This is the fifth in a series of articles on the six sections of Cisco’s ENCOR certification exam 350-401, which leads to the CCNP Enterprise, CCIE Enterprise Infrastructure, CCIE Enterprise Wireless, and Cisco Certified Specialist – Enterprise Core certifications.
The fifth section of the Cisco ENCOR Enterprise certification exam 350-401 blueprint is Security. Security is undoubtedly a hot topic, and a major part of every network engineer’s job. So it should come as no surprise when it comes in as the second highest weighted section of the CCNP ENCOR exam – worth 20%.
5.1 Configure and verify device access control
- 5.1.a Lines and password protection
- 5.1.b Authentication and authorization using AAA
5.2 Configure and verify infrastructure security features
- 5.2.a ACLs
- 5.2.b CoPP
5.3 Describe REST API security
5.4 Configure and verify wireless security features
- 5.4.a EAP
- 5.4.b WebAuth
- 5.4.c PSK
5.5 Describe the components of network security design
- 5.5.a Threat defense
- 5.5.b Endpoint security
- 5.5.c Next-generation firewall
- 5.5.d TrustSec, MACsec
- 5.5.e Network access control with 802.1X, MAB, and WebAuth
Securing network devices within your network is a major part of your responsibilities as a network engineer. In everything that you do security should be top of mind. In this section of the CCNP ENCOR exam blueprint, securing the device is just the beginning.
You should know about configuring users, remote access, and the various types of passwords and their encryption levels. Know how to configure AAA, including RADIUS and TACACS, but don’t worry about the server side of those. Look more closely at the device side, such as how you specify which user authentication sources are checked and in what order. Also understand Control Plane Policing (CoPP), which can control which sources are allowed inbound SSH access to the device, rate limit ICMP and other traffic destined to the device itself, and more, to help protect the device and keep its processors from getting overwhelmed.
Wireless security is also covered in this portion of the exam. You should understand the different types of wireless authentication mechanisms, like Pre-Shared Keys (PSK) vs WebAuth, as well as the different flavors of EAP.
Cisco Security Portfolio
In section 5.5 you take a dive into the Cisco Security Portfolio. You should absolutely understand the different tools/products available from Cisco, like AMP, Umbrella, ESA (Email Security Appliance), WSA (Web Security Appliance), and more. You don’t need to know them deeply; you just need to understand what they are and, at a high level, what they do. Understand Cisco’s TrustSec vs MACsec, and any good security section must include 802.1X, as this should be a standard for access to most enterprise networks.
In today’s networks Automation is crucial so it goes without saying that you should understand how REST API security works. Hint: It uses a nifty little thing called a JSON Web Token, or JWT. Make sure you understand the components of JWT.
Access Control Lists
My last bit of advice for this part of the Cisco ENCOR blueprint is to have a thorough knowledge of access control lists (ACLs). You should know the difference between standard and extended, named and numbered, be comfortable configuring them, and absolutely understand how they are evaluated from the perspective of the device they are being deployed on. Understand time-based ACLs, and keywords you might find like greater than and less than. Know when a name can, and cannot, be used in place of a port number: www can be substituted for port 80, but ssh cannot be substituted for 22.
These topics are also covered in the ENCOR Implementing and Operating Cisco Enterprise Network Core Technologies class. So that’s security in a nutshell. Keep an eye out for the next, and final, section of this series – Breaking Down the Cisco ENCOR Blueprint: Automation.
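The evaluation rules above are easy to state and easy to get wrong, so here is an added example (mine, not from the article or from Cisco IOS) that parses a small, constructed extended ACL written in IOS-style syntax and walks it the way a device does: top down, first match wins, and anything that reaches the end of the list hits the implicit deny. It also shows the `eq`/`gt`/`lt`/`range` port operators and keeps only a subset of the classic IOS port keywords, deliberately leaving `ssh` out so that `eq ssh` fails to parse while `eq www` resolves to 80. Trailing keywords such as `log` or `time-range NAME` are ignored here (the time range is assumed to be active), which is a simplification of this toy, not of IOS.

```python
"""Added example: a toy evaluator for IOS-style extended ACL entries.
Demonstrates top-down first-match evaluation, the implicit deny, port operators,
and which port keywords may stand in for numbers. ACL text is constructed."""
import ipaddress

# Subset of classic IOS TCP/UDP port keywords. "ssh" is absent on purpose, as in IOS.
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53,
              "pop3": 110, "syslog": 514, "tacacs": 49}


def parse_port(tok: str) -> int:
    """Accept a port number or a known keyword; reject anything else (e.g. 'ssh')."""
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"'{tok}' is not a valid port keyword here; use the number")


def parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(0xFFFFFFFF ^ wildcard))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_port_op(tokens, i):
    """Optional eq/gt/lt/neq/range operator at tokens[i]; return (predicate, next i)."""
    if i >= len(tokens) or tokens[i] not in ("eq", "gt", "lt", "neq", "range"):
        return (lambda p: True), i          # no operator: any port matches
    op = tokens[i]
    if op == "range":
        lo, hi = parse_port(tokens[i + 1]), parse_port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = parse_port(tokens[i + 1])
    pred = {"eq": lambda p: p == n, "gt": lambda p: p > n,
            "lt": lambda p: p < n, "neq": lambda p: p != n}[op]
    return pred, i + 2


def parse_ace(line: str) -> dict:
    """permit|deny <proto> <src> [port-op] <dst> [port-op] [trailing keywords ignored]"""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = parse_addr(tokens, 2)
    sport, i = parse_port_op(tokens, i)
    dst, i = parse_port_op and parse_addr(tokens, i)
    dport, i = parse_port_op(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def evaluate(acl_lines, proto, src_ip, sport, dst_ip, dport):
    """Walk the ACL top down; the first matching entry decides. No match -> implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        if not line.split() or line.split()[0] == "remark":
            continue
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):       # 'ip' matches every protocol
            continue
        if (src in ace["src"] and ace["sport"](sport)
                and dst in ace["dst"] and ace["dport"](dport)):
            return ace["action"], ace["text"]
    return "deny", "implicit deny (end of list)"


# Constructed sample: an inbound ACL protecting management access to a switch at 10.0.0.1
ACL_MGMT_IN = [
    "remark constructed sample - management access to the core switch",
    "permit tcp 10.1.1.0 0.0.0.255 any eq 22",         # admin subnet may SSH
    "deny tcp any any eq 22 log",                      # everyone else: no SSH
    "permit tcp any host 10.0.0.1 eq www",             # 'www' is a valid keyword
    "permit udp host 10.1.1.50 host 10.0.0.1 eq 161",  # one SNMP poller
    "permit tcp any any gt 1023",                      # return traffic to high ports
]

if __name__ == "__main__":
    for flow in [("tcp", "10.1.1.7", 50000, "10.0.0.1", 22),
                 ("tcp", "192.0.2.9", 50000, "10.0.0.1", 22),
                 ("udp", "192.0.2.9", 50000, "10.0.0.1", 161)]:
        print(flow, "->", evaluate(ACL_MGMT_IN, *flow))
```

Swapping the first two entries is the classic ordering mistake: the broad `deny tcp any any eq 22` then shadows the admin-subnet permit, and no SSH session gets in at all. The evaluator makes that visible immediately, which is exactly the “from the perspective of the device” reasoning the blueprint asks for.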
Training Resources:
ENCOR Implementing and Operating Cisco Enterprise Network Core Technologies
Cisco Training
Read the other articles from this series:
Section 1: Architecture
Section 2: Virtualization
Section 3: Infrastructure
Section 4: Network Assurance