+353-1-416-8900REST OF WORLD
+44-20-3973-8888REST OF WORLD
1-917-300-0470EAST COAST U.S
1-800-526-8630U.S. (TOLL FREE)

CCNA Security Study Guide. Exam 210-260. Edition No. 2

  • Book

  • 384 Pages
  • March 2018
  • John Wiley and Sons Ltd
  • ID: 4342150

Cisco has announced big changes to its certification program.

As of February 24, 2020, all current certifications will be retired, and Cisco will begin offering new certification programs.

The good news is if you’re working toward any current CCNA certification, keep going. You have until February 24, 2020 to complete your current CCNA. If you already have CCENT/ICND1 certification and would like to earn CCNA, you have until February 23, 2020 to complete your CCNA certification in the current program.  Likewise, if you’re thinking of completing the current CCENT/ICND1, ICND2, or CCNA Routing and Switching certification, you can still complete them between now and February 23, 2020. 



Lay the foundation for a successful career in network security

CCNA Security Study Guide offers comprehensive review for Exam 210-260. Packed with concise explanations of core security concepts, this book is designed to help you successfully prepare for the exam. Expert instruction guides you through critical concepts relating to secure network infrastructure, access management, VPN encryption, Firewalls, intrusion prevention and more, with complete coverage of the CCNA exam objectives. Practical examples allow you to apply your skills in real-world scenarios, helping you transition effectively from "learning" to "doing". You also get access to the Sybex online learning environment, featuring the tools you need to maximize your study time: key terminology and flash cards allow you to study anytime, anywhere, while chapter tests and practice exams help you track your progress and gauge your readiness along the way.

The CCNA Security certification tests your knowledge of secure network installation, monitoring, and troubleshooting using Cisco security hardware and software solutions. When you're ready to get serious about preparing for the exam, this book gives you the advantage of complete coverage, real-world application, and extensive learning aids to help you pass with confidence.

  • Master Cisco security essentials, standards, and core technologies
  • Work through practical examples drawn from real-world examples
  • Track your progress with online study aids and self-tests
  • Develop critical competencies in maintaining data integrity, confidentiality, and availability

Earning your CCNA Security certification validates your abilities in areas that define careers including network security, administrator, and network security support engineer. With data threats continuing to mount, the demand for this skill set will only continue to grow - and in an employer's eyes, a CCNA certification makes you a true professional. CCNA Security Study Guide is the ideal preparation resource for candidates looking to not only pass the exam, but also succeed in the field.

Table of Contents

Introduction xxi

Assessment Test xxxi

Chapter 1 Understanding Security Fundamentals 1

Goals of Security 2

Confidentiality 2

Integrity 3

Availability 3

Guiding Principles 3

Common Security Terms 6

Risk Management Process 7

Network Topologies 15

CAN 15

WAN 16

Data Center 16

SOHO 17

Virtual 17

Common Network Security Zones 17

DMZ 17

Intranet and Extranet 18

Public and Private 18

VLAN 18

Summary 19

Exam Essentials 19

Review Questions 20

Chapter 2 Understanding Security Threats 25

Common Network Attacks 26

Motivations 26

Classifying Attack Vectors 27

Spoofing 28

Password Attacks 29

Reconnaissance Attacks 30

Buffer Overflow 34

DoS 34

DDoS 36

Man-in-the-Middle Attack 37

ARP Poisoning 37

Social Engineering 38

Phishing/Pharming 38

Prevention 38

Malware 39

Data Loss and Exfiltration 39

Summary 40

Exam Essentials 40

Review Questions 42

Chapter 3 Understanding Cryptography 45

Symmetric and Asymmetric Encryption 46

Ciphers 46

Algorithms 48

Hashing Algorithms 53

MD5 54

SHA-1 54

SHA-2 54

HMAC 55

Digital Signatures 55

Key Exchange 57

Application: SSH 57

Public Key Infrastructure 57

Public and Private Keys 58

Certificates 60

Certificate Authorities 61

PKI Standards 63

PKI Topologies 64

Certificates in the ASA 65

Cryptanalysis 67

Summary 68

Exam Essentials 68

Review Questions 69

Chapter 4 Securing the Routing Process 73

Securing Router Access 74

Configuring SSH Access 74

Configuring Privilege Levels in IOS 76

Configuring IOS Role-Based CLI 77

Implementing Cisco IOS Resilient Configuration 79

Implementing OSPF Routing Update Authentication 80

Implementing OSPF Routing Update Authentication 80

Implementing EIGRP Routing Update Authentication 82

Securing the Control Plane 82

Control Plane Policing 83

Summary 84

Exam Essentials 85

Review Questions 86

Chapter 5 Understanding Layer 2 Attacks 91

Understanding STP Attacks 92

Understanding ARP Attacks 93

Understanding MAC Attacks 95

Understanding CAM Overflows 96

Understanding CDP/LLDP Reconnaissance 97

Understanding VLAN Hopping 98

Switch Spoofing 98

Double Tagging 99

Understanding DHCP Spoofing 99

Summary 101

Exam Essentials 101

Review Questions 102

Chapter 6 Preventing Layer 2 Attacks 107

Configuring DHCP Snooping 108

Configuring Dynamic ARP Inspection 110

Configuring Port Security 112

Configuring STP Security Features 114

BPDU Guard 114

Root Guard 115

Loop Guard 115

Disabling DTP 116

Verifying Mitigations 116

DHCP Snooping 116

DAI 117

Port Security 118

STP Features 118

DTP 120

Summary 120

Exam Essentials 121

Review Questions 122

Chapter 7 VLAN Security 127

Native VLANs 128

Mitigation 128

PVLANs 128

PVLAN Edge 131

PVLAN Proxy Attack 132

ACLs on Switches 133

Port ACLs 133

VLAN ACLs 133

Summary 134

Exam Essentials 134

Review Questions 136

Chapter 8 Securing Management Traffic 141

In-Band and Out-of-Band Management 142

AUX Port 142

VTY Ports 143

HTTPS Connection 144

SNMP 144

Console Port 145

Securing Network Management 146

SSH 146

HTTPS 146

ACLs 146

Banner Messages 147

Securing Access through SNMP v3 149

Securing NTP 150

Using SCP for File Transfer 151

Summary 151

Exam Essentials 152

Review Questions 153

Chapter 9 Understanding 802.1x and AAA 157

802.1x Components 158

RADIUS and TACACS+ Technologies 159

Configuring Administrative Access with TACACS+ 160

Local AAA Authentication and Accounting 160

SSH Using AAA 161

Understanding Authentication and Authorization Using ACS and ISE 161

Understanding the Integration of Active Directory with AAA 162

TACACS+ on IOS 162

Verify Router Connectivity to TACACS+ 164

Summary 164

Exam Essentials 165

Review Questions 166

Chapter 10 Securing a BYOD Initiative 171

The BYOD Architecture Framework 172

Cisco ISE 172

Cisco TrustSec 174

The Function of Mobile Device Management 177

Integration with ISE Authorization Policies 177

Summary 178

Exam Essentials 179

Review Questions 180

Chapter 11 Understanding VPNs 185

Understanding IPsec 186

Security Services 186

Protocols 189

Delivery Modes 192

IPsec with IPV6 194

Understanding Advanced VPN Concepts 195

Hairpinning 195

Split Tunneling 196

Always-on VPN 197

NAT Traversal 198

Summary 199

Exam Essentials 199

Review Questions 200

Chapter 12 Configuring VPNs 203

Configuring Remote Access VPNs 204

Basic Clientless SSL VPN Using ASDM 204

Verify a Clientless Connection 207

Basic AnyConnect SSL VPN Using ASDM 207

Verify an AnyConnect Connection 209

Endpoint Posture Assessment 209

Configuring Site-to-Site VPNs 209

Implement an IPsec Site-to-Site VPN with Preshared Key Authentication 209

Verify an IPsec Site-to-Site VPN 212

Summary 212

Exam Essentials 213

Review Questions 214

Chapter 13 Understanding Firewalls 219

Understanding Firewall Technologies 220

Packet Filtering 220

Proxy Firewalls 220

Application Firewall 221

Personal Firewall 221

Stateful vs. Stateless Firewalls 222

Operations 222

State Table 223

Summary 224

Exam Essentials 224

Review Questions 225

Chapter 14 Configuring NAT and Zone-Based Firewalls 229

Implementing NAT on ASA 9.x 230

Static 231

Dynamic 232

PAT 233

Policy NAT 233

Verifying NAT Operations 235

Configuring Zone-Based Firewalls 236

Class Maps 237

Default Policies 237

Configuring Zone-to-Zone Access 239

Summary 240

Exam Essentials 240

Review Questions 241

Chapter 15 Configuring the Firewall on an ASA 245

Understanding Firewall Services 246

Understanding Modes of Deployment 247

Routed Firewall 247

Transparent Firewall 247

Understanding Methods of Implementing High Availability 247

Active/Standby Failover 248

Active/Active Failover 248

Clustering 249

Understanding Security Contexts 249

Configuring ASA Management Access 250

Initial Configuration 250

Configuring Cisco ASA Interface Security Levels 251

Security Levels 251

Configuring Security Access Policies 253

Interface Access Rules 253

Object Groups 254

Configuring Default Cisco Modular Policy Framework (MPF) 256

Summary 257

Exam Essentials 257

Review Questions 259

Chapter 16 Intrusion Prevention 263

IPS Terminology 264

Threat 264

Risk 264

Vulnerability 265

Exploit 265

Zero-Day Threat 265

Actions 265

Network-Based IPS vs. Host-Based IPS 266

Host-Based IPS 266

Network-Based IPS 266

Promiscuous Mode 266

Detection Methods 267

Evasion Techniques 267

Packet Fragmentation 267

Injection Attacks 270

Alternate String Expressions 271

Introducing Cisco FireSIGHT 271

Capabilities 271

Protections 272

Understanding Modes of Deployment 273

Inline 275

Positioning of the IPS within the Network 275

Outside 275

DMZ 276

Inside 277

Understanding False Positives, False Negatives, True Positives, and True Negatives 277

Summary 278

Exam Essentials 278

Review Questions 280

Chapter 17 Content and Endpoint Security 285

Mitigating Email Threats 286

Spam Filtering 286

Context-Based Filtering 287

Anti-malware Filtering 287

DLP 287

Blacklisting 288

Email Encryption 288

Cisco Email Security Appliance 288

Putting the Pieces Together 290

Mitigating Web-Based Threats 292

Understanding Web Proxies 292

Cisco Web Security Appliance 293

Mitigating Endpoint Threats 294

Cisco Identity Services Engine (ISE) 294

Antivirus/Anti-malware 294

Personal Firewall 294

Hardware/Software Encryption of Local Data 294

HIPS 295

Summary 295

Exam Essentials 295

Review Questions 296

Appendix Answers to Review Questions 301

Chapter 1: Understanding Security Fundamentals 302

Chapter 2: Understanding Security Threats 304

Chapter 3: Understanding Cryptography 305

Chapter 4: Securing the Routing Process 307

Chapter 5: Understanding Layer 2 Attacks 309

Chapter 6: Preventing Layer 2 Attacks 311

Chapter 7: VLAN Security 312

Chapter 8: Securing Management Traffic 314

Chapter 9: Understanding 802.1x and AAA 316

Chapter 10: Securing a BYOD Initiative 317

Chapter 11: Understanding VPNs 319

Chapter 12: Configuring VPNs 321

Chapter 13: Understanding Firewalls 322

Chapter 14: Configuring NAT and Zone-Based Firewalls 324

Chapter 15: Configuring the Firewall on an ASA 325

Chapter 16: Intrusion Prevention 327

Chapter 17: Content and Endpoint Security 328

Index 331

Authors

Troy McMillan