CCNA Security 210-260 Official Cert Guide

Book Description

CCNA Security 200-260 Official Cert Guide is a complete guide covering all the material presented in the CCNA Security 200-260 exam. It is meant to help network security professionals prepare for the CCNA Security certification exam and also improve their awareness and knowledge of network security. The book uses several key practices and methodologies to help the reader discover the exam topics for which they need more review. The goal is not to try to help the reader pass the exams only by memorization, but by truly learning and understanding the topics.

This book provides step-by-step instructions and explanations to fill in the reader’s security knowledge gaps. Additionally, it helps the student discover which exam topics he or she may want to invest more time studying. It provides supplemental material to reinforce some of the critical concepts and techniques that the reader has learned and provides practice questions to assess their understanding of the topics. CCNA Security 200-260 Official Cert Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. “Do I Know This Already?” quizzes open each chapter and enable you to decide how much time you need to spend on each section. Exam topic lists make referencing easy. Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly.

  • Master Cisco CCNA Security 200-260 exam topics

  • Assess your knowledge with chapter-opening quizzes

  • Review key concepts with exam preparation tasks

CCNA Security 200-260 Official Cert Guide focuses specifically on the objectives for the Cisco CCNA Security IINS exam. Expert networking professionals Omar Santos and John Stuppi share preparation hints and test-taking tips, helping you identify areas of weakness and improve both your conceptual knowledge and hands-on skills. Material is presented in a concise manner, focusing on increasing your understanding and retention of exam topics.

The official study guide helps you master all the topics on the CCNA Security IINS exam.

Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. About the Authors
    5. About the Technical Reviewers
    6. Dedications
    7. Acknowledgments
    8. Contents at a Glance
    9. Contents
    10. Command Syntax Conventions
    11. Introduction
      1. About the CCNA Security Implementing Cisco Network Security (IINS) 210-260 Exam
      2. CCNA Security Exam
      3. About the CCNA Security 210-260 Official Cert Guide
      4. Objectives and Methods
      5. Book Features
      6. How This Book Is Organized
      7. Premium Edition eBook and Practice Test
    12. Part I: Fundamentals of Network Security
      1. Chapter 1. Networking Security Concepts
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Understanding Network and Information Security Basics
            1. Network Security Objectives
            2. Confidentiality, Integrity, and Availability
            3. Cost-Benefit Analysis of Security
            4. Classifying Assets
            5. Classifying Vulnerabilities
            6. Classifying Countermeasures
            7. What Do We Do with the Risk?
          2. Recognizing Current Network Threats
            1. Potential Attackers
            2. Attack Methods
            3. Attack Vectors
            4. Man-in-the-Middle Attacks
            5. Other Miscellaneous Attack Methods
          3. Applying Fundamental Security Principles to Network Design
            1. Guidelines
            2. Network Topologies
            3. Network Security for a Virtual Environment
            4. How It All Fits Together
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
      2. Chapter 2. Common Security Threats
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Network Security Threat Landscape
          2. Distributed Denial-of-Service Attacks
          3. Social Engineering Methods
            1. Social Engineering Tactics
            2. Defenses Against Social Engineering
          4. Malware Identification Tools
            1. Methods Available for Malware Identification
          5. Data Loss and Exfiltration Methods
          6. Summary
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
    13. Part II: Secure Access
      1. Chapter 3. Implementing AAA in Cisco IOS
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Cisco Secure ACS, RADIUS, and TACACS
            1. Why Use Cisco ACS?
            2. On What Platform Does ACS Run?
            3. What Is ISE?
            4. Protocols Used Between the ACS and the Router
            5. Protocol Choices Between the ACS Server and the Client (the Router)
          2. Configuring Routers to Interoperate with an ACS Server
          3. Configuring the ACS Server to Interoperate with a Router
          4. Verifying and Troubleshooting Router-to-ACS Server Interactions
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      2. Chapter 4. Bring Your Own Device (BYOD)
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Bring Your Own Device Fundamentals
          2. BYOD Architecture Framework
            1. BYOD Solution Components
          3. Mobile Device Management
            1. MDM Deployment Options
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
    14. Part III: Virtual Private Networks (VPN)
      1. Chapter 5. Fundamentals of VPN Technology and Cryptography
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Understanding VPNs and Why We Use Them
            1. What Is a VPN?
            2. Types of VPNs
            3. Main Benefits of VPNs
          2. Cryptography Basic Components
            1. Ciphers and Keys
            2. Block and Stream Ciphers
            3. Symmetric and Asymmetric Algorithms
            4. Hashes
            5. Hashed Message Authentication Code
            6. Digital Signatures
            7. Key Management
            8. IPsec and SSL
          3. Public Key Infrastructure
            1. Public and Private Key Pairs
            2. RSA Algorithm, the Keys, and Digital Certificates
            3. Certificate Authorities
            4. Root and Identity Certificates
            5. Authenticating and Enrolling with the CA
            6. Public Key Cryptography Standards
            7. Simple Certificate Enrollment Protocol
            8. Revoked Certificates
            9. Uses for Digital Certificates
            10. PKI Topologies
          4. Putting the Pieces of PKI to Work
            1. ASA’s Default Certificate
            2. Viewing the Certificates in ASDM
            3. Adding a New Root Certificate
            4. Easier Method for Installing Both Root and Identity Certificates
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      2. Chapter 6. Fundamentals of IP Security
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. IPsec Concepts, Components, and Operations
            1. The Goal of IPsec
            2. The Internet Key Exchange (IKE) Protocol
            3. The Play by Play for IPsec
            4. Summary of the IPsec Story
          2. Configuring and Verifying IPsec
            1. Tools to Configure the Tunnels
            2. Start with a Plan
            3. Applying the Configuration
            4. Viewing the CLI Equivalent at the Router
            5. Completing and Verifying IPsec
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      3. Chapter 7. Implementing IPsec Site-to-Site VPNs
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Planning and Preparing an IPsec Site-to-Site VPN
            1. Customer Needs
            2. Planning IKEv1 Phase 1
            3. Planning IKEv1 Phase 2
          2. Implementing and Verifying an IPsec Site-to-Site VPN in Cisco IOS Devices
            1. Troubleshooting IPsec Site-to-Site VPNs in Cisco IOS
          3. Implementing and Verifying an IPsec Site-to-Site VPN in Cisco ASA
            1. Troubleshooting IPsec Site-to-Site VPNs in Cisco ASA
            2. Note
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      4. Chapter 8. Implementing SSL VPNs Using Cisco ASA
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Functions and Use of SSL for VPNs
            1. Is IPsec Out of the Picture?
            2. SSL and TLS Protocol Framework
            3. The Play by Play of SSL for VPNs
            4. SSL VPN Flavors
          2. Configuring Clientless SSL VPNs on ASA
            1. Using the SSL VPN Wizard
            2. Digital Certificates
            3. Accessing the Connection Profile
            4. Authenticating Users
            5. Logging In
            6. Seeing the VPN Activity from the Server
          3. Using the Cisco AnyConnect Secure Mobility Client
            1. Types of SSL VPNs
            2. Configuring the Cisco ASA to Terminate the Cisco AnyConnect Secure Mobility Client Connections
            3. Groups, Connection Profiles, and Defaults
            4. One Item with Three Different Names
            5. Split Tunneling
          4. Troubleshooting SSL VPN
            1. Troubleshooting SSL Negotiations
            2. Troubleshooting AnyConnect Client Issues
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
    15. Part IV: Secure Routing and Switching
      1. Chapter 9. Securing Layer 2 Technologies
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. VLAN and Trunking Fundamentals
            1. What Is a VLAN?
            2. Trunking with 802.1Q
            3. Following the Frame, Step by Step
            4. The Native VLAN on a Trunk
            5. So, What Do You Want to Be? (Asks the Port)
            6. Inter-VLAN Routing
            7. The Challenge of Using Physical Interfaces Only
            8. Using Virtual “Sub” Interfaces
          2. Spanning-Tree Fundamentals
            1. Loops in Networks Are Usually Bad
            2. The Life of a Loop
            3. The Solution to the Layer 2 Loop
            4. STP Is Wary of New Ports
            5. Improving the Time Until Forwarding
          3. Common Layer 2 Threats and How to Mitigate Them
            1. Disrupt the Bottom of the Wall, and the Top Is Disrupted, Too
            2. Layer 2 Best Practices
            3. Do Not Allow Negotiations
            4. Layer 2 Security Toolkit
            5. Specific Layer 2 Mitigation for CCNA Security
          4. CDP and LLDP
          5. DHCP Snooping
          6. Dynamic ARP Inspection
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Review the Port Security Video Included with This Book
          4. Define Key Terms
          5. Command Reference to Check Your Memory
      2. Chapter 10. Network Foundation Protection
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Using Network Foundation Protection to Secure Networks
            1. The Importance of the Network Infrastructure
            2. The Network Foundation Protection Framework
            3. Interdependence
            4. Implementing NFP
          2. Understanding the Management Plane
            1. First Things First
            2. Best Practices for Securing the Management Plane
          3. Understanding the Control Plane
            1. Best Practices for Securing the Control Plane
          4. Understanding the Data Plane
            1. Best Practices for Protecting the Data Plane
            2. Additional Data Plane Protection Mechanisms
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
      3. Chapter 11. Securing the Management Plane on Cisco IOS Devices
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Securing Management Traffic
            1. What Is Management Traffic and the Management Plane?
            2. Beyond the Blue Rollover Cable
            3. Management Plane Best Practices
            4. Password Recommendations
            5. Using AAA to Verify Users
            6. Role-Based Access Control
            7. Encrypted Management Protocols
            8. Using Logging Files
            9. Understanding NTP
            10. Protecting Cisco IOS Files
          2. Implementing Security Measures to Protect the Management Plane
            1. Implementing Strong Passwords
            2. User Authentication with AAA
            3. Using the CLI to Troubleshoot AAA for Cisco Routers
            4. RBAC Privilege Level/Parser View
            5. Implementing Parser Views
            6. SSH and HTTPS
            7. Implementing Logging Features
            8. SNMP Features
            9. Configuring NTP
            10. Secure Copy Protocol
            11. Securing the Cisco IOS Image and Configuration Files
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      4. Chapter 12. Securing the Data Plane in IPv6
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Understanding and Configuring IPv6
            1. Why IPv6?
            2. The Format of an IPv6 Address
          2. Configuring IPv6 Routing
            1. Moving to IPv6
          3. Developing a Security Plan for IPv6
            1. Best Practices Common to Both IPv4 and IPv6
            2. Threats Common to Both IPv4 and IPv6
            3. The Focus on IPv6 Security
            4. New Potential Risks with IPv6
            5. IPv6 Best Practices
            6. IPv6 Access Control Lists
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      5. Chapter 13. Securing Routing Protocols and the Control Plane
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Securing the Control Plane
            1. Minimizing the Impact of Control Plane Traffic on the CPU
          2. Control Plane Policing
            1. Control Plane Protection
          3. Securing Routing Protocols
            1. Implement Routing Update Authentication on OSPF
            2. Implement Routing Update Authentication on EIGRP
            3. Implement Routing Update Authentication on RIP
            4. Implement Routing Update Authentication on BGP
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
    16. Part V: Cisco Firewall Technologies and Intrusion Prevention System Technologies
      1. Chapter 14. Understanding Firewall Fundamentals
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Firewall Concepts and Technologies
            1. Firewall Technologies
            2. Objectives of a Good Firewall
            3. Firewall Justifications
            4. The Defense-in-Depth Approach
            5. Firewall Methodologies
          2. Using Network Address Translation
            1. NAT Is About Hiding or Changing the Truth About Source Addresses
            2. Inside, Outside, Local, Global
            3. Port Address Translation
            4. NAT Options
          3. Creating and Deploying Firewalls
            1. Firewall Technologies
            2. Firewall Design Considerations
            3. Firewall Access Rules
            4. Packet-Filtering Access Rule Structure
            5. Firewall Rule Design Guidelines
            6. Rule Implementation Consistency
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
      2. Chapter 15. Implementing Cisco IOS Zone-Based Firewalls
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Cisco IOS Zone-Based Firewalls
            1. How Zone-Based Firewall Operates
            2. Specific Features of Zone-Based Firewalls
            3. Zones and Why We Need Pairs of Them
            4. Putting the Pieces Together
            5. Service Policies
            6. The Self Zone
          2. Configuring and Verifying Cisco IOS Zone-Based Firewalls
            1. First Things First
            2. Using CCP to Configure the Firewall
            3. Verifying the Firewall
            4. Verifying the Configuration from the Command Line
            5. Implementing NAT in Addition to ZBF
            6. Verifying Whether NAT Is Working
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      3. Chapter 16. Configuring Basic Firewall Policies on Cisco ASA
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. The ASA Appliance Family and Features
            1. Meet the ASA Family
            2. ASA Features and Services
          2. ASA Firewall Fundamentals
            1. ASA Security Levels
            2. The Default Flow of Traffic
            3. Tools to Manage the ASA
            4. Initial Access
            5. Packet Filtering on the ASA
            6. Implementing a Packet-Filtering ACL
            7. Modular Policy Framework
            8. Where to Apply a Policy
          3. Configuring the ASA
            1. Beginning the Configuration
            2. Getting to the ASDM GUI
            3. Configuring the Interfaces
            4. IP Addresses for Clients
            5. Basic Routing to the Internet
            6. NAT and PAT
            7. Permitting Additional Access Through the Firewall
            8. Using Packet Tracer to Verify Which Packets Are Allowed
            9. Verifying the Policy of No Telnet
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      4. Chapter 17. Cisco IDS/IPS Fundamentals
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. IPS Versus IDS
            1. What Sensors Do
            2. Difference Between IPS and IDS
            3. Sensor Platforms
            4. True/False Negatives/Positives
            5. Positive/Negative Terminology
          2. Identifying Malicious Traffic on the Network
            1. Signature-Based IPS/IDS
            2. Policy-Based IPS/IDS
            3. Anomaly-Based IPS/IDS
            4. Reputation-Based IPS/IDS
            5. When Sensors Detect Malicious Traffic
            6. Controlling Which Actions the Sensors Should Take
            7. Implementing Actions Based on the Risk Rating
            8. Circumventing an IPS/IDS
          3. Managing Signatures
            1. Signature or Severity Levels
          4. Monitoring and Managing Alarms and Alerts
            1. Security Intelligence
            2. IPS/IDS Best Practices
          5. Cisco Next-Generation IPS Solutions
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
    17. Part VI: Content and Endpoint Security
      1. Chapter 18. Mitigation Technologies for E-mail-Based and Web-Based Threats
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Mitigation Technology for E-mail-Based Threats
            1. E-mail-Based Threats
            2. Cisco Cloud E-mail Security
            3. Cisco Hybrid E-mail Security
            4. Cisco E-mail Security Appliance
            5. Cisco ESA Initial Configuration
          2. Mitigation Technology for Web-Based Threats
            1. Cisco CWS
            2. Cisco WSA
          3. Cisco Content Security Management Appliance
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
          4. Command Reference to Check Your Memory
      2. Chapter 19. Mitigation Technologies for Endpoint Threats
        1. “Do I Know This Already?” Quiz
        2. Foundation Topics
          1. Antivirus and Antimalware Solutions
          2. Personal Firewalls and Host Intrusion Prevention Systems
          3. Advanced Malware Protection for Endpoints
          4. Hardware and Software Encryption of Endpoint Data
            1. E-mail Encryption
            2. Encrypting Endpoint Data at Rest
            3. Virtual Private Networks
        3. Exam Preparation Tasks
          1. Review All the Key Topics
          2. Complete the Tables and Lists from Memory
          3. Define Key Terms
    18. Part VII: Final Preparation
      1. Chapter 20. Final Preparation
        1. Tools for Final Preparation
        2. Exam Engine and Questions on the CD
          1. Install the Exam Engine
          2. Activate and Download the Practice Exam
          3. Activating Other Exams
          4. Premium Edition
        3. The Cisco Learning Network
        4. Memory Tables
        5. Chapter-Ending Review Tools
        6. Study Plan
        7. Recall the Facts
        8. Practice Configurations
        9. Using the Exam Engine
    19. Part VIII: Appendixes
      1. Appendix A. Answers to the “Do I Know This Already?” Quizzes
        1. Chapter 1
        2. Chapter 2
        3. Chapter 3
        4. Chapter 4
        5. Chapter 5
        6. Chapter 6
        7. Chapter 7
        8. Chapter 8
        9. Chapter 9
        10. Chapter 10
        11. Chapter 11
        12. Chapter 12
        13. Chapter 13
        14. Chapter 14
        15. Chapter 15
        16. Chapter 16
        17. Chapter 17
        18. Chapter 18
        19. Chapter 19
      2. Appendix B. CCNA Security 210-260 (IINS) Exam Updates
        1. Always Get the Latest at the Companion Website
        2. Technical Content
    20. Glossary
    21. Index
    22. Cisco Connect, Engage, Collaborate
    23. Where are the companion content files?
    24. Appendix C. Memory Tables
      1. Chapter 1
      2. Chapter 3
      3. Chapter 5
      4. Chapter 6
      5. Chapter 7
      6. Chapter 8
      7. Chapter 9
      8. Chapter 10
      9. Chapter 11
      10. Chapter 12
      11. Chapter 14
      12. Chapter 15
      13. Chapter 17
    25. Appendix D. Memory Tables Answer Key
      1. Chapter 1
      2. Chapter 3
      3. Chapter 5
      4. Chapter 6
      5. Chapter 7
      6. Chapter 8
      7. Chapter 9
      8. Chapter 10
      9. Chapter 11
      10. Chapter 12
      11. Chapter 14
      12. Chapter 15
      13. Chapter 17
    26. Appendix E. Study Planner
    27. Code Snippets