Securing Virtual Private Networks (642-511)
Cisco's newest version of this product-specific exam for aspiring CCSPs requires in-depth exposure to Cisco VPN products, configuration and some troubleshooting.


by Andy Barkl

2/21/2006 -- The Cisco Certified Security Professional (CCSP) certification requires that you hold a current Cisco Certified Network Associate (CCNA) and pass five exams. The five exams are generically referred to as SNRS, SNPA, IPS, SND and HIPS or CSVPN (see "Cisco Updates Security Certs with New Exams"). Recertification is accomplished by passing the CCSP exam 642-541 CSI: Cisco SAFE Implementation, or a Cisco Certified Internetwork Expert (CCIE) written exam. The CSVPN exam, like the other CCSP exams, will recertify your CCNA or Cisco Certified Design Associate (CCDA) when passed. Cisco certifications are valid for a period of three years.

Exam Spotlight

Exam: #642-511: Cisco Secure Virtual Private Networks (CSVPN)
Vendor: Cisco Systems
Status: Live. Available at Pearson Vue and Prometric testing centers worldwide.
Reviewer's Rating: "You'll need to be familiar with the Cisco VPN 3000 series concentrator, 3002 hardware client and the architecture of IPSec."
Test Information: 55 to 65 questions, 75 minutes, passing score of 790 out of 1,000 points. Cost: $125 (U.S.).
Who Should Take This Exam? Candidates for CCSP certification.
Test Objectives: published by Cisco.

As I've said in past CCSP exam reviews, it doesn't necessarily matter (in my opinion) which of the five exams you take first or in what order. They don't always build upon one another. The CCSP exams make for a well-rounded Cisco security professional; you'll also receive an INFOSEC letter of recognition from the National Security Agency (NSA) and the Committee on National Security Systems (CNSS). Very cool! For more information on this, see the NSA/CNSS recognition program.

Just to give you some background on where I'm coming from for this exam…I completed my Cisco Certified Network Professional (CCNP) and Cisco Certified Design Professional (CCDP) a few years ago but have yet to complete a Cisco security certification. I've also taken and reviewed the vendor-neutral CompTIA Security+ exam and the (ISC)2's CISSP title, so I have to say vendor-specific security exams are quite different in many respects.

Exam Basics
Last year I passed and reviewed an older Cisco security exam, the now-retired Cisco PIX Firewall exam, which was very product-centric. (I'll review its replacement SNPA in the coming months.) Similarly, the CSVPN security exam is all about Cisco's VPN products. Most Cisco security exams are about understanding Cisco's viewpoint on security, and how their sales, marketing and products fit within the network.

This exam is the most product-specific of the series and requires an understanding of the Cisco VPN 3000 series concentrator, 3002 hardware client and the architecture of IPSec. Hands-on experience will be a plus! Exam questions covered how to configure the Cisco VPN 3000 series concentrator, 3002 hardware client, and IPSec in a Cisco network.

I received 58 questions and was given 75 minutes to complete the exam, including two simulation questions. The passing score was 790 on a scale of 300 to 1,000 possible points. Like all Cisco exams that I've ever taken, you can't move back through the question set or mark or review your answers like you can on most other vendor certification exams. I find Cisco exams easier overall, with many of the questions in the form of one or two sentences with only one correct answer.

This exam does include simulation-based questions, and they were similar in complexity and configuration to those I found on the CCSP SNRS and retired CSPFA exams -- with one exception. These simulation-based questions will require you to write down or memorize logins, passwords and configuration requirements. I found that once I clicked past the opening screen of configuration data, I was unable to return. These types of questions present a company's network scenario, topology and usually a partial configuration. You're required to complete the remaining configuration by navigating the Cisco device's command-line environment. The opening screen of these types of exams warns you about spending too much time in any one simulator; it recommends no more than 10 minutes each. Running short on time for this exam shouldn't be an issue for most candidates, but you'll need to pace yourself during the simulators.

People usually ask about the simulator questions: Is there partial credit? If you don't save your configuration, will it be marked incorrect? I approach simulation questions just as I would in the real world: I execute the required commands to configure the router, switch or VPN device, show the configuration, save and verify my work. Many times a help function is available if you need it, but usually it's limited. The simulation questions are generally more difficult than the more common multiple-choice questions. This exam also includes a couple of pick-and-place type questions.

Exam Preparation
There is an official Cisco instructor-led course, CSVPN, and self-study guides are available. I found everything I needed within the Cisco Press book "The Complete Cisco VPN Configuration Guide" (ISBN 1587052040). Cisco Press has also published CCSP Flash Cards and Exam Practice Pack. I didn't find them necessary for this exam, but I believe it varies for candidates based on experience, individual test-taking skills and comfort level. If you don't have access to the previously mentioned book, I highly recommend you read the VPN 3000 Concentrator (PDF) and VPN Client Administrator (PDF) guides from Cisco.com.

Exam Objectives
A CCSP requires knowledge and hands-on experience with many Cisco network security products and technologies. The CSVPN exam covers these from an identification, implementation and configuration point of view. In this article, I'll address some of the main areas to study for this new exam by mapping to the official exam objectives, which Cisco publishes on its site.

The main objectives of the CSVPN exam are to describe, configure, verify and manage the Cisco VPN 3000 Concentrator, Cisco VPN Software Client, and Cisco VPN 3002 Hardware Client feature set. Because the CCNA is a prerequisite (i.e., you must hold a valid CCNA to obtain the CCSP), that's where you should start to obtain the fundamental knowledge about how to configure and troubleshoot Cisco devices. The CCNA will also introduce LANs, WANs, ACLs and many other fundamentals that are essential before taking this exam.

The exam's subtopics include understanding VPNs, IPSec, remote access, NAT and digital certificates. If you've studied for, understood and passed the CompTIA Security+ exam, you'll have a good foundation.

Configuring the Cisco VPN 3000 Series Concentrator
The Cisco VPN 3000 Series Concentrator is accessed and controlled using the VPN Concentrator Manager, an HTML-based interface that enables you to configure, administer, monitor and manage the VPN 3000 Series Concentrator via a Web browser. To use it, connect to the concentrator with a PC and browser on the same private network as the concentrator. The manager uses the standard client/server protocol HTTP, which is a cleartext protocol; you can also connect to the manager securely using an encrypted HTTP connection over SSL. The default login for the manager is username "admin" with the password simply "admin" (a default that should be changed before the concentrator goes into service). From the Configuration screen, you can configure interfaces, system-wide parameters, users and groups, policies, tunneling and security. Being familiar with each of these is imperative for the exam!

Typically, you configure at least two network interfaces for the concentrator to operate as a VPN device: usually Ethernet 1 is designated as private and Ethernet 2 as public. The concentrator uses filters to control data traffic passing through the device. Group and user filters control that group's or user's data traffic, whereas interface filters control all data traffic crossing the interface. The VPN concentrator's network interfaces usually connect to a router that routes data traffic to other networks. The concentrator supports static routes, RIP version 1 and 2, and OSPF version 2.

Exam Tip: You can apply filters to both interfaces and to groups and users.

Configuring an interface includes an IP address, applying a filter, setting the speed and transmission modes and configuring routing protocols. This can be accomplished by either clicking the interface link in the status table or by using the mouse pointer to select the module on the device image.

System configuration involves configuring parameters associated with the concentrator's system-wide functions:

  • Servers: Identifying servers for authentication, authorization, accounting, DNS, DHCP, firewall and NTP.
  • Address Management: Assigning addresses to clients as a VPN tunnel is established.
  • IP Routing: Configuring static routes, default gateways, OSPF, global DHCP and so on.
  • Management Protocols: Configuring and enabling built-in servers for FTP, HTTP/HTTPS, TFTP and so on.
  • Events: Handling system events via logs, FTP backup, SNMP traps, syslog, SMTP and e-mail.
  • Client Update: Automatically updates client software.

The VPN 3000 Concentrator supports external RADIUS authentication/authorization servers such as CSACS, as well as an internal server configured within the concentrator. The internal server limits the number of groups and users to 100. RADIUS can also be used for user authentication when requesting VPN access. If you're authorizing a Cisco VPN 3002 Hardware Client, the VPN Concentrator authorizes the hardware client itself, not the hosts behind it. More on hardware clients later.

The manager also lets you configure options for assigning addresses to clients as a tunnel is established. A client must have an IP address to function as a tunnel endpoint and connect to the internal network. However, this is not its routable public address; that is assigned and managed separately by its ISP or other public network entity. Client-requested DHCP, static pools and authentication server-assigned addresses are all available choices.

If you recall, IP routing support comes in three options with the concentrator: static, RIP and OSPF. One thing to keep in mind is that encrypted routed packets must first be passed to the tunneling-protocol subsystem (IPSec, L2TP and so on) before their Layer 3 header information can be read. You also configure default gateways, OSPF areas and a feature called reverse route injection, whereby the concentrator adds static routes for connected and supporting VPN 3002 hardware clients and advertises them in its RIP or OSPF updates out the public network interface.

Management protocols come in many forms: FTP, HTTP/HTTPS, TFTP, etc. This is where the concentrator administrator enables and configures the protocols used for flash memory and software updates, remote management and Telnet access.

An event is defined as an occurrence with significant meaning within or affecting the VPN 3000 Concentrator, such as an alarm, SNMP trap error condition, network problem, task completion, threshold limit or status change. The concentrator records events in an event log, which is stored in NVRAM. You can also configure specific events to trigger a console message, a syslog record or an e-mail message. There are many classes and severity levels supported by the concentrator's event-handling facility, but they are not necessarily tested on this exam. The event notification types and destinations, such as SNMP or e-mail, are configured through the browser screen Configuration-System-Events.

Configuring the Cisco VPN Software Client
Managing VPN Client software in a network with many devices in different locations can require a whole lot of time. The VPN 3000 Concentrator includes a client update feature that simplifies the process. The process works slightly differently for the software-based VPN clients than for the Cisco VPN 3002 client. The client software update feature allows you, from a central location, to automatically notify VPN client users when it's time to update their VPN client software. When the client update feature is enabled and the VPN client connects, the concentrator sends an IKE packet that contains an encrypted message notifying the client about acceptable versions of system software. This message includes a location that contains the new version of software for the client to download. The administrator for that client can retrieve the new software version and update the client software. You configure parameters that specify the acceptable versions of software based on location. Updates are supported per user group.

Exam Tip: If the VPN 3002 client is not running an acceptable version, its software is automatically updated via TFTP.

If you have a remote-client configuration in which you're using two or more VPN concentrators connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Supported clients include: Cisco VPN client, VPN 3002 hardware client, and the Cisco PIX 501/506E acting as an Easy VPN client.

All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster master, directs incoming calls to the other devices, called secondary devices. The master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly. The role of master is not tied to a physical device; it can shift among devices. This is done through a virtual cluster IP address. For example, if the current master fails, one of the secondary devices in the cluster takes over that role and immediately becomes the new master.

Configuring the Cisco VPN Firewall Feature
The Cisco VPN client stateful firewall policy (Always On) is enabled by default. This can only be changed by the VPN client administrator, who can enable this option under the Options menu. When turned on, no inbound tunneled or non-tunneled sessions are allowed whether or not a VPN connection is in effect.

Exam Tip: Stateful Firewall (Always On) is the most basic VPN Client firewall and provides the highest level of security.

The Cisco VPN 3000 Series Concentrator also supports VPN clients with administrator-chosen and administrator-installed third-party firewall software. Some of the most common are BlackICE, Sygate and ZoneAlarm. When the Cisco VPN client stateful firewall is not in use, the VPN software sends a polling message to the locally installed firewall software; this is known as the Are You There feature. Firewall policies at the concentrator can be defined and enforced to require that clients have a firewall installed and running. This is part of what's called the Central Policy Protection feature.

NAT
NAT Traversal lets the VPN concentrator establish IPSec tunnels with a VPN Client when there is a NAT device between them. It does this by encapsulating ESP traffic in UDP datagrams, which provides ESP with the port information that NAT devices require. NAT Traversal can be enabled globally on the concentrator or per user and group.
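As an added example (not from the article or from Cisco), here is what a monitoring tool sees on UDP port 4500 once ESP is wrapped in UDP as described above: a Python classifier that tells UDP-encapsulated ESP, IKE (which carries a four-byte zero "non-ESP marker") and the one-byte NAT-keepalive apart, following RFC 3948. The packet bytes are constructed for the example, not captured from a real concentrator.

```python
"""Classify UDP/4500 payloads carrying NAT-traversed IPSec (RFC 3948).

Added example, not from the original article. Packet bytes below are
constructed for illustration.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE inside UDP/4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # one-byte NAT-keepalive (RFC 3948 section 2.3)
ISAKMP_HDR_LEN = 28                    # 8-byte init SPI, 8-byte resp SPI, 12 more header bytes


def classify_udp4500(payload: bytes) -> dict:
    """Return the kind of NAT-T payload and the header fields it carries."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        # IKE: after the marker comes the ISAKMP header (initiator SPI first).
        ike = payload[4:]
        if len(ike) < ISAKMP_HDR_LEN:
            return {"kind": "malformed-ike", "length": len(ike)}
        init_spi, resp_spi = struct.unpack("!QQ", ike[:16])
        return {"kind": "ike", "initiator_spi": init_spi, "responder_spi": resp_spi}
    if len(payload) >= 8:
        # ESP: non-zero SPI, then sequence number; the rest is ciphertext plus ICV.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}
    return {"kind": "malformed", "length": len(payload)}


def encapsulate_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Build the UDP/4500 payload for one ESP packet (what a client behind NAT sends)."""
    return struct.pack("!II", spi, seq) + ciphertext


def esp_sequence_monotonic(payloads) -> bool:
    """Sanity check on a flow: per SPI, ESP sequence numbers must strictly increase.

    A repeated or decreasing number is what an anti-replay window would reject.
    """
    last = {}
    for p in payloads:
        info = classify_udp4500(p)
        if info["kind"] != "esp":
            continue
        if info["seq"] <= last.get(info["spi"], 0):
            return False
        last[info["spi"]] = info["seq"]
    return True


# Constructed sample flow: one IKE packet, two ESP packets and a keepalive.
SAMPLE = [
    NON_ESP_MARKER + struct.pack("!QQ", 0x1122334455667788, 0) + bytes(12),
    encapsulate_esp(0x0000C0DE, 1, b"\x9a" * 32),
    NAT_KEEPALIVE,
    encapsulate_esp(0x0000C0DE, 2, b"\x3b" * 48),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify_udp4500(p))
    print("sequence numbers monotonic:", esp_sequence_monotonic(SAMPLE))
```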

Certificate Services and Group Authentication
Cisco expects candidates for this exam to understand certificate services and group authentication using a method of pre-shared keys for mutual authentication. In this case, the VPN client and the VPN concentrator use a group name and password to validate the connection. This is a symmetrical form of authentication since both sides use the same authentication method.

Pre-shared authentication occurs in two stages: During the first stage, the two sides exchange security parameters and create a secure channel. During the second stage, user authentication takes place. The VPN concentrator then asks for username and password to verify that the remote user is a legitimate member of a group configured on the VPN concentrator.

Mutual group authentication is asymmetrical in that each side uses a different method to authenticate the other while establishing a secure tunnel to form the basis for authentication. With this method, authentication happens in two stages. During the first stage, the VPN concentrator authenticates itself using a public-key or digital signature, and the two sides negotiate and establish a secure channel for communication. During the second stage, the authentication of the VPN client user by the concentrator VPN device takes place. This method does not use pre-shared keys for peer authentication; it provides greater security than group authentication alone as it is not vulnerable to a man-in-the-middle attack.

To use mutual group authentication, the remote user's VPN client software must have a root certificate installed. It can be installed automatically by placing it on the VPN client.

Exam Tip: The certificate must be in a file named rootcert, with no extension and must be placed in the installation directory for the remote user's VPN Client system.

Groups of configuration parameters define the connection entries that remote users use to connect to the VPN concentrator. Together these parameters form files called profiles. There are two kinds of profiles: global and individual:

  • A global profile sets rules for all remote users; it contains parameters for the VPN client. The name of the global profile file is vpnclient.ini.
  • Individual profiles contain the specific settings for each connection. Individual profiles have a .PCF extension. For Windows platforms, these files are stored by default in the c:\Program Files\Cisco Systems\VPN client directory.
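The profile files just described can be checked for the settings this article treats as security-relevant (a cleartext group password, and pre-shared group versus mutual group authentication). The Python below is an added example, not from the article or from Cisco; the profile contents are constructed, the field names are the ones found in .pcf files, and the meanings assigned to AuthType values are an assumption.

```python
"""Audit Cisco VPN Client connection profiles (.pcf) for the settings the
article discusses. Added example; the profiles are constructed, and the
AuthType value meanings below are an assumption, not taken from Cisco docs.
"""
import configparser
import tempfile
from pathlib import Path

# Assumed meanings of the AuthType field in the [main] section.
AUTH_TYPES = {"1": "pre-shared group", "3": "digital certificate", "5": "mutual group"}


def audit_profile(text: str) -> dict:
    """Parse one .pcf profile and list the findings an administrator would want."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                    # keep key case as written in the file
    cp.read_string(text)
    main = cp["main"]
    auth = AUTH_TYPES.get(main.get("AuthType", ""), "unknown")
    findings = []
    if main.get("GroupPwd"):                # enc_GroupPwd is the obfuscated form
        findings.append("group password stored in cleartext (GroupPwd)")
    if auth == "pre-shared group":
        findings.append("pre-shared group auth; mutual group auth resists man-in-the-middle")
    if not main.get("Host"):
        findings.append("no concentrator Host set")
    return {"description": main.get("Description", ""), "host": main.get("Host", ""),
            "group": main.get("GroupName", ""), "auth": auth, "findings": findings}


def audit_directory(path: Path) -> dict:
    """Audit every .pcf in a profile directory, keyed by file name."""
    return {p.name: audit_profile(p.read_text()) for p in sorted(path.glob("*.pcf"))}


# Constructed sample profiles (hostname and group are placeholders).
SAMPLE_PROFILES = {
    "corp.pcf": "[main]\nDescription=Corporate HQ\nHost=vpn.example.com\n"
                "AuthType=1\nGroupName=employees\nGroupPwd=hunter2\n",
    "corp-cert.pcf": "[main]\nDescription=HQ (mutual group auth)\nHost=vpn.example.com\n"
                     "AuthType=5\nGroupName=employees\nenc_GroupPwd=0123ABCD\n",
}


def demo() -> dict:
    """Write the constructed profiles to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_PROFILES.items():
            (Path(d) / name).write_text(text)
        return audit_directory(Path(d))


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["auth"], result["findings"])
```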

IPSec Overview
The purpose, function and operation of IPSec is something you should be somewhat familiar with when pursuing CCSP certification. You'll find references to it and questions about it many times in the CCSP's five required exams.

IPSec is a bundle of protocols and algorithms and is a flexible framework that allows vendors who build it into their products to select the algorithms, keys and authentication methods. Out of the standard dozen or so protocols that make up the suite, the two protocols worth understanding first are AH and ESP. AH is used to authenticate users, and ESP applies cryptographic protections that provide authentication, integrity and confidentiality of messages.

There are two modes of operation for IPSec: transport mode and tunnel mode. In transport mode only the payload of the message is encrypted. In tunnel mode the payload, the header and the routing information are all encrypted.

IPSec VPNs are network connections that are based on public and private key cryptography. Users of IPSec implementations are issued public keys and private keys that are associated with their identity. When a message is sent from one user to another it is automatically signed with the user's private key. The receiver uses the sender's public key to decrypt the message. VPN endpoints essentially act as databases that manage and distribute keys and security associations in similar ways that a Certificate Authority does. IPSec provides a private channel for sending and exchanging vulnerable data whether the data is e-mail, FTP traffic, partner and supply chain data or any other type of TCP/IP-based data.

To learn more about remote access configuration as it relates to this exam, read the sample chapter from the Cisco Press book "CCSP Cisco Secure VPN Exam Certification Guide (CCSP Self-Study)".

That's a Wrap
That wraps it up for this exam review. Next month I'll review the new CCSP exam 642-532: Implementing Cisco Intrusion Prevention System (IPS). Good luck!


Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+, i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in the IT field. He's the owner of MCT & Associates LLC, a technical training and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom but has also been responsible for many Microsoft Windows 2000, Exchange 2000, and Cisco networking deployments for many clients across Arizona. He's also the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation chats monthly on MCPmag.com, TCPmag.com and CertCities.com. You can reach him at .

There are 18 CertCities.com user Comments for “Securing Virtual Private Networks (642-511)”
The current user rating is: one star - cakewalk
11/1/06: Atira Nitto from India says:
two stars - somewhat challenging
I took the exam on 1st Nov 2006 and got 934. I found the exam quite easy with mostly straightforward questions. Only the simulation required in-depth knowledge.