Network World
Tuesday, December 2, 2008
Wendell Odom's Cisco Cert Zone

Cisco Subnet

Get Smart about CCNA Security – Part 2 of 2

(Wendell here - Kevin's wrapping up today on CCNA Security - thanks, Kevin!) Kevin Wallace, CCIE #7945, CCSI, CCSP, CCNP, CCDP, CCVP, is a full-time instructor of Cisco courses for SkillSoft Corp. and is an author of several Cisco Press titles. Kevin’s Cisco experience spans 19 years and includes positions as a Network Design Specialist for Walt Disney World and as a Network Manager for Eastern Kentucky University.  

In my last blog, we examined how the CCNA Security exam (i.e. exam 640-553) could be attained, why someone might want to pursue such a certification, and the CCNA Security certification's impact on Cisco Certified Security Professional (CCSP) candidates. In this installment, we'll address specific content areas with which CCNA Security candidates should be familiar.

High-Level Overview

As mentioned in the previous blog, the CCNA Security certification is based on content found in the Implementing Cisco IOS® Network Security (IINS) course. The title of the course gives us some insight into what is covered on the exam. Specifically, we're focused on implementing network security for Cisco IOS® platforms (i.e. Cisco routers, and IOS®-based Cisco Catalyst switches). So, there's no need to be concerned with PIX, Adaptive Security Appliance (ASA), Virtual Private Network (VPN) concentrator, or Intrusion Prevention System (IPS) appliance platforms. The focus is solely on routers and switches.

Here's the breakdown of the IINS course:

  • Module 1: Introduction to Network Security Principles
  • Module 2: Perimeter Security
  • Module 3: Network Security Using Cisco IOS® Firewalls
  • Module 4: Site-to-Site VPNs
  • Module 5: Network Security Using Cisco IOS® IPS
  • Module 6: LAN, SAN, Voice, and Endpoint Security Overview

Let's take a look at these one at a time.

Module 1: Introduction to Network Security Principles

This first module contains a lot of security theory. For example, it addresses what types of attacks exist, where attacks might come from, and best practices for combating such attacks. Also, this module covers a formalized approach to operations security, the purpose and content of a security policy, and an overview of Cisco's Self-Defending Network strategy. So, you don't have to memorize any syntax in this first module; just have a solid understanding of security fundamentals.

Module 2: Perimeter Security

At the perimeter of your network, you might find a Cisco IOS® router. This module addresses how that perimeter device could help secure your network. For example, the router could be configured for Authentication, Authorization, and Accounting (AAA) services. Also, when you communicate with that router for management purposes, how can you do so securely? An example would be using Secure Shell (SSH) as opposed to Telnet.

With all of this focus on routers, you might guess that there is some syntax to be familiar with in this module, and there certainly is. However, since IINS is an introductory-level course, not everything is done from the command line. Much of the configuration is performed with the assistance of the Cisco Security Device Manager (SDM) graphical user interface, as seen here.

Module 3: Network Security Using Cisco IOS® Firewalls

Even though IINS doesn't address the configuration of PIX or ASA devices, the course does delve into the topic of making a Cisco IOS® router act as a firewall. You can think of a firewall as an inspector that allows or denies packets into or out of a network. After reviewing the fundamentals of firewalling, you discover how to filter packets using traditional access control lists (ACLs). Finally, you see how to create a Cisco IOS® zone-based policy firewall, where you can group physical interfaces together into logical zones. Again, SDM is used to illustrate this more advanced firewall configuration.
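As an added illustration (not from the original post or Kevin's book), here is what "grouping physical interfaces into logical zones" looks like on the IOS CLI; interface names, zone names and the permitted protocols are assumed for the example.

```cisco
! Added example, not from the original post: a minimal Cisco IOS zone-based
! policy firewall. Interface names, zone names and protocols are assumed.
!
! 1. Classify the traffic inside hosts may initiate toward the Internet.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! 2. Stateful inspection for that class; anything else is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! 3. Define the logical zones and place the physical interfaces in them.
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 description LAN side (assumed)
 zone-member security INSIDE
interface FastEthernet0/1
 description Internet side (assumed)
 zone-member security OUTSIDE
!
! 4. A zone-pair is directional. Only INSIDE -> OUTSIDE carries a policy;
!    with no OUTSIDE -> INSIDE zone-pair, unsolicited inbound traffic is
!    dropped by default, while return traffic for inspected sessions is
!    allowed by the state table. This is the key difference from a stateless
!    ACL such as "permit tcp any any established".
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
```

Traffic between interfaces in the same zone is permitted by default, and an interface with no zone membership cannot exchange traffic with any zoned interface, which is worth checking before moving a management interface into a zone.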

Module 4: Site-to-Site VPNs

Virtual Private Networks (VPNs) are incredibly popular these days. Many teleworkers (including me) are able to set up a secure connection across an untrusted network (i.e. the Internet) into their corporate headquarters. While various Cisco devices can act as endpoints for a VPN tunnel, this module addresses how Cisco IOS® routers can be used to form a site-to-site VPN (i.e. a virtual connection between two corporate locations).

To fully appreciate VPNs, however, you need a foundational understanding of cryptography. Cryptography can be thought of as the science of transmitting data securely, in such a way that the intended recipient can interpret it, but if the data were intercepted en route to that recipient, it could not be read or successfully manipulated by an eavesdropper. As a result, much of Module 4 is a primer on cryptography.

Finally, Module 4 walks you through setting up a site-to-site VPN. This configuration is illustrated using the Command Line Interface (CLI) in addition to SDM.

Module 5: Network Security Using Cisco IOS® IPS

Intrusion Prevention System (IPS) technology allows traffic to be inspected in-line on the way to its destination. As the traffic is inspected, if an IPS device (such as a Cisco 4200 Series IPS appliance or a Cisco IOS® router) determines that the traffic is malicious, a variety of response actions can be configured. For example, the offending packet could be dropped, an alert could be generated, or all traffic coming from the packet's source could be blocked, among other possible response actions.

This module addresses how to configure a Cisco IOS® router to act as an IPS device. Specifically, after reviewing the fundamentals of IPS technology, Module 5 illustrates how SDM can be used to configure a router-based IPS solution.

Module 6: LAN, SAN, Voice, and Endpoint Security Overview

The IINS course wraps up with a collection of odds and ends in Module 6. This module addresses protecting network endpoints (such as mission critical servers, perhaps through the use of host-based IPS (HIPS)), protecting against Layer 2 attacks (many of which can be mitigated using Cisco Catalyst switch configuration options), securing Storage Area Networks (SANs), and securing voice packets in a Voice over IP (VoIP) network.

For hands-on practice, you'll want routers running IOS® software capable of supporting the following:

  • SDM
  • IDS
  • IPsec

I'd say that you could perform all necessary practice labs with no more than three routers. While many platform/IOS® combinations exist, as one example, when I co-authored the CCNA Security book, the version of IOS® I used was 12.4(12) with the Advanced Enterprise Services feature set for a Cisco 2691 router. However, to select an appropriate IOS® for your router platform (or to see if your platform will support the required features), I recommend that you use Cisco's Feature Navigator, available at http://www.cisco.com/go/fn. You can tell the Feature Navigator that you want to search by feature, and specify the features you're looking for. You are then presented with a screen, like the one seen here, that allows you to select your platform. After you select your platform, you are presented with a list of IOS® images that support SDM on your platform.

For example, let's say you were able to lay your hands on three Cisco 2691 routers, and you want to select an appropriate IOS® version. In the graphic, I've gone into Cisco Feature Navigator and specified the following features for a 2691 platform:

  • Intrusion Prevention System (IPS) Enhancements
  • IPSec Network Security
  • Security Device Manager (SDM)

Assuming you have the required DRAM and Flash, you could select IOS® 12.4(15)T5 (for example) using one of the following feature sets:

  • ADVANCED ENTERPRISE SERVICES
  • ADVANCED ENTERPRISE SERVICES WITH SNA SWITCHING
  • ADVANCED IP SERVICES, ADVANCED SECURITY
  • FEAT SET FACTORY UPG FOR BUNDLES

Examples of other router platforms that support the required features include:

  • 2610XM
  • 2611XM
  • 2800 Series
  • 3660
  • 3700 Series

For practicing Catalyst switch security, don't worry about having a particular model of switch. As long as you have a fairly recent model of Cisco Catalyst switch (e.g. 3550 or 3560) running a current image, you should be fine.

Well, that wraps up my two blogs addressing the newly introduced CCNA Security certification. My thanks to Wendell Odom for allowing me to fill in during his absence, and I wish you the best in both your certification pursuits and your real-world deployments.

Looks like good information. Another good place to go for information would be the Cisco website. I recently got my CCNA from there and I'd recommend it for anyone who's looking for information on CCA certs or anything else in IT.

https://cisco.hosted.jivesoftware.com/index.jspa?ciscoHome=true?utm_source=blog+commenting&utm_medium=media&utm_content=Google&utm_campaign=Domestic

Hey there!

I'm looking to buy some 2610 or 2611XM routers!

Anyone know the difference between those 2 routers, please? :) Many thanks for the help

CCNA SEC


Hello,

I am currently studying ISCW & BSCI at my local college.
Am I effectively duplicating the syllabus of the CCNA Security exam here?

Wondering if I should skip this exam, or view it as an easy feather in cap.

Anthony

Pretty Much


Yes you are duplicating much of the ISCW.

If you can afford the tests, do the ISCW and then come back and do the CCNA Security and roll a few HR drones who don't know any better.

About Wendell Odom

Odom, CCIE No. 1624, splits his time between writing books for Cisco Press and teaching classes for Skyline ATS. In his 25-ish years in the networking industry, he has worked as a pre-sale and post-sale SE for a few networking vendors, as well as a network engineer implementing network technology. Wendell has spent the majority of the last 15 years teaching, consulting, and writing about networking technologies, most of which in some way relate to Cisco products. His books include titles on QoS and CCIE R/S, as well as several titles related to CCNA certification, including the September 2007 book CCNA Official Exam Certification Library (CCNA Exam 640-802).
