Cisco - CCNA Security

Curriculum

The following are the topics covered on the CCNA Security course:

1.0 Security Concepts

1.1 Common security principles

• Describe confidentiality, integrity, availability (CIA)
• Describe SIEM technology
• Identify common security terms
• Identify common network security zones

1.2 Common security threats

• Identify common network attacks
• Describe social engineering
• Identify malware
• Classify the vectors of data loss/exfiltration

1.3 Cryptography concepts

• Describe key exchange
• Describe hash algorithm
• Compare and contrast symmetric and asymmetric encryption
• Describe digital signatures, certificates, and PKI

1.4 Describe network topologies

• Campus area network (CAN)
• Cloud, wide area network (WAN)
• Data center
• Small office/home office (SOHO)
• Network security for a virtual environment

2.0 Secure Access

2.1 Secure management

• Compare in-band and out-of band
• Configure secure network management
• Configure and verify secure access through SNMP v3 using an ACL
• Configure and verify security for NTP
• Use SCP for file transfer

2.2 AAA concepts

• Describe RADIUS and TACACS+ technologies
• Configure administrative access on a Cisco router using TACACS+
• Verify connectivity on a Cisco router to a TACACS+ server
• Explain the integration of Active Directory with AAA
• Describe authentication and authorisation using ACS and ISE

2.3 802.1X authentication

• Identify the functions 802.1X components

2.4 BYOD

• Describe the BYOD architecture framework
• Describe the function of mobile device management (MDM)

3.0 VPN

3.1 VPN concepts

• Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
• Describe hairpinning, split tunneling, always-on, NAT traversal

3.2 Remote access VPN

• Implement basic clientless SSL VPN using ASDM
• Verify clientless connection
• Implement basic AnyConnect SSL VPN using ASDM
• Verify AnyConnect connection
• Identify endpoint posture assessment

3.3 Site-to-site VPN

• Implement an IPsec site-to-site VPN with pre-shared key authentication on Cisco routers and ASA firewalls
• Verify an IPsec site-to-site VPN

4.0 Secure Routing and Switching

4.1 Security on Cisco routers

• Configure multiple privilege levels
• Configure Cisco IOS role-based CLI access
• Implement Cisco IOS resilient configuration

4.2 Securing routing protocols

• Implement routing update authentication on OSPF

4.3 Securing the control plane

• Explain the function of control plane policing

4.4 Common Layer 2 attacks

• Describe STP attacks
• Describe ARP spoofing
• Describe MAC spoofing
• Describe CAM table (MAC address table) overflows
• Describe CDP/LLDP reconnaissance
• Describe VLAN hopping
• Describe DHCP spoofing

4.5 Mitigation procedures

• Implement DHCP snooping
• Implement Dynamic ARP Inspection
• Implement port security
• Describe BPDU guard, root guard, loop guard
• Verify mitigation procedures

4.6 VLAN security

• Describe the security implications of a PVLAN
• Describe the security implications of a native VLAN

5.0 Cisco Firewall Technologies

5.1 Describe operational strengths and weaknesses of the different firewall technologies

• Proxy firewalls
• Application firewall
• Personal firewall

5.2 Compare stateful vs. stateless firewalls

• Operations
• Function of the state table

5.3 Implement NAT on Cisco ASA 9.x

• Static
• Dynamic
• PAT
• Policy NAT
• Verify NAT operations

5.4 Implement zone-based firewall

• Zone to zone
• Self zone

5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x

• Configure ASA access management
• Configure security access policies
• Configure Cisco ASA interface security levels
• Configure default Cisco Modular Policy Framework (MPF)
• Describe modes of deployment (routed firewall, transparent firewall)
• Describe methods of implementing high availability
• Describe security contexts
• Describe firewall services

6.0 IPS

6.1 Describe IPS deployment considerations

• Network-based IPS vs. host-based IPS
• Modes of deployment (inline, promiscuous - SPAN, tap)
• Placement (positioning of the IPS within the network)
• False positives, false negatives, true positives, true negatives

6.2 Describe IPS technologies

• Rules/signatures
• Detection/signature engines
• Trigger actions/responses (drop, reset, block, alert, monitor/log, shun)
• Blacklist (static and dynamic)

7.0 Content and Endpoint Security

7.1 Describe mitigation technology for email-based threats

• SPAM filtering, anti-malware filtering, DLP, blacklisting, email encryption

7.2 Describe mitigation technology for web-based threats

• Local and cloud-based web proxies
• Blacklisting, URL filtering, malware scanning, URL categorisation, web application filtering, TLS/SSL decryption

7.3 Describe mitigation technology for endpoint threats

• Anti-virus/anti-malware
• Personal firewall/HIPS
• Hardware/software encryption of local data