Title: CCNP Security VPN 642-648 Official Cert Guide (2nd Edition)
Authors: Howard Hooper
Publisher: Cisco Press
Published: July 2nd, 2012
Edition: 2nd Edition
Reviewer: Arani Mukherjee
The Cisco CCNP Security VPN title is aimed at network administrators, network security administrators, network architects and experienced network professionals who need to apply security principles and features to their networks. In the complex world of network security, in-depth experience of and understanding of networking is a prerequisite before one can start applying security principles.
This book is a product of the Cisco VPN programme, which was geared towards remote-access and site-to-site VPN features and products. These features and products have been integrated into the Cisco ASA family of devices and their associated software. As always, this book serves a dual purpose: a source of knowledge on one hand and the primary text for the CCNP Security VPN certification on the other. So let’s take a round trip of the chapters and understand the key benefits of pursuing the certification and gathering the expertise.
A word of caution before embarking on the trip: this book deals a great deal with Cisco ASA devices; however, it should not be mistaken for a guide or a manual for the ASA family. The author has made the safe assumption that the reader already has adequate knowledge, experience and expertise in the various types of Virtual Private Networks and in the ASA architecture. If you don’t tick any of those boxes, look away now before you find yourself confused beyond recovery!
The book, being part of the Cisco family of technical documentation, obviously has the inherent DNA of its peers. So, as a routine, let me emphasise the presence of the usual winning features: ‘Do I Already Know This?’ quizzes at the start of each chapter, key topic pointers, note sections, and a very clear topical approach to the entire subject matter. Expect this from every Cisco publication. Any deviation from this approach and I would strongly recommend you check whether you are actually reading a genuine Cisco title.
The formative chapters dedicate sufficient space to explaining the concept of VPNs and their key benefits. As mentioned before, this publication uses the ASA family extensively (and yet it is not an ASA manual), and it serves the purpose of covering the VPN methods and associated protocols supported by ASA devices. One of the key objectives of a VPN is to allow remote access to resources and, for that to be managed securely, an administrator must be able to control access to those resources. This is where the concept of group policies and inheritance models comes into play. Once these issues have been dealt with, the title closes its conceptual treatment of VPN technologies. From here onwards, the book deals with the implementation and deployment of various VPN solutions. Each VPN solution is discussed in depth to ensure the reader has no holes in their understanding.
The author has taken special care to explain every facet of VPN technologies. The approach is straightforward. Once a particular VPN type has been explained, along with the circumstances under which such a VPN can be implemented, the author goes on to show how to deploy a vanilla version of it. Then comes a detailed explanation of some advanced techniques, followed by customisation. This is followed by a very important topic: authentication and authorisation of users on that particular type of VPN. As an administrator, once you have established an all-singing, all-dancing VPN, you can start working on its availability and performance aspects. This treatment is given to both Clientless SSL VPN and AnyConnect Remote Access VPN.
Once the issue of allowing remote users access to network resources has been dealt with, it is time to ensure that users do not pose a security threat once they are connected to those resources. As a network administrator, you will have control over who connects to a network resource. You enforce that by deploying security, authentication and authorisation. What you must also consider as part of your security objectives is how to manage the devices that users are using to connect to network resources via the VPN. The subsequent chapters deal with this issue. They discuss the concept of Cisco Secure Desktop, which has been built specifically to provide a secure local environment while users access network resources. When a user has disconnected from a resource, any cached settings and credentials that were used can be cleared to prevent replay or session-based attacks, identity theft and the like.
Up until now, all discussion has been inside the arena of the VPN service provider. Nothing has been said about the clients who would be using the VPN technology to connect to the remote network and its associated resources. From here onwards, the book deals with that side. Firstly, the good old Cisco VPN Client is discussed.
Topics covered include the deployment, installation, setup and management of this software on the client side. The concept of the Easy VPN Solution is introduced here as well. And here again, the author follows the same trajectory of explanation: introduction → deployment → advanced techniques → customisation → authorisation → availability and performance. Topics related to implementing VPNs using ASA hardware are discussed along with IPsec site-to-site VPN deployment, and again the same path is followed all the way to availability and performance. The regular exam-related resources are present as well, i.e. Exam Preparation, appendices and CD media with memory tables etc., which form the last pitstop of this book.
Ensuring network security is a long and arduous journey and, with an increasing number of people going around with the intent to disrupt networks and jeopardise network resources, it is imperative that, as a network administrator, you ring-fence what is valuable. This title, and the associated certification, is an essential tool for that very purpose. This is not a beginner’s guide, but the author has done a brilliant job of ensuring the concepts are clear and the understanding of the technologies is solid.
This is a ‘must have’ weapon in your arsenal of network security.