CCNA Security

• Describe confidentiality, integrity, availability (CIA)
• Describe SIEM technology
• Identify common security terms
• Identify common network security zones

• Identify common network attacks
• Describe social engineering
• Identify malware
• Classify the vectors of data loss/exfiltration

• Describe key exchange
• Describe hash algorithm
• Compare and contrast symmetric and asymmetric encryption
• Describe digital signatures, certificates, and PKI

• Campus area network (CAN)
• Cloud, wide area network (WAN)
• Data center
• Small office/home office (SOHO)
• Network security for a virtual environment

• Compare in-band and out-of band
• Configure secure network management
• Configure and verify secure access through SNMP v3 using an ACL
• Configure and verify security for NTP
• Use SCP for file transfer

• Describe RADIUS and TACACS+ technologies
• Configure administrative access on a Cisco router using TACACS+
• Verify connectivity on a Cisco router to a TACACS+ server
• Explain the integration of Active Directory with AAA
• Describe authentication and authorization using ACS and ISE

• Identify the functions 802.1X components

• Describe the BYOD architecture framework
• Describe the function of mobile device management (MDM)
• VPN concepts
• Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
• Describe hairpinning, split tunneling, always-on, NAT traversal

• Implement basic clientless SSL VPN using ASDM
• Verify clientless connection
• Implement basic AnyConnect SSL VPN using ASDM
• Verify AnyConnect connection
• Identify endpoint posture assessment

• Implement an IPsec site-to-site VPN with pre-shared key authentication on Cisco routers and ASA firewalls
• Verify an IPsec site-to-site VPN
• Security on Cisco routers
• Configure multiple privilege levels
• Configure Cisco IOS role-based CLI access
• Implement Cisco IOS resilient configuration

• Implement routing update authentication on OSPF

• Explain the function of control plane policing

• Implement DHCP snooping
• Implement Dynamic ARP Inspection
• Implement port security
• Describe BPDU guard, root guard, loop guard
• Verify mitigation procedures

• Describe the security implications of a PVLAN
• Describe the security implications of a native VLAN
• Describe operational strengths and weaknesses of the different firewall technologies
• Proxy firewalls
• Application firewall
• Personal firewall

• Operations
• Function of the state table

• Proxy firewalls
• Application firewall
• Personal firewall

• Operations
• Function of the state table

• Zone to zone
• Self-zone

• Configure ASA access management
• Configure security access policies
• Configure Cisco ASA interface security levels
• Configure default Cisco Modular Policy Framework (MPF)
• Describe modes of deployment (routed firewall, transparent firewall)
• Describe methods of implementing high availability
• Describe security contexts
• Describe firewall services
• Describe IPS deployment considerations
• Network-based IPS vs. host-based IPS
• Modes of deployment (inline, promiscuous – SPAN, tap)
• Placement (positioning of the IPS within the network)
• False positives, false negatives, true positives, true negatives

• Rules/signatures
• Detection/signature engines
• Trigger actions/responses (drop, reset, block, alert, monitor/log, shun)
• Blacklist (static and dynamic)
• Describe mitigation technology for email-based threats
• SPAM filtering, anti-malware filtering, DLP, blacklisting, email encryption

• Local and cloud-based web proxies
• Blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, TLS/SSL decryption
•  

Anti-virus/anti-malware

• Personal firewall/HIPS
• Hardware/software encryption of local data