Cisco has announced big changes to its certification program.
As of February 24, 2020, all current certifications will be retired, and Cisco will begin offering new certification programs.
The good news is if you’re working toward any current CCNA certification, keep going. You have until February 24, 2020 to complete your current CCNA. If you already have CCENT/ICND1 certification and would like to earn CCNA, you have until February 23, 2020 to complete your CCNA certification in the current program. Likewise, if you’re thinking of completing the current CCENT/ICND1, ICND2, or CCNA Routing and Switching certification, you can still complete them between now and February 23, 2020.
Lay the foundation for a successful career in network security
CCNA Security Study Guide offers comprehensive review for Exam 210-260. Packed with concise explanations of core security concepts, this book is designed to help you successfully prepare for the exam. Expert instruction guides you through critical concepts relating to secure network infrastructure, access management, VPN encryption, Firewalls, intrusion prevention and more, with complete coverage of the CCNA exam objectives. Practical examples allow you to apply your skills in real-world scenarios, helping you transition effectively from "learning" to "doing". You also get access to the Sybex online learning environment, featuring the tools you need to maximize your study time: key terminology and flash cards allow you to study anytime, anywhere, while chapter tests and practice exams help you track your progress and gauge your readiness along the way.
The CCNA Security certification tests your knowledge of secure network installation, monitoring, and troubleshooting using Cisco security hardware and software solutions. When you're ready to get serious about preparing for the exam, this book gives you the advantage of complete coverage, real-world application, and extensive learning aids to help you pass with confidence.
- Master Cisco security essentials, standards, and core technologies
- Work through practical examples drawn from real-world examples
- Track your progress with online study aids and self-tests
- Develop critical competencies in maintaining data integrity, confidentiality, and availability
Earning your CCNA Security certification validates your abilities in areas that define careers including network security, administrator, and network security support engineer. With data threats continuing to mount, the demand for this skill set will only continue to grow—and in an employer's eyes, a CCNA certification makes you a true professional. CCNA Security Study Guide is the ideal preparation resource for candidates looking to not only pass the exam, but also succeed in the field.
Table of Contents:
Introduction xxi
Assessment Test xxxi
Chapter 1 Understanding Security Fundamentals 1
Goals of Security 2
Confidentiality 2
Integrity 3
Availability 3
Guiding Principles 3
Common Security Terms 6
Risk Management Process 7
Network Topologies 15
CAN 15
WAN 16
Data Center 16
SOHO 17
Virtual 17
Common Network Security Zones 17
DMZ 17
Intranet and Extranet 18
Public and Private 18
VLAN 18
Summary 19
Exam Essentials 19
Review Questions 20
Chapter 2 Understanding Security Threats 25
Common Network Attacks 26
Motivations 26
Classifying Attack Vectors 27
Spoofing 28
Password Attacks 29
Reconnaissance Attacks 30
Buffer Overflow 34
DoS 34
DDoS 36
Man-in-the-Middle Attack 37
ARP Poisoning 37
Social Engineering 38
Phishing/Pharming 38
Prevention 38
Malware 39
Data Loss and Exfiltration 39
Summary 40
Exam Essentials 40
Review Questions 42
Chapter 3 Understanding Cryptography 45
Symmetric and Asymmetric Encryption 46
Ciphers 46
Algorithms 48
Hashing Algorithms 53
MD5 54
SHA-1 54
SHA-2 54
HMAC 55
Digital Signatures 55
Key Exchange 57
Application: SSH 57
Public Key Infrastructure 57
Public and Private Keys 58
Certificates 60
Certificate Authorities 61
PKI Standards 63
PKI Topologies 64
Certificates in the ASA 65
Cryptanalysis 67
Summary 68
Exam Essentials 68
Review Questions 69
Chapter 4 Securing the Routing Process 73
Securing Router Access 74
Configuring SSH Access 74
Configuring Privilege Levels in IOS 76
Configuring IOS Role-Based CLI 77
Implementing Cisco IOS Resilient Configuration 79
Implementing OSPF Routing Update Authentication 80
Implementing OSPF Routing Update Authentication 80
Implementing EIGRP Routing Update Authentication 82
Securing the Control Plane 82
Control Plane Policing 83
Summary 84
Exam Essentials 85
Review Questions 86
Chapter 5 Understanding Layer 2 Attacks 91
Understanding STP Attacks 92
Understanding ARP Attacks 93
Understanding MAC Attacks 95
Understanding CAM Overflows 96
Understanding CDP/LLDP Reconnaissance 97
Understanding VLAN Hopping 98
Switch Spoofing 98
Double Tagging 99
Understanding DHCP Spoofing 99
Summary 101
Exam Essentials 101
Review Questions 102
Chapter 6 Preventing Layer 2 Attacks 107
Configuring DHCP Snooping 108
Configuring Dynamic ARP Inspection 110
Configuring Port Security 112
Configuring STP Security Features 114
BPDU Guard 114
Root Guard 115
Loop Guard 115
Disabling DTP 116
Verifying Mitigations 116
DHCP Snooping 116
DAI 117
Port Security 118
STP Features 118
DTP 120
Summary 120
Exam Essentials 121
Review Questions 122
Chapter 7 VLAN Security 127
Native VLANs 128
Mitigation 128
PVLANs 128
PVLAN Edge 131
PVLAN Proxy Attack 132
ACLs on Switches 133
Port ACLs 133
VLAN ACLs 133
Summary 134
Exam Essentials 134
Review Questions 136
Chapter 8 Securing Management Traffic 141
In-Band and Out-of-Band Management 142
AUX Port 142
VTY Ports 143
HTTPS Connection 144
SNMP 144
Console Port 145
Securing Network Management 146
SSH 146
HTTPS 146
ACLs 146
Banner Messages 147
Securing Access through SNMP v3 149
Securing NTP 150
Using SCP for File Transfer 151
Summary 151
Exam Essentials 152
Review Questions 153
Chapter 9 Understanding 802.1x and AAA 157
802.1x Components 158
RADIUS and TACACS+ Technologies 159
Configuring Administrative Access with TACACS+ 160
Local AAA Authentication and Accounting 160
SSH Using AAA 161
Understanding Authentication and Authorization Using ACS and ISE 161
Understanding the Integration of Active Directory with AAA 162
TACACS+ on IOS 162
Verify Router Connectivity to TACACS+ 164
Summary 164
Exam Essentials 165
Review Questions 166
Chapter 10 Securing a BYOD Initiative 171
The BYOD Architecture Framework 172
Cisco ISE 172
Cisco TrustSec 174
The Function of Mobile Device Management 177
Integration with ISE Authorization Policies 177
Summary 178
Exam Essentials 179
Review Questions 180
Chapter 11 Understanding VPNs 185
Understanding IPsec 186
Security Services 186
Protocols 189
Delivery Modes 192
IPsec with IPV6 194
Understanding Advanced VPN Concepts 195
Hairpinning 195
Split Tunneling 196
Always-on VPN 197
NAT Traversal 198
Summary 199
Exam Essentials 199
Review Questions 200
Chapter 12 Configuring VPNs 203
Configuring Remote Access VPNs 204
Basic Clientless SSL VPN Using ASDM 204
Verify a Clientless Connection 207
Basic AnyConnect SSL VPN Using ASDM 207
Verify an AnyConnect Connection 209
Endpoint Posture Assessment 209
Configuring Site-to-Site VPNs 209
Implement an IPsec Site-to-Site VPN with Preshared Key Authentication 209
Verify an IPsec Site-to-Site VPN 212
Summary 212
Exam Essentials 213
Review Questions 214
Chapter 13 Understanding Firewalls 219
Understanding Firewall Technologies 220
Packet Filtering 220
Proxy Firewalls 220
Application Firewall 221
Personal Firewall 221
Stateful vs. Stateless Firewalls 222
Operations 222
State Table 223
Summary 224
Exam Essentials 224
Review Questions 225
Chapter 14 Configuring NAT and Zone-Based Firewalls 229
Implementing NAT on ASA 9.x 230
Static 231
Dynamic 232
PAT 233
Policy NAT 233
Verifying NAT Operations 235
Configuring Zone-Based Firewalls 236
Class Maps 237
Default Policies 237
Configuring Zone-to-Zone Access 239
Summary 240
Exam Essentials 240
Review Questions 241
Chapter 15 Configuring the Firewall on an ASA 245
Understanding Firewall Services 246
Understanding Modes of Deployment 247
Routed Firewall 247
Transparent Firewall 247
Understanding Methods of Implementing High Availability 247
Active/Standby Failover 248
Active/Active Failover 248
Clustering 249
Understanding Security Contexts 249
Configuring ASA Management Access 250
Initial Configuration 250
Configuring Cisco ASA Interface Security Levels 251
Security Levels 251
Configuring Security Access Policies 253
Interface Access Rules 253
Object Groups 254
Configuring Default Cisco Modular Policy Framework (MPF) 256
Summary 257
Exam Essentials 257
Review Questions 259
Chapter 16 Intrusion Prevention 263
IPS Terminology 264
Threat 264
Risk 264
Vulnerability 265
Exploit 265
Zero-Day Threat 265
Actions 265
Network-Based IPS vs. Host-Based IPS 266
Host-Based IPS 266
Network-Based IPS 266
Promiscuous Mode 266
Detection Methods 267
Evasion Techniques 267
Packet Fragmentation 267
Injection Attacks 270
Alternate String Expressions 271
Introducing Cisco FireSIGHT 271
Capabilities 271
Protections 272
Understanding Modes of Deployment 273
Inline 275
Positioning of the IPS within the Network 275
Outside 275
DMZ 276
Inside 277
Understanding False Positives, False Negatives, True Positives, and True Negatives 277
Summary 278
Exam Essentials 278
Review Questions 280
Chapter 17 Content and Endpoint Security 285
Mitigating Email Threats 286
Spam Filtering 286
Context-Based Filtering 287
Anti-malware Filtering 287
DLP 287
Blacklisting 288
Email Encryption 288
Cisco Email Security Appliance 288
Putting the Pieces Together 290
Mitigating Web-Based Threats 292
Understanding Web Proxies 292
Cisco Web Security Appliance 293
Mitigating Endpoint Threats 294
Cisco Identity Services Engine (ISE) 294
Antivirus/Anti-malware 294
Personal Firewall 294
Hardware/Software Encryption of Local Data 294
HIPS 295
Summary 295
Exam Essentials 295
Review Questions 296
Appendix Answers to Review Questions 301
Chapter 1: Understanding Security Fundamentals 302
Chapter 2: Understanding Security Threats 304
Chapter 3: Understanding Cryptography 305
Chapter 4: Securing the Routing Process 307
Chapter 5: Understanding Layer 2 Attacks 309
Chapter 6: Preventing Layer 2 Attacks 311
Chapter 7: VLAN Security 312
Chapter 8: Securing Management Traffic 314
Chapter 9: Understanding 802.1x and AAA 316
Chapter 10: Securing a BYOD Initiative 317
Chapter 11: Understanding VPNs 319
Chapter 12: Configuring VPNs 321
Chapter 13: Understanding Firewalls 322
Chapter 14: Configuring NAT and Zone-Based Firewalls 324
Chapter 15: Configuring the Firewall on an ASA 325
Chapter 16: Intrusion Prevention 327
Chapter 17: Content and Endpoint Security 328
Index 331
