CCNA Security Study Guide - Exam 210-260

by: Troy McMillan

Sybex, 2018

ISBN: 9781119409915, 384 pages

Format: ePUB

Copy protection: DRM

Mac OS X, Windows PC for all DRM-capable eReaders; Apple iPad, Android tablet PCs; Apple iPod touch, iPhone and Android smartphones

Price: 32,99 EUR


Introduction


The CCNA Security certification program is one of the elective paths you can take when achieving the CCNA. It requires passing the CCENT exam (100-105) and then passing the CCNA Security exam (210-260).

The Cisco Security exam objectives are periodically updated to keep the certification applicable to the most recent hardware and software. This is necessary because a technician must be able to work on the latest equipment. The most recent revisions to the objectives—and to the whole program—were introduced in 2016 and are reflected in this book.

This book and the Sybex CCNA Security+ Complete Study Guide (both the Standard and Deluxe editions) are tools to help you prepare for this certification—and for the new areas of focus of a modern server technician’s job.

What Is the CCNA Security Certification?


Cisco Certified Network Associate Security (CCNA Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies; the installation, troubleshooting, and monitoring of network devices to maintain integrity, confidentiality, and availability of data and devices; and competency in the technologies that Cisco uses in its security structure.

The CCNA Security certification isn’t awarded until you’ve passed the two tests. For the latest pricing on the exams and updates to the registration procedures, call Pearson VUE at (877) 551-7587. You can also go to Pearson VUE’s website at www.vue.com for additional information or to register online. If you have further questions about the scope of the exams, see https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security.html.

What Does This Book Cover?


Here is a glance at what’s in each chapter.

  • Chapter 1: Understanding Security Fundamentals covers common security principles such as the CIA triad; common security terms such as risk, vulnerability, and threat; the proper application of common security zones, such as intranet, DMZ, and extranets; a discussion of network topologies as seen from the perspective of the Cisco Campus Area network; and methods of network segmentation such as VLANs.
  • Chapter 2: Understanding Security Threats covers common network attacks and their motivations; attack vectors such as malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel; various methods used to perform network reconnaissance such as ping scans and port scans; types of malware; and the exfiltration of sensitive data such as IP, PII, and credit card data.
  • Chapter 3: Understanding Cryptography covers symmetric and asymmetric key cryptography, the hashing process, major hashing algorithms, PKI and the components that make it function, and common attacks on cryptography.
  • Chapter 4: Securing the Routing Process covers methods of securing administrative access to the router, IOS privilege levels, IOS role-based CLI access, Cisco IOS resilient configuration, authentication for router updates for both OSPF and EIGRP, and control plane policing.
  • Chapter 5: Understanding Layer 2 Attacks covers STP attacks such as rogue switches, ARP spoofing, MAC spoofing, and CAM overflow. It also discusses both the value and the danger in using CDP and LLDP. Finally, you will learn how VLAN hopping attacks are performed.
  • Chapter 6: Preventing Layer 2 Attacks covers DHCP snooping, DAI and how it can prevent ARP poisoning attacks, preventing MAC overflow attacks and the introduction of unauthorized devices to switch ports by using port security, and the use of BPDU Guard, Root Guard, and Loop Guard, all STP features designed to prevent changes to the STP topology.
  • Chapter 7: VLAN Security covers preventing VLAN hopping attacks that take advantage of the native VLAN; private VLANs; setting ports as promiscuous, community, and isolated; the PVLAN Edge feature; and using ACLs to prevent a PVLAN proxy attack.
  • Chapter 8: Securing Management Traffic covers managing devices in-band and out-of-band; methods of securing management interfaces, including enabling the HTTPS server, securing SNMP v3 with a security policy, applying passwords to all management interfaces, and using SSH for remote management; types of banner messages; and securing the NTP protocol.
  • Chapter 9: Understanding 802.1x and AAA covers AAA service that can be provided by TACACS+ and RADIUS servers, configuring administrative access to a router using TACACS+, how AAA can be integrated with Active Directory, the Cisco implementations of a RADIUS server including the Cisco Secure Access Control Server (ACS) and the Cisco Identity Services Engine (ISE), and the functions of various 802.1X components.
  • Chapter 10: Securing a BYOD Initiative covers challenges involved in supporting a BYOD initiative, components provided by Cisco for this including the Cisco Integrated Services Engine (ISE), and the Cisco TrustSec provisioning and management platform. It also covers advanced features of Cisco ISE, including downloadable ACLs (dACLs), automatic VLAN assignment, security group access (SGAs), change of authorization (COA), and posture assessment. Further, we discuss the authentication mechanisms ISE can accept, including 802.1x, MAC authentication bypass (MAB), and web authentication (WebAuth). Finally, we end the chapter by covering the three main functions of TrustSec.
  • Chapter 11: Understanding VPNs covers IPsec and the security services it provides; the components of IPsec such as ISAKMP, IKE, AH, and ESP; how to use hairpinning to allow traffic between two hosts to connect to the same VPN interface; and split tunneling and its benefits.
  • Chapter 12: Configuring VPNs covers the value of the Cisco clientless SSL VPN and the steps required to configure it, the Cisco AnyConnect SSL VPN, modules in the Cisco AnyConnect client that can provide endpoint posture assessment, and how to implement an IPsec site-to-site VPN with preshared key authentication.
  • Chapter 13: Understanding Firewalls covers various firewall technologies such as proxy, application, personal, and stateful firewalls, with stateful firewalls covered in greater detail and described in relation to the operation of these firewalls and the TCP three-way handshake. Finally, you learn what is contained in the state table of a stateful firewall.
  • Chapter 14: Configuring NAT and Zone-Based Firewalls covers three forms of NAT: static NAT, dynamic NAT, and PAT; the NAT options available in the ASA; the benefits of NAT; and how to configure it and verify its operation. You will learn about class maps, policy maps, and service policies and their respective functions in a zone-based firewall. Finally, the steps to configure and verify a zone-based firewall end the chapter.
  • Chapter 15: Configuring the Firewall on an ASA covers how to set up the ASA so you can remotely administer it using the ASDM; the default security policies that are in place; how the default global policy interacts with configured policies; how interface security levels affect traffic flows; how the Cisco Modular Policy framework is used to create policies; the difference between a transparent and routed firewall; and high availability solutions including active-active, active-passive, and clustering approaches.
  • Chapter 16: Intrusion Prevention covers general IPS concepts such as network-based and host-based deployments; modes of deployment such as inline, SPAN, and tap; the positioning options available; false positives and false negatives; how rules and signatures are used in the process of identifying potential attacks; and trigger actions of which an IPS might be capable, such as dropping, resetting, and alerting.
  • Chapter 17: Content and Endpoint Security covers mitigation techniques available when using the Cisco Email Security Appliance, including reputation and context-based filtering, and the Cisco Web Security Appliance, which uses blacklisting, URL filtering, and malware scanning to secure web traffic and web applications. Finally, the chapter discusses endpoint protection provided by the Cisco Identity Services Engine and Cisco TrustSec technology.

Interactive Online Learning Environment and Test Bank


We’ve put together some really great online tools to help you pass the CCNA Security exam. The interactive online learning environment that accompanies the CCNA Security exam certification guide provides a test bank and study tools to help you prepare for the exam. By using these tools you can dramatically increase your chances of passing the exam on your first try.

The online test bank includes the following:

Sample Tests: Many sample tests are provided throughout this book and online, including the Assessment Test, which you’ll find at the end of this introduction, and the Chapter Tests that include the review questions at the end of each chapter. In addition, there are two bonus practice exams. Use these questions to test your knowledge of the study guide material. The online test bank...