Cisco’s objective for the CCNA Security exam is to verify the candidate’s understanding, implementation, and verification of security best practices on Cisco hardware and software. The focus points for the exam (which this book prepares you for) are as follows:

■ Cisco routers and switches
  ■ Common threats, including blended threats, and how to mitigate them
  ■ The lifecycle approach for a security policy
  ■ Understanding and implementing network foundation protection for the control, data, and management planes
  ■ Understanding, implementing, and verifying AAA (authentication, authorization, and accounting), including the details of TACACS+ and RADIUS
  ■ Understanding and implementing basic rules inside of Cisco Access Control Server (ACS) Version 5.x, including configuration of both ACS and a router for communications with each other
  ■ Standard, extended, and named access control lists used for packet filtering and for the classification of traffic
  ■ Understanding and implementing protection against Layer 2 attacks, including CAM table overflow attacks and VLAN hopping
■ Cisco firewall technologies
  ■ Understanding and describing the various methods for filtering implemented by firewalls, including stateful filtering, and comparing and contrasting the strengths and weaknesses of the various firewall technologies
  ■ Understanding the methods that a firewall may use to implement Network Address Translation (NAT) and Port Address Translation (PAT)
  ■ Understanding, implementing, and interpreting a zone-based firewall policy through Cisco Configuration Professional (CCP)
  ■ Understanding and describing the characteristics and defaults for interfaces, security levels, and traffic flows on the Adaptive Security Appliance (ASA)
  ■ Implementing and interpreting a firewall policy on an ASA through the GUI tool named the ASA Security Device Manager (ASDM)
■ Intrusion prevention systems
  ■ Comparing and contrasting intrusion prevention systems (IPS) versus intrusion detection systems (IDS), including the pros and cons of each and the methods used by these systems for identifying malicious traffic
  ■ Describing the concepts involved with IPS, including true/false positives/negatives
  ■ Configuring and verifying IOS-based IPS using CCP
■ VPN technologies
  ■ Understanding and describing the building blocks used for virtual private networks (VPNs) today, including the concepts of symmetrical and asymmetrical encryption, hashing, Internet Key Exchange (IKE), public key infrastructure (PKI), authentication, Diffie-Hellman, certificate authorities, and so on
  ■ Implementing and verifying IPsec VPNs on IOS using CCP and the command-line interface (CLI)
  ■ Implementing and verifying Secure Sockets Layer (SSL) VPNs on the ASA firewall using ASDM