In this article, we will be talking about the CCNA Security exam. Just a few years back, things were relatively more straightforward: There was just one major Cisco Associate exam, the CCNA, even though you could actually split it into two exams. There was also the less famous CCDA, and the Professional level exams, such as the CCNP, CCSP, CCDP, etc., and the Expert level exams (CCIE variants). Cisco saw the need to improve on the associate level exams and created variants of the CCNA, which is how we have the CCNA Security today.
GENERAL INFORMATION ABOUT THE CCNA SECURITY EXAM
So what is this exam about? According to Cisco, with the CCNA Security certification, “a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.” The current exam version is 650-554 Implementing Cisco IOS Network Security (IINSv2).
The exam verifies the candidate’s knowledge on five major areas: General security technologies and attacks, Security on routers and switches, Firewall technologies, Intrusion Prevention Systems (IPS) and Virtual Private Network (VPN) technologies.
A prerequisite for taking the exam is any valid Cisco CCENT, CCNA Routing and Switching, or any CCIE certification. Once you pass the exam, the certification is valid for three years and there are various recertification methods.
BREAKING DOWN THE SYLLABUS
Before we continue, I’d like to clarify this: Certification exams are not to be seen as end goals but as a means to an end. There’s hardly any point holding a certificate if you can’t do anything with it when called upon. In other words, read to understand and to know. If you know, your exam will be a walkover.
We will look at the syllabus of this exam, delve into the knowledge required for passing the examination and then discuss what it gives you in the real world where you will be working on real networks. Now let’s begin.
Exam Topic 1: Common Security Threats
This exam topic tests the candidate’s understanding of common security threats to an organisation’s network. As a security administrator, you have to understand the core concepts of security and its building blocks of Confidentiality, Integrity and Availability. You also have to understand the difference between Risk, Threat and Vulnerability, because even though these terminologies are sometimes used interchangeably, they are indeed different.
Coming to the real world, you need to understand that security is not a product. So, it is not about installing firewalls and creating access control lists without proper understanding. Security is more of a process, and to properly implement security, other parts of the network must be understood. Security policies need to be drafted, the legal consequences of security breaches have to be considered, and purchasing the right kind of security device must be well thought out.
As a network security administrator, one may be tempted to focus only on securing the network, but what happens when someone walks into the datacentre and switches off the firewall? This is the reason security controls should be considered from three perspectives: Administrative controls (security policies, etc.), Physical controls (access doors, fences, etc.), and Logical controls (access control lists, intrusion prevention systems, etc.).
You also need to be aware of the security threats that are particular to your organization’s environment. For example, a security administrator for an Intelligence Agency’s network should be concerned with security against terrorists and possible man-in-the-middle attacks while an administrator for a financial institution needs to ensure the security of the financial databases and so on.
Exam Topic 2: Security and Cisco Routers
The subtopics under this include: Implement security on Cisco routers, Describe securing the control, data, and management plane, Describe Cisco Security Manager, and Describe IPv4 to IPv6 transition.
The Cisco IOS routers and switches are made up of three major planes: Management Plane, Control Plane and Data Plane. There are different security features that can be applied to these planes and the candidate of the CCNA Security must understand these planes, the attacks that can occur at each plane, and how to mitigate these attacks. Some of these topics have been dealt with on this site (please refer to the further reading section at the end of this article).
As you may be aware, IPv6 has been gaining momentum in recent times. But what is IPv6 and why do we need it? IPv4 addresses are made up of 32 bits, meaning we can only have 2^32 addresses. Now that even refrigerators can have IP addresses, this address range was officially exhausted in February 2011. This is one of the reasons for IPv6, which is made up of 128 bits, meaning more addresses. Also, as a security administrator, you need to understand that IPv6 was built with security in mind, unlike v4. Although IPv6 is becoming more widespread, features like Network Address Translation (NAT) have slowed down its adoption. Many organizations today still use IPv4, but to keep ahead of your game (and pass your exam of course), understand IPv6.
Exam Topic 3: AAA on Cisco Devices
AAA (sometimes called ‘Triple A’) stands for Authentication, Authorization and Accounting. Authentication refers to verifying that someone is who they say they are; Authorization deals with what the person can do once authenticated; Accounting is recording what they did while on the network (logging).
AAA can be as simple as enabling AAA on a device and using its local database for username/password authentication or as complex as using external servers and authorizing commands performed by different users. You need to be able to implement AAA on Cisco devices, describe the two main protocols – RADIUS (open standard, uses UDP) and TACACS+ (Cisco-proprietary, uses TCP), and also verify AAA configuration.
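As an added example (not from the original article), here is the external-server form of AAA described above: TACACS+ for login, EXEC and command authorization and accounting, falling back to the local database when the server group is unreachable, followed by the commands used to verify it. The server name ISE1, its address 192.0.2.10, the group name TAC-GROUP and the method-list name VTY-AUTH are assumed values; the secrets are placeholders.

```cisco
! Added example: TACACS+ on the management plane with local fallback.
aaa new-model
! Local fallback account, only consulted if no TACACS+ server answers
username admin privilege 15 secret <LOCAL-SECRET>
!
! TACACS+ server definition (address and key are assumed/placeholder)
tacacs server ISE1
 address ipv4 192.0.2.10
 key <SHARED-KEY>
aaa group server tacacs+ TAC-GROUP
 server name ISE1
!
! Named method lists: methods are tried left to right, so the server
! group is consulted first and the local database only on no response
aaa authentication login VTY-AUTH group TAC-GROUP local
aaa authorization exec VTY-AUTH group TAC-GROUP local
aaa authorization commands 15 VTY-AUTH group TAC-GROUP local
aaa accounting exec VTY-AUTH start-stop group TAC-GROUP
aaa accounting commands 15 VTY-AUTH stop-only group TAC-GROUP
!
! Apply the lists to the VTY lines; lines without a named list would
! silently use the "default" list, so bind them explicitly
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 authorization commands 15 VTY-AUTH
 accounting exec VTY-AUTH
 accounting commands 15 VTY-AUTH
 transport input ssh
!
! Verification (privileged EXEC mode)
! show aaa servers               - per-server state and request counters
! show tacacs                    - socket state and packets sent/received
! test aaa group TAC-GROUP admin <PASSWORD> legacy
!                                - sends a test authentication to the group
! debug aaa authentication       - watch the method list being walked
```

Keep a console session open while testing: if the group is unreachable and the local account is wrong, the VTY lines lock you out until the fallback works.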
Exam Topic 4: IOS ACLs
In the simplest form, Access Control Lists are logical controls for packet filtering. But these lists can be used for much more, like matching the traffic to be used for VPN tunnels, policy-based routing, Quality of Service (QoS) and so on. However, for the CCNA Security exam, you are to be familiar only with its packet filtering capabilities and how this can be used to mitigate attacks.
Understanding ACLs is a skill that will be required throughout your network and security study. While you may not have to remember the number range of standard (1–99, 1300–1999) versus extended (100–199, 2000–2699) ACLs in the real world, you would need to do so for the exam. On a real network, you will probably use named access lists more often.
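An added example (not from the article) of the packet-filtering use of ACLs discussed above: a numbered standard ACL (source-only match) restricting management access to the VTY lines, and a named extended ACL applied inbound on the Internet-facing interface that drops obviously spoofed sources. The addressing is assumed: inside LAN 203.0.113.0/24 on Gi0/1, outside link 198.51.100.0/30 on Gi0/0, no NAT.

```cisco
! Added example. Assumed: inside LAN 203.0.113.0/24 (Gi0/1),
! Internet-facing Gi0/0 in 198.51.100.0/30, no NAT in the path.
!
! Standard ACL (1-99): matches source address only. Applied with
! access-class, it restricts which stations may open a VTY session.
access-list 10 remark Management stations allowed to reach the VTY lines
access-list 10 permit 203.0.113.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
!
! Named extended ACL: matches protocol, source, destination and ports.
! Inbound on the outside interface, a packet claiming our own inside
! prefix, a private range or loopback as its source cannot be genuine.
ip access-list extended OUTSIDE-IN
 remark --- anti-spoofing: our inside prefix arriving from the Internet
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- anti-spoofing: RFC 1918, loopback and unspecified sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip host 0.0.0.0 any log
 remark --- stateless approximation of "return traffic only"; a ZBF
 remark --- (Exam Topic 7) does this properly with stateful inspection
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 remark --- everything else falls to the implicit deny at the end
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! Verification: per-entry hit counters show which lines are matching,
! and the logged denies appear in syslog (see Exam Topic 5)
! show ip access-lists OUTSIDE-IN
! show ip interface GigabitEthernet0/0 | include access list
```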
Exam Topic 5: Secure Network Management and Reporting
This topic deals with two protocols: SSH and Syslog. SSH (Secure Shell) is the secure way for network management. There are two versions: 1 and 2. Of course, version 2 is more secure than version 1 and should be used whenever possible. The CCNA Exam: Security Topics Hands-on (Part 2) article in the Further reading section describes SSH in detail.
Syslog is quite a simple protocol that can be used for reporting (logging) and is very useful for troubleshooting purposes. There are various message severity levels (0-7) and it is quite useful to be familiar with these levels even in the real world.
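The two protocols of this topic in one configuration, added here as an example that is not part of the original article: SSH restricted to version 2 with a 2048-bit key, and syslog shipped at severity 6 (informational) to a collector with a local buffer kept for troubleshooting. The hostname R1, the domain example.com, the key label SSH-KEY and the collector 203.0.113.50 reached via Loopback0 are assumed values.

```cisco
! Added example. Assumed: hostname R1, domain example.com,
! syslog collector 203.0.113.50 reached via Loopback0.
hostname R1
ip domain-name example.com
! The RSA key pair is required before SSH starts; the key-pair name
! pins SSH to this key so a later key generation does not replace it
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
! Syslog severity levels run 0 (emergencies) to 7 (debugging).
! "logging trap informational" sends levels 0-6 to the collector;
! debugging output (7) stays off the wire unless explicitly raised.
service timestamps log datetime msec show-timezone
logging buffered 64000 informational
logging trap informational
logging source-interface Loopback0
logging host 203.0.113.50
! Keep the console usable: only critical (2) and above, and rate-limit
! everything except warnings so a message flood cannot starve it
logging console critical
logging rate-limit 100 except warnings
!
! Verification
! show ip ssh       - confirms "SSH Enabled - version 2.0", timeout, retries
! show ssh          - lists active SSH sessions and their users
! show logging      - trap level, collector address and the buffered log
```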
Exam Topic 6: Common Layer 2 Attacks
Virtual LANs (VLANs) allow switch ports to be grouped logically even when these ports are in different locations. VLANs in themselves can be security features because traffic in different VLANs is separate. However, attacks still occur in VLANs and at layer 2 in general. These attacks can be more dangerous and even easier to perform. For example, why would an attacker go through the stress of fighting to get through your firewall when he can just come into the building and connect his laptop to a free LAN port?
Layer 2 attacks that you should be aware of include CAM Table overflow, VLAN Hopping, and ARP Spoofing. Mitigation techniques against these attacks include Port Security, BPDU Guard and so on. Port security is discussed at length in one of the further reading materials.
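As an added example (not from the article), the switch-side mitigations for the three attacks named above: port security against CAM table overflow, DTP disabled and an unused native VLAN against VLAN hopping, and DHCP snooping with Dynamic ARP Inspection against ARP spoofing, plus BPDU Guard on access ports. Port numbers, VLAN 10 as the user VLAN and VLAN 999 as the unused parking VLAN are assumed.

```cisco
! Added example. Assumed: access ports Gi1/0/1-24 in VLAN 10, uplink
! trunk Gi1/0/48, VLAN 999 otherwise unused.
!
! DHCP snooping builds the IP-to-MAC binding table that Dynamic ARP
! Inspection (DAI) checks ARP replies against (ARP spoofing mitigation)
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! no DTP: the port cannot be negotiated into a trunk by a connected host
 switchport nonegotiate
 spanning-tree portfast
 ! a BPDU arriving on an access port means a switch was plugged in;
 ! the port is err-disabled instead of joining the topology
 spanning-tree bpduguard enable
 ! port security: at most two MAC addresses learned and kept ("sticky");
 ! "restrict" drops frames from further addresses and logs a violation
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 15
!
! Uplink: some platforms require "switchport trunk encapsulation dot1q"
! before "switchport mode trunk". Double-tagging only works when the
! attacker's access VLAN is the trunk's native VLAN, so the native VLAN
! is moved to one no access port uses.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! Unused ports: parked in the unused VLAN and shut down
interface range GigabitEthernet1/0/25 - 47
 switchport access vlan 999
 shutdown
!
! Verification
! show port-security interface GigabitEthernet1/0/1
! show spanning-tree summary | include BPDU Guard
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 10
```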
Exam Topic 7: Cisco Firewall Technologies
If there’s one area of security where you will need to be well-versed, this topic will definitely make the list. Here, Cisco expects the candidate to be familiar with the types of firewalls (packet filtering, proxy, stateful, etc.), Network Address Translation (NAT), Zone-based policy firewall (ZBF) and the ‘mighty’ Adaptive Security Appliance (ASA).
In all honesty, I have not seen many organizations that use the Cisco IOS ZBF; instead, many deploy standalone firewall devices like the Cisco ASA. The ZBF will be useful for smaller organizations that do not really need a full-blown firewall device though it has a lot of cool features.
NAT can be another interesting topic. Apart from public IP addresses being expensive, many organizations do not need every device on their network to have a public presence. This is where NAT comes in. The security administrator needs to be familiar with when to use NAT versus PAT, and also which one to use to allow bidirectional communication, and so on.
The Cisco ASA can be a standalone device or a module that is placed into devices like the Cisco 6500 switch chassis. This is Cisco’s main network security device and it is quite different from the familiar Cisco IOS devices. The basic knowledge about the ASA is that it operates using “zones” and security levels and by default, traffic can only flow from a higher security interface to a lower security interface and not vice versa.
Exam Topic 8: Cisco IPS
Many Cisco IOS devices are restricted to layers 2-4 of the OSI model (although deep packet inspection is available in some devices) but many attacks occur at the higher levels. This is where Intrusion Prevention Systems (IPS) are useful. There are various methods employed in IPS for identifying malicious packets including Signature-based, Anomaly-based, Policy-based and Reputation-based.
When a malicious packet is encountered on a network, what should be done? This is the basic difference between an Intrusion Detection System (IDS) and an IPS. An IDS only tells you that something has been detected but does not do anything about it. An IPS on the other hand can take action automatically.
There are also certain terms to be understood when dealing with IPS: True positive, True Negative, False Positive and False Negative. The best way to remember these terms is this: True means the IPS did the right thing (passed). False means it did the wrong thing (failed). Positive means it generated an alert. Negative means it didn’t.
While you should be familiar with configuring the Cisco IOS IPS for the exam, it is similar to the Cisco IOS ZBF with respect to its real world deployment: not many organizations deploy it as the main intrusion prevention system. The Cisco IPS appliances and modules for ASA or 6500 switch are more common.
Exam Topic 9: VPN Technologies
Virtual Private Networks (VPNs) are a means of creating a secure channel over an insecure medium such as the Internet, so that resources can be accessed. There are two main types of VPN: Site-to-Site VPN and Remote-access VPN. Remote-access VPNs are becoming increasingly popular with more people working from outside the four walls of the organization.
A network security administrator has to understand the basics of cryptography including Symmetric and Asymmetric algorithms, hashing and Ciphers. The protocols involved in VPNs like IPsec, ESP, and AH, should also be thoroughly understood, not only for the exam but also for the real world environment.
PREPARING FOR THE EXAM
Depending on the path you want to take – self-study or taking a certification course – the information in this section will vary in usefulness to you. The first port of call is of course to visit the Cisco site and familiarise yourself with the study materials and possibly join a group discussion.
For practice, my recommendation is to use GNS3 if you can’t get access to real gear. GNS3 gets you as close to the real thing as possible. It may be argued that GNS3 is too complex for the CCNA, but remember again that you should be reading to learn and amass knowledge rather than just passing the exam. 95% of what you need to prepare for this exam can be done using GNS3, the remaining 5% being switch features. GNS3 does not currently have a Cisco IOS switch simulator, although there’s a workaround which then increases GNS3 usage to about 97%.
FURTHER READING AND RESOURCES
Cisco Pages for CCNA Security Certification: http://www.cisco.com/web/learning/certifications/associate/ccna_security/index.html, https://learningnetwork.cisco.com/community/certifications/security_ccna/iins?tab=overview
The Cisco Learning Network CCNA Security Study Group: https://learningnetwork.cisco.com/groups/ccna-security-study-group?view=discussions