CCNA®

Security
Study Guide
Exam 210-260

Troy McMillan

For my best friend, Wade Long, for just being a good friend.

Acknowledgments

Special thanks go to David Clark for keeping me on schedule and ensuring all the details are correct. Also, I’d like to thank Jon Buhagiar for the excellent technical edit that saved me from myself at times. Finally, as always, I’d like to acknowledge Kenyon Brown for his continued support of all my writing efforts.

About the Author

Troy McMillan writes practice tests, study guides, and online course materials for Kaplan IT Training, while also running his own consulting and training business. He holds more than 30 industry certifications and also appears in training videos for OnCourse Learning and Pearson Press. Troy can be reached at mcmillantroy@hotmail.com.

Introduction

The CCNA Security certification program is one of the elective paths you can take when achieving the CCNA. It requires passing the CCENT exam (100-105) and then passing the CCNA Security exam (210-260).

The Cisco Security exam objectives are periodically updated to keep the certification applicable to the most recent hardware and software. This is necessary because a technician must be able to work on the latest equipment. The most recent revisions to the objectives—and to the whole program—were introduced in 2016 and are reflected in this book.

This book and the Sybex CCNA Security+ Complete Study Guide (both the Standard and Deluxe editions) are tools to help you prepare for this certification—and for the new areas of focus of a modern server technician’s job.

What Is the CCNA Security Certification?

Cisco Certified Network Associate Security (CCNA Security) validates associate-level knowledge and skills required to secure Cisco networks. With a CCNA Security certification, a network professional demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security curriculum emphasizes core security technologies; the installation, troubleshooting, and monitoring of network devices to maintain integrity, confidentiality, and availability of data and devices; and competency in the technologies that Cisco uses in its security structure.

The CCNA Security certification isn’t awarded until you’ve passed the two tests. For the latest pricing on the exams and updates to the registration procedures, call Pearson VUE at (877) 551-7587. You can also go to Pearson VUE’s website at www.vue.com for additional information or to register online. If you have further questions about the scope of the exams, see https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security.html.

What Does This Book Cover?

Here is a glance at what’s in each chapter.

Interactive Online Learning Environment and Test Bank

We’ve put together some really great online tools to help you pass the CCNA Security exam. The interactive online learning environment that accompanies the CCNA Security exam certification guide provides a test bank and study tools to help you prepare for the exam. By using these tools you can dramatically increase your chances of passing the exam on your first try.

The online test bank includes the following:

Sample Tests Many sample tests are provided throughout this book and online, including the Assessment Test, which you’ll find at the end of this introduction, and the Chapter Tests that include the review questions at the end of each chapter. In addition, there are two bonus practice exams. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards The online test bank includes 100 flashcards specifically written to hit you hard, so don’t get discouraged if you don’t ace your way through them at first! They’re there to ensure that you’re really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you’ll be more than prepared when exam day comes! Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Resources A glossary of key terms from this book and their definitions is available as a fully searchable PDF.

Who Should Read This Book

If you want to acquire a solid foundation in managing security on Cisco devices or your goal is to prepare for the exams by filling in any gaps in your knowledge, this book is for you. You’ll find clear explanations of the concepts you need to grasp and plenty of help to achieve the high level of professional competency you need in order to succeed in your chosen field.

If you want to become certified as a CCNA Security professional, this book is definitely what you need. However, if you just want to attempt to pass the exam without really understanding the basics of personal computers, this guide isn’t for you. It’s written for people who want to acquire skills and knowledge of servers and storage systems.

How to Use This Book

If you want a solid foundation for the serious effort of preparing for the Cisco CCNA Security exam, then look no further. We’ve spent hundreds of hours putting together this book with the sole intention of helping you to pass the exam as well as really learn about the exciting field of network security!

This book is loaded with valuable information, and you will get the most out of your study time if you understand why the book is organized the way it is.

So, to maximize your benefit from this book, I recommend the following study method:

  1. Take the assessment test that’s provided at the end of this introduction. (The answers are at the end of the test.) It’s okay if you don’t know any of the answers; that’s why you bought this book! Carefully read over the explanations for any questions you get wrong and note the chapters in which the material relevant to them is covered. This information should help you plan your study strategy.
  2. Study each chapter carefully, making sure you fully understand the information and the test objectives listed at the beginning of each one. Pay extra-close attention to any chapter that includes material covered in questions you missed.
  3. Complete all hands-on labs in each chapter, referring to the text of the chapter so that you understand the reason for each step you take.
  4. Answer all of the review questions related to each chapter. (The answers appear in Appendix.) Note the questions that confuse you, and study the topics they cover again until the concepts are crystal clear. And again—do not just skim these questions! Make sure you fully comprehend the reason for each correct answer. Remember that these will not be the exact questions you will find on the exam, but they’re written to help you understand the chapter material and ultimately pass the exam!
  5. Try your hand at the practice questions that are exclusive to this book. The questions can be found at http://www.sybex.com/go/ccnasecuritystudyguide.
  6. Test yourself using all the flashcards, which are also found at the download link. These are brand-new and updated flashcards to help you prepare for the CCNA Security exam and a wonderful study tool!

To learn every bit of the material covered in this book, you’ll have to apply yourself regularly, and with discipline. Try to set aside the same time period every day to study, and select a comfortable and quiet place to do so. I’m confident that if you work hard, you’ll be surprised at how quickly you learn this material!

If you follow these steps and really study in addition to using the review questions, the practice exams, and the electronic flashcards, it would actually be hard to fail the CCNA Security exam. But understand that studying for the Cisco exams is a lot like getting in shape—if you do not go to the gym every day, it’s not going to happen!

According to the Cisco website, the Cisco CCNA Security exam details are as follows:

Exam code: 210-260

Exam description: This exam tests the candidate’s knowledge of secure network infrastructure, understanding core security concepts, managing secure access, VPN encryption, firewalls, intrusion prevention, web and email content security, and endpoint security using Cisco routers and the ASA 9x.

Number of questions: 60–70

Type of questions: multiple choice, drag and drop, testlet, simulation

Length of test: 90 minutes

Passing score: 860 (on a scale of 100–900)

Language: English

How Do You Go About Taking the Exam?

When the time comes to schedule your exam you will need to create an account at http://www.pearsonvue.com/cisco/ and register for your exam. Cisco testing is provided by their global testing partner Pearson VUE. You can locate your closest testing center at https://home.pearsonvue.com/. You can schedule at any of the listed testing centers.

To purchase the exam, you will need to buy an exam voucher from Cisco. The voucher is a code they provide you to use to schedule the exam. Information on purchasing a voucher can be found at: http://www.pearsonvue.com/vouchers/pricelist/cisco.asp.

When you have a voucher and have selected a testing center, you can schedule the Cisco 210-260 exam by following this link: http://www.pearsonvue.com/cisco/. This will take you to the Pearson VUE website and from here you can also locate a testing center or purchase vouchers if you have not already done so.

When you have registered for the CCNA Security certification exam you will receive a confirmation e-mail that supplies you with all of the information you will need to take the exam. Remember to take a printout of this e-mail with you to the testing center.

Certification Exam Policies

For the most current information regarding Cisco exam policies, it is recommended that you follow the https://www.cisco.com/c/en/us/training-events/training-certifications/exams/policies.html link to become familiar with Cisco policies. It contains a large amount of useful information regarding:

Tips for Taking Your Exam

The Cisco CCNA Security exam contains 60–90 multiple choice, drag and drop, testlet, and simulation item questions, and must be completed in 90 minutes or less. This information may change over time and it is advised to check www.cisco.com for the latest updates.

Many questions on the exam offer answer choices that at first glance look identical—especially the syntax questions! So remember to read through the choices carefully because close just doesn’t cut it. If you get information in the wrong order or forget one measly character, you may get the question wrong. So, to practice, do the practice exams and hands-on exercises in this book’s chapters over and over again until they feel natural to you; also, and this is very important, do the online sample test until you can consistently answer all the questions correctly. Relax, read the question over and over until you are 100% clear on what it is asking, and then you can usually eliminate a few of the obviously wrong answers.

Here are some general tips for exam success:

  • Arrive early at the exam center so you can relax and review your study materials.
  • Read the questions carefully. Don’t jump to conclusions. Make sure you’re clear about exactly what each question asks. “Read twice, answer once!”
  • Ask for a piece of paper and a pencil, if offered, so you can take quick notes and make sketches during the exam.
  • When answering multiple-choice questions that you’re not sure about, use the process of elimination to get rid of the obviously incorrect answers first. Doing this greatly improves your odds if you need to make an educated guess.

After you complete an exam, you’ll get immediate notification of your pass or fail status, a printed examination score report that indicates your pass or fail status, and your exam results by section. (The test administrator will give you the printed score report.) Test scores are automatically forwarded to Cisco after you take the test, so you don’t need to send your score to them. If you pass the exam, you’ll receive confirmation from Cisco and a package in the post with a nice document suitable for framing showing that you are now a Cisco certified engineer.

Exam Objectives

Cisco goes to great lengths to ensure that its certification programs accurately reflect the IT industry’s best practices. The company does this by establishing Cornerstone Committees for each of its exam programs. Each committee comprises a small group of IT professionals, training providers, and publishers who are responsible for establishing the exam’s baseline competency level and who determine the appropriate target audience level.

Once these factors are determined, Cisco shares this information with a group of hand-selected subject-matter experts (SMEs). These folks are the true brainpower behind the certification program. They review the committee’s findings, refine them, and shape them into the objectives you see before you. Cisco calls this process a job task analysis (JTA).

Finally, Cisco conducts a survey to ensure that the objectives and weightings truly reflect the job requirements. Only then can the SMEs go to work writing the hundreds of questions needed for the exam. And, in many cases, they have to go back to the drawing board for further refinements before the exam is ready to go live in its final state. So, rest assured, the content you’re about to learn will serve you long after you take the exam.

Cisco also publishes relative weightings for each of the exam’s objectives. The following table lists the objective domains and the extent to which they’re represented on each exam.

210-260 Exam Domains                          % of Exam
1.0 Security Concepts                         12%
2.0 Secure Access                             14%
3.0 VPN                                       17%
4.0 Secure Routing and Switching              18%
5.0 Cisco Firewall Technologies               18%
6.0 IPS                                        9%
7.0 Content and Endpoint Security             12%
Total                                        100%

210-260 Sub Domains                                                                     Chapters
1.2 Common security threats                                                             2
1.3 Cryptography concepts                                                               2
1.4 Describe network topologies                                                         3
2.1 Secure management                                                                   8
2.2 AAA concepts                                                                        9
2.3 802.1x authentication                                                               9
2.4 BYOD                                                                                10
3.1 VPN concepts                                                                        11
3.2 Remote access VPN                                                                   12
3.3 Site-to-site VPN                                                                    12
4.1 Security on Cisco routers                                                           4
4.2 Securing routing protocols                                                          4
4.3 Securing the control plane                                                          4
4.4 Common Layer 2 attacks                                                              5
4.5 Mitigation procedures                                                               6
4.6 VLAN security                                                                       7
5.1 Describe operational strengths and weaknesses of the different firewall technologies 13
5.2 Compare stateful vs. stateless firewalls                                            13
5.3 Implement NAT on Cisco ASA 9.x                                                      14
5.4 Implement zone-based firewall                                                       14
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x               15
6.1 Describe IPS deployment considerations                                              16
6.2 Describe IPS technologies                                                           16
7.1 Describe mitigation technology for email-based threats                              17
7.2 Describe mitigation technology for web-based threats                                17
7.3 Describe mitigation technology for endpoint threats                                 17

Assessment Test

  1. When you are concerned with preventing data from unauthorized edits you are concerned with which of the following?

    1. integrity
    2. confidentiality
    3. availability
    4. authorization
  2. When a systems administrator is issued both an administrative-level account and a normal user account and uses the administrative account only when performing an administrative task, it is an example of which concept?

    1. least privilege
    2. split knowledge
    3. dual control
    4. separation of duties
  3. What is the purpose of mandatory vacations?

    1. cross training
    2. fraud prevention
    3. improves morale
    4. employee retention
  4. Which of the following occurs when an organizational asset is exposed to losses?

    1. risk
    2. threat
    3. exposure
    4. vulnerability
  5. Which of the following is a standard used by the security automation community to enumerate software flaws and configuration issues?

    1. CSE
    2. SCAP
    3. CVE
    4. CWE
  6. Which hacker type hacks for a political cause?

    1. black hats
    2. white hats
    3. script kiddies
    4. hacktivists
  7. Which of the following is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator?

    1. PGP
    2. S/MIME
    3. SMTP
    4. SPF
  8. What does the following command do?

    nmap -sP 192.168.0.0-100

    1. port scan
    2. ping scan
    3. vulnerability scan
    4. penetration test
  9. You just executed a half open scan and got no response. What does that tell you?

    1. the port is open
    2. the port is closed
    3. the port is blocked
    4. it cannot be determined
  10. Which of the following is a mitigation for a buffer overflow?

    1. antivirus software
    2. IOS updates
    3. input validation
    4. encryption
  11. Which of the following is a Layer 2 attack?

    1. buffer overflow
    2. DoS
    3. ARP poisoning
    4. IP spoofing
  12. Which of the following is not intellectual property?

    1. designs
    2. advertisements
    3. recipes
    4. contact lists
  13. What is the best countermeasure to social engineering?

    1. training
    2. access lists
    3. HIDS
    4. encryption
  14. Which of the following is a mitigation for ARP poisoning?

    1. VLANs
    2. DAI
    3. DNSSec
    4. STP
  15. In which cryptographic attack does the attacker use recurring patterns to reverse engineer the message?

    1. side channel
    2. frequency
    3. plaintext only
    4. ciphertext only
  16. You have five users in your department. These five users only need to encrypt information with one another. If you implement a symmetric encryption algorithm, how many keys will be needed to support the department?

    1. 5
    2. 8
    3. 10
    4. 12
  17. Which statement is true with regard to asymmetric encryption?

    1. less expensive than symmetric
    2. slower than symmetric
    3. harder to crack than symmetric
    4. key compromise can occur more easily than with symmetric
  18. Which of the following is a stream-based cipher?

    1. RC4
    2. DES
    3. 3DES
    4. AES
  19. What is the purpose of an IV?

    1. doubles the encryption
    2. adds randomness
    3. performs 16 rounds of transposition
    4. hashes the message
  20. Which step is not required to configure SSH on a router?

    1. Set the router name
    2. Set the router ID
    3. Set the router domain name
    4. Generate the RSA key
  21. Which of the following allows you to assign a technician sets of activities that coincide with the level they have been assigned?

    1. access levels
    2. job parameters
    3. privilege levels
    4. rules
  22. Which of the following is a way to prevent unwanted changes to the configuration?

    1. router lockdown
    2. resilient configuration
    3. secure IOS
    4. config-sec
  23. Which of the following is used to hold multiple keys used in OSPF Routing Update Authentication?

    1. key store
    2. keychain
    3. keydb
    4. keyauth
  24. Which of the following characteristics of a rogue switch could cause it to become the root bridge?

    1. higher MAC address
    2. higher IP address
    3. a superior BPDU
    4. lower router ID
  25. Which of the following is used by a malicious individual to pollute the ARP cache of other machines?

    1. ping of death
    2. buffer overflow
    3. bound violation
    4. gratuitous ARP
  26. What happens when the CAM table of a switch is full of fake MAC addresses and can hold no other MAC addresses?

    1. it gets dumped
    2. the switch shuts down
    3. the switch starts forwarding all traffic out of all ports
    4. all ports are shut down
  27. Which switch feature uses the concept of trusted and untrusted ports?

    1. DAI
    2. DHCP snooping
    3. STP
    4. Root Guard
  28. Which command enables port security on the switch?

    1. SW70(config-if)# switchport mode access
    2. SW70(config-if)# switchport port-security maximum 2
    3. SW70(config-if)# switchport port-security
    4. SW70(config-if)# switchport port-security violation shutdown
  29. Which switch feature prevents the introduction of a rogue switch to the topology?

    1. Root Guard
    2. BPDU Guard
    3. Loop Guard
    4. DTP
  30. What prevents switching loops?

    1. DAI
    2. DHCP snooping
    3. STP
    4. Root Guard

Answers to Assessment Test

  1. A. Integrity, the second part of the CIA triad, ensures that data is protected from unauthorized modification or data corruption. The goal of integrity is to preserve the consistency of data, including data stored in files, databases, systems, and networks.

  2. A. The principle of least privilege requires that a user or process is given only the minimum access privilege needed to perform a particular task.

  3. B. With mandatory vacations, all personnel are required to take time off, allowing other personnel to fill their position while gone. This detective administrative control enhances the opportunity to discover unusual activity.

  4. C. An exposure occurs when an organizational asset is exposed to losses.

  5. B. Security Content Automation Protocol (SCAP) is a standard used by the security automation community to enumerate software flaws and configuration issues. It standardized the nomenclature and formats used.

  6. D. Hacktivists are those who hack not for personal gain, but to further a cause. For example, the Anonymous group hacks from time to time for various political reasons.

  7. D. Sender Policy Framework (SPF) is an email validation system that works by using DNS to determine whether an email sent by someone has been sent by a host sanctioned by that domain’s administrator. If it can’t be validated, it is not delivered to the recipient’s box.

  8. B. 0–100 is the range of IP addresses to be scanned in the 192.168.0.0 network.

  9. C. If you receive no response, the port is blocked on the firewall.

  10. C. With proper input validation, a buffer overflow attack will cause an access violation. Without proper input validation, the allocated space will be exceeded, and the data at the bottom of the memory stack will be overwritten.

  11. C. One of the ways a man-in-the-middle attack is accomplished is by poisoning the ARP cache on a switch. The attacker accomplishes this poisoning by answering ARP requests for another computer’s IP address with his own MAC address. Once the ARP cache has been successfully poisoned, when ARP resolution occurs, both computers will have the attacker’s MAC address listed as the MAC address that maps to the other computer’s IP address. As a result, both are sending to the attacker, placing him “in the middle.”

  12. B. An advertisement would be publicly available.

  13. A. The best countermeasure against social engineering threats is to provide user security awareness training. This training should be required and must occur on a regular basis because social engineering techniques evolve constantly.

  14. B. Dynamic ARP inspection (DAI) is a security feature that intercepts all ARP requests and responses and compares each response’s MAC address and IP address information against the MAC–IP bindings contained in a trusted binding table.

  15. B. One of the issues with substitution ciphers is that if the message is of sufficient length, patterns in the encryption begin to become noticeable, which makes it vulnerable to a frequency attack. A frequency attack is when the attacker uses these recurring patterns to reverse engineer the message.

  16. C. To calculate the number of keys that would be needed in this example, you would use the following formula:

    # of users × (# of users – 1) / 2

    Using our example, you would calculate 5 × 4 / 2, or 10 needed keys.

  17. B. Asymmetric encryption is more expensive than symmetric, it is slower than symmetric, it is easier to crack than symmetric, and key compromise can occur less easily than with symmetric.

  18. A. Only RC4 is a stream cipher.

  19. B. Some modes of symmetric key algorithms use initialization vectors (IVs) to ensure that patterns are not produced during encryption. These IVs provide this service by using random values with the algorithms.

  20. B. A router ID is not a part of the configuration.

  21. C. Privilege levels allow you to assign a technician sets of activities that coincide with the level they have been assigned. There are 16 levels from 0 to 15.

  22. B. The IOS Resilient Configuration feature can provide a way to easily recover from an attack on the configuration, and it can also help to recover from an even worse attack in which the attacker deletes not only the startup configuration but also the boot image.

  23. B. A keychain can be used to hold multiple keys if required.

  24. C. When a malicious individual introduces a rogue switch to the switching network and the rogue switch has a superior BPDU to the one held by the current root bridge, the new switch assumes the position of root bridge.

  25. A. Gratuitous ARP is called gratuitous because the ARP message sent is an answer to a question that the target never asked, and it causes the target to change its ARP cache.

  26. C. The result of this attack is that the attacker is now able to receive traffic that he would not have been able to see otherwise because in this condition the switch is basically operating as a hub and not a switch.

  27. B. DHCP snooping is implemented on the switches in the network, so it is a Layer 2 solution. The switch ports on the switch are labeled either trusted or untrusted. Trusted ports are those that will allow a DHCP message to traverse.

  28. C. Without executing this command the other commands will have no effect.

  29. B. The BPDU Guard feature is designed to prevent the reception of superior BPDUs on access ports by preventing the reception of any BPDU frames on access ports.

  30. C. Spanning Tree Protocol (STP) prevents switching loops in redundant switching networks.
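Answers 11, 14 and 25 describe ARP cache poisoning, the gratuitous ARP that triggers it, and the Dynamic ARP Inspection check that stops it. The following model is an added example, not code from the book or from Cisco: it validates each ARP reply arriving on an untrusted port against a trusted IP-to-MAC binding table and shows the ARP cache a host ends up with when the check is on versus off. The binding table, MAC addresses, port names and replies are constructed sample data.

```python
"""
Model of Dynamic ARP Inspection (DAI): ARP replies seen on untrusted switch
ports are compared against a trusted IP-to-MAC binding table (as DHCP
snooping would build it) and dropped on a mismatch. All values here are
constructed sample data, not captured traffic.
"""
from dataclasses import dataclass

# Constructed trusted bindings, as DHCP snooping would have recorded them.
BINDING_TABLE = {
    "10.0.0.1": "aa:aa:aa:aa:aa:01",   # default gateway
    "10.0.0.10": "aa:aa:aa:aa:aa:10",  # workstation A
    "10.0.0.20": "aa:aa:aa:aa:aa:20",  # workstation B
}


@dataclass(frozen=True)
class ArpReply:
    port: str          # switch port the frame arrived on
    trusted: bool      # DAI trusted port (uplink) or untrusted access port
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # MAC the sender wants cached for that IP
    target_ip: str     # a gratuitous reply sets target_ip == sender_ip


def inspect(reply, bindings=BINDING_TABLE):
    """DAI decision for one ARP reply: ('permit' | 'drop', reason)."""
    if reply.trusted:
        return "permit", "trusted port, not inspected"
    expected = bindings.get(reply.sender_ip)
    if expected is None:
        return "drop", f"no binding for {reply.sender_ip}"
    if expected != reply.sender_mac.lower():
        kind = "gratuitous" if reply.target_ip == reply.sender_ip else "solicited"
        return "drop", (f"{kind} reply: {reply.sender_ip} is bound to "
                        f"{expected}, not {reply.sender_mac}")
    return "permit", "sender IP/MAC matches binding"


def resulting_arp_cache(replies, dai_enabled, bindings=BINDING_TABLE):
    """ARP cache a host on the VLAN ends up with after seeing the replies.

    Without DAI every reply reaches the host and overwrites its cache entry;
    with DAI only replies the switch permits get through.
    """
    cache = {}
    for r in replies:
        if dai_enabled and inspect(r, bindings)[0] == "drop":
            continue
        cache[r.sender_ip] = r.sender_mac.lower()
    return cache


# Constructed traffic: two legitimate replies, then a rogue host on Gi0/3
# sending a gratuitous reply that claims the gateway's IP with its own MAC,
# followed by a reply for an IP that has no binding at all.
SAMPLE_REPLIES = [
    ArpReply("Gi0/1", False, "10.0.0.10", "aa:aa:aa:aa:aa:10", "10.0.0.20"),
    ArpReply("Gi0/24", True, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.10"),
    ArpReply("Gi0/3", False, "10.0.0.1", "bb:bb:bb:bb:bb:03", "10.0.0.1"),
    ArpReply("Gi0/3", False, "10.0.0.99", "bb:bb:bb:bb:bb:03", "10.0.0.10"),
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        verdict, why = inspect(r)
        print(f"{r.port:6} {r.sender_ip:10} -> {r.sender_mac}: {verdict} ({why})")
    print("cache without DAI:", resulting_arp_cache(SAMPLE_REPLIES, False))
    print("cache with DAI:   ", resulting_arp_cache(SAMPLE_REPLIES, True))
```

Without the check the gateway entry in the victim's cache ends up pointing at the rogue MAC, which is the "in the middle" position described in answer 11; with it, the two rogue replies are dropped and the binding stays correct.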