange
• +2 for Anti-spoofing (if detected)
• +2 for incorrect DH group
• +(2 x N) exchanges for EAP Authentication
IKEv2’s shiny super abilities
IKEv2 – More Secure!!!!!
• Reuses encapsulation model from ESP for all IKEv2 messages
• Certificate Request are obfuscated
• Support for combined mode ciphers (AEAD)
• EAP versus XAUTH
• No need for a group pre-shared-key
• NAS never sees user/password in clear
IKEv2 – Flexible Authentication Methods
• Unlike IKEv1, authentication is done uni-directionally in IKEv2
• Different pre-shared-keys can be used for local and remote
• Different authentication methods can be used for local and remote
• Example on IOS:
crypto ikev2 profile Profile1
 identity local fqdn hub.example.com
 authentication remote pre-share
 authentication remote eap
 authentication local rsa-sig
Peer can use either EAP or Pre-Shared-Key; we will use certificate (rsa-sig) locally.
IKEv2 – Rekeys
IKEv1: IPSec SAs can let parent Phase-1 expire. New Phase-1 setup when DPD or rekey needed.
IKEv2: IKEv2 always-on SA. If IKEv2 dies it deletes child IPSec SAs.
IKEv1: Lifetimes are negotiated and tracked on both sides.
IKEv2: Lifetimes are locally significant. Whichever peer’s timer pops first sends a Delete for the SA.
IKEv1: Phase-1 rekey is a complete whole new handshake (forces re-authentication).
IKEv2: Phase-1 rekey is handled in CREATE_CHILD_SA exchange (no re-authentication).
IKEv2 – Notifications/Deletes
• In IKEv1 Notifications are ‘fire and forget’
• In IKEv2 Notifications are exchanges – need to be ACKed
• Problem if peer has died!
• Need to wait until re-xmits complete before delete SA from DB
IKEv2 – Attribute Exchange
• Config Request/Reply - Solicited
  • Remote access use case: IP address, DNS, WINS, Split-tunnel
• Config Set/Ack – Unsolicited
  • IKEv2 routing
  • Version info
• Extensible for future
Typical DMVPN Tunnel Deployment
• Every 5 seconds send: 74 byte EIGRP hello packet -> 168 byte ESP packet
• 175 MegaBytes per spoke, per month
IKEv2 – Fragmentation
• Large IKE messages make large UDP datagrams
• Packets get fragmented at IP layer
• Filtering/Blocking of fragments causes protocol failure
• Solution: Fragment at Application layer
• IKEv1 – Proprietary
• Encrypt then segment across multiple UDP packets
• IKEv2 – Standard, RFC7383
• Segment then encrypt
Where to use?
FlexVPN – Simplified IOS implementation
• Smart defaults
• Virtual Tunnel Interface based (point-to-point)
• Interoperability
• Unified configuration
• Multiple redundancy options
• Simple config for basic topology
• Customizable for complex network requirements
• More explicit and easier to understand debugs
Almost everything is already taken care of for you!
Just provide: who to connect to & password.
hostname site1
!
interface Tunnel0
 ip address 10.1.12.1 255.255.255.0
 tunnel source Ethernet0/1
 tunnel destination 172.18.3.52
 tunnel protection ipsec profile ipsecProf1
!
crypto ipsec profile ipsecProf1
 set ikev2-profile ikev2Prof1
!
crypto ikev2 profile ikev2Prof1
 match identity remote address 172.18.3.52 255.255.255.255
 authentication local pre-share key key2
 authentication remote pre-share key key1
(Figure: Site1 <-> Site2)
FlexVPN Supported Deployment models:
Site-to-Site
Spoke-to-Spoke
IKEv2 also supported with:
• DMVPN/iWAN 2.x
• Crypto maps
• GET-VPN (G-IKEv2)
(Figure: Site-to-Site and Spoke-to-Spoke topologies across ISP-1 and ISP-2)
IKEv2 – IOS better debugs
• Debugs are well structured and explicit
• Mirrors the protocol flow
• Delineates the transitions in Finite State Machine
Cisco Press Book ‘IKEv2 IPsec VPNs’ by Amjad Inamdar & Graham Bartlett
Listed in the CCIE Security reading list: https://learningnetwork.cisco.com/community/certifications/ccie_security/written_exam/study-material
Customer Reviews
• One of the best technical books I've read: This book is the IKEv2 VPN equivalent of Jeff Doyle's Routing TCP/IP Vol 1 & 2 - a must read for any network security engineer wanting to design and build secure VPN's. One of the best technical books I've read.
• Superb book and well worth the money for anyone even thinking about Cisco crypto: This book is the most comprehensive book on IKEv2 for Cisco network engineers that you will find and is all about real-world scenarios.
• Brilliant: It's well worth the money. I feel like I know the subject thoroughly now. I don't usually leave reviews but was motivated to in this instance. Good job, highly recommended.
• Great Book: Very in depth and detail explanations. It has greatly enhanced my understanding of IKEv2, IPSec, and Cisco's implementations.
Summary
• IKEv1 works well, but needed many add-ons to shine
• IKEv2 built those add-ons into standard
• IKEv2 easier to understand + troubleshoot
• IKEv2 has better security model + SuiteB support
• v1 and v2 are incompatible
• IOS (FlexVPN) simplifies config, allows vendor interoperability and is highly scalable
Cybersecurity Cisco Education Offerings
Course – Description – Cisco Certification
• Understanding Cisco Cybersecurity Fundamentals (SFUND) – The SECFND course provides understanding of cybersecurity’s basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills. – CCNA® Cyber Ops
• Implementing Cisco Cybersecurity Operations (SECOPS) – This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level. – CCNA® Cyber Ops
• Securing Cisco Networks with Threat Detection and Analysis (SCYBER) – Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, Event monitoring, security event/alarm/traffic analysis (detection), and incident response – Cisco Cybersecurity Specialist
• Cisco Security Product Training Courses – Official deep-dive, hands-on product training on Cisco’s latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco Education Offerings
Course – Description – Cisco Certification
• New! CCIE Security 5.0 – CCIE® Security
• Implementing Cisco Edge Network Security Solutions (SENSS) – Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls – CCNP® Security
• Implementing Cisco Threat Control Solutions (SITCS) v1.5 – Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security – CCNP® Security
• Implementing Cisco Secure Access Solutions (SISAS) – Deploy Cisco’s Identity Services Engine and 802.1X secure network access – CCNP® Security
• Implementing Cisco Secure Mobility Solutions (SIMOS) – Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions – CCNP® Security
• Implementing Cisco Network Security (IINS 3.0) – Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features – CCNA® Security