Breaking Down the New CCNA Exam: Security Fundamentals

by Jim Goughenour

This is the fifth in a series of articles on the six sections of Cisco’s CCNA certification exam 200-301, which earns the CCNA (Cisco Certified Network Associate) certification.

In this series, we’re taking a look at all the many things you need to know for the Cisco’s 200-301 CCNA certification exam. The 200-301 Exam blueprint is divided into 6 components, each component having a different weight associated with it.  Here are the categories, weights, and possibly the number of questions for each:

The fifth area of focus for the new CCNA exam is Security Fundamentals. Here is a breakdown from Cisco of the components of the Security Fundamentals section which makes up 15% of the total exam.

5.0 Security Fundamentals
5.1 Define key security concepts (threats, vulnerabilities, exploits, and mitigation techniques)
5.2 Describe Security program elements (user awareness, training, and physical access control)
5.3 Configure device access control using local passwords
5.4 Describe security password policy elements, such as management, complexity, and password alternatives (multifactor authentication, certificates, and biometrics)
5.5 Describe remote access and site-to-site VPNs
5.6 Configure and verify access control lists
5.7 Configure Layer 2 Security features (DHCP snooping, dynamic ARP inspection, and port security
5.8 Differentiate authentication, authorization, and accounting concepts
5.9 Describe wireless security protocols (WPA, WPA2, and WPA3)
5.10 Configure WLAN using WPA2 PSK using the GUI

There was a time when security concerns were thought to only come from the outside of the internal network. In today’s environment of BYOD (Bring your own Device), and all the things we do on or involving the Internet, security now has to be thought of spherically. For the new associate level exam, we start to focus on some of the basics.  Here we go. 

Define Key Security Concepts

Hopefully as you have prepared for the exam, you have become aware that Cisco has several ways they like to ask questions – single question/single answer, single question/multiple answers, and the ever popular drag and drop match up. I would anticipate (and I could be wrong) that there will be at least one or two questions using the drag and drop method, likely involving the definitions of these words.  It will serve you well to know the difference between a threat and an exploit. You will also be served well to know some (not all) of the ways in which we mitigate threats, vulnerabilities and exploits.

Describe security program elements

If your experience is anything like mine, when I was with my last employer, we had to sit down once a year and watch a series of video presentations (some even had the presenter dressed as Elvis) on network and user security. Now rest assured that the presentations made by the Elvis imitator were far more interesting than the ones with the computer voice, but in any event, the whole goal of these videos were to refresh in our minds the important role that users have in securing the network. You would be astonished (or nodding your head in agreement) that no matter how many times we tell users not to click on hyperlinks that are not familiar or trusted, they do it anyway. So an overview of the role that users play and the variety of ways we try to educate them is part of security also. Then there are the differences between physical and non-physical security mechanisms we put in place to assist users in staying safe.

Configure device access control using local passwords

The topics of Exam 200-301 are covered in the training course Implementing and Administering Cisco Solutions (CCNA v1.0). This section of the bootcamp is called Securing Administrative Access, and it is all about how we secure the network elements for administrators to manage them. There are lots of options, but this particular part talks about things like local user accounts and passwords and how we encrypt or don’t encrypt those passwords on the device. Circling back to SSH in an earlier blog, remember that usernames and passwords on the device are recommended, even if you are using TACACS+ or RADIUS on an external server, just in case the server becomes unavailable.

Describe Security Password Policy Elements

Now that we have decided to use passwords, the question then becomes how do we manage them? And what policies do we put in place to ensure that we have covered all the bases when it comes to length, complexity, age, and all those variables? If you are like me and use publicly available video resources, one of the common threads of those relating to passwords is that the longer they are, the better. There could be questions on alternatives to passwords also, like cards, biometrics, and certificates.

Describe Remote Access and Site-to-Site VPNs 

Did you know that the Google Search Engine prefers https:// over http:// sites when they return a response to an inquiry? Well if you did not, now you do. How this idea ties into remote access or site to site VPNs is this – when you are on a website that uses a certificate, there is a security agreement between the site and your browser. There is also encryption of the traffic flow between you and the site. Conceptually the same is true when we use any kind of VPN – there is encryption, key management, establishment of the session, and protected traffic. You will be well served to know, at least at a high level, all the moving parts involved in creating these. Now even though we do this most often in firewalls, we can do them in routers, provided we have the right software/licensing to do that.

Configure and Verify Access Control Lists

I remember when I first started in this industry that ACLs were challenging to me. Not so much anymore, as when I read them I put things in a logical order and then say that order out loud. It helps me to understand from the device or interface that is executing them how the device is processing the logic of the ACL (Access Control List). You will be well served to remember that Standard ACLs only look at the source IP address and control at the IP layer, and that Extended ACLs can look at source/destination IP, protocol and port number. I think it would also be helpful to remember that there are such things as shadowed and orphaned access control entries in the access control list, and where we typically place ACLs depending on what we want from them. Remember the 3P rule, which says you can have one ACL per protocol, per interface and per direction.

Configure Layer 2 Security Features

Another question or two could be about things we do on switches relative to security. Things like trusted versus untrusted interfaces could be asked about, and what a trusted interface will allow versus what an untrusted interface will deny. Know that in order to have Dynamic ARP Inspection you must have DHCP snooping (the all-important relational database), and that with port security, the ways in which we can secure MAC address passage over an interface.

Differentiate Authentication, Authorization, and Accounting Concepts

Many years ago (and I mean almost a lifetime ago) I thought being a part of a motorcycle club would complete me as a human being. I was wrong, but I made decisions in my life pursuant to that belief. Now before you translate my profile picture and create some illusion, let me be clear that the motorcycle club I was prospecting for was more social than anything else. In any event, there were certain things I could do and not do as a prospect. For example, as a prospect (not a full-patch holding member), I was not allowed to wear my “cut” when I was riding alone. So the way this ties into AAA is really simple – AAA answers the following questions: May I participate? Once granted the right to participate, what am I allowed to do? And finally, how is that going to be observed or calculated or reported?

Describe Wireless Security Protocols

The final two topics in this discussion of security would not be complete if we did not include Wireless, or the ever-popular WiFi security parameters. This section could ask about differentiations in the various security protocols WiFi has instituted over the years and how some have now become extinct. Simply put, WPA3 is more secure than WPA2, and both are more secure than WPA, and all of them are more secure than WEP.

Configure WLAN using WPA2 PSK using the GUI

And finally from this section, and remember the “box” concept I talked about earlier, a WLAN (the box) can be configured with various attributes, one of which is security. Recall the process steps from the lab or from your controller in the lab that takes you through step by step in building the “box.” Security is a working attribute of the WLAN.

Thanks for taking the time to read these. My hope is that they are helpful and remember that I believe in you and have confidence that you will succeed.  Happy examing everyone.

Training Resources:
Implementing and Administering Cisco Solutions (CCNA v1.0)
Athena Continuous Training Program
Enterprise Networking Training 

Read the other articles from this series:
Section 1: Network Fundamentals
Section 2: Network Access
Section 3: IP Connectivity
Section 4: IP Services

 

Related Posts

Leave a Comment

Close Bitnami banner
Bitnami