642-736 IAUWS Exam Topics (Blueprint)

642-736 IAUWS Exam Topics (Blueprint)

Exam Description

The 642-736 IAUWS Implementing Advanced Cisco Unified Wireless Security exam is the exam associated with the CCNP Wireless certification. This exam assesses a candidate's capability to secure the wireless network from security threats via appropriate security policies and best practices, to properly implement security standards, and to properly configure wireless security components. Candidates can prepare for this exam by taking the IAUWS Implementing Advanced Cisco Unified Wireless Security course.

Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.

I.  Integrate client device security

A.  Configure client for secure EAP authentication (EAP-FAST, TLS, PEAP, two factor authentication)

B.  Configure the CSSC.

C.  Understand impact of security configurations on application and client roaming.

D.  Troubleshoot client wireless connectivity issues (packet analyzers, debugs, logs, WCS, ACS)

• Understand client security risks (driver update, MS hot fixes)

II. Design and integrate wireless network with NAC

A.  Understand the architectures; inband, out-of-band

• Agent vs. agent less

B.  Describe the high level authentication process flow

• NAC Appliance Server
• NAC Appliance Manager
• WLC

C.  Configure the WLC for NAC

III.Implement secure wireless connectivity services

A.  Configure authentication

• Controller with or without external LDAP database
• H-REAP APs for WAN failure
• 802.1X authentication for APs

B.  Configure management frame protection on clients and controllers

C.  Configure IBN (RADIUS based VLAN and ACLs,  AAA override)

D.  Configure ACS for integration with wireless network

E.  Configure client and server side digital certificate services

F.  Implement ACLs on controller

• CPU ACLs
• WLAN,  interface, client identity ACLs

G.  Troubleshoot secure wireless connectivity services:

• Packet analyzers, debugs, logs, WCS, ACS
• Firewall ports

IV.Design and implement Guest Access services

A.  Understand the architectures for guest access services

• VLAN-based
• Anchor/DMZ/redundancy/scaling
• Wired guest access
• Bandwidth limiting

B.  Configure guest access accounts

• Lobby ambassador (controller, WCS-based)
• Static
• NAC guest server

C.  Configure controller web auth

• Pass through
• Internal/external
• Authentication
• Email
• Custom splash page (internal/external/per WLAN)
• Understand design considerations (DNS, proxy)
• Pre-authentication ACL
• Wired guest access

D.  Configure the anchor and internal controllers

E.  Troubleshoot guest access issues:

• Debugs, logs, WCS, ACS
• Firewall ports
• Mping and eping
• Proxies

V.Translate organizational and regulatory security policies and enforce security compliances

A.  Describe regulatory compliance considerations, such as: HIPAA, PCI, SOX

• PCI Audit

B.  Segment traffic into different VLANS, based upon:

• Security
• Application
• QoS

C.  Configure admin security on controller:

• TACACS+
• Local
• Radius
• Access point admin credential

D.  Manage WLC/WCS alarms:

• SNMP/Trap receivers
• Syslog
• SMTP
• MARS
• ACS log

E.  Describe security audit tools

• AirMagnet
• Penetration testing

VI.Configure native WLC security feature sets - IPS/IDS

A.  Utilize WCS or controller for IDS and threat mitigation strategies, such as:

• Signature
• Custom signature
• Rogue classification management/(auto) containment
• Rogue reporting/location (WCS only)
• Switchport tracing (WCS only)
• Integrate Cisco spectrum expert to WCS
• Client exclusion

B.  Categorize and mitigate wireless vulnerabilities, such as:

• 802.11 client driver fuzzing (can't be mitigated)
• Client misconfiguration
• DoS (RF jamming)
• Anomalous behavior attacks (i.e. association/authentication attacks)
• Signature attacks (i.e. NetStumbler - undetectable at this time)
• Eavesdropping (i.e. wild packets, Honeypot)
• High jacking (mimicry) (i.e. evil Twin, HoneyPotting)
• Social engineering (i.e. human attack)

VII.Integrate wireless network with advanced security platforms - IPS/IDS

A.  Understand Cisco's end-to-end security solutions and how they integrate with Cisco's wireless solutions, such as:

• CS-Mars
• NAC appliance
• NAC guest server
• Wired IPS
• ACS, CSA,  etc.

B.  Understand the CUWN firewall port configuration requirements

• ACLs
• IP port pass-through
• DMZ
  

C.  Configure the controller for wired IPS/IDS

• Including adaptive IDS (MSE)

D.  Configure CSA

출처 : www.cisco.com