CCNA Security 210-260 Certification Guide

Book description

Become a Cisco security specialist by developing your skills in network security and exploring advanced security technologies.

About This Book
  • Enhance your skills in network security by learning about Cisco's device configuration and installation
  • Unlock the practical aspects of CCNA security to secure your devices
  • Explore tips and tricks to help you achieve the CCNA Security 210-260 Certification

Who This Book Is For

CCNA Security 210-260 Certification Guide can help you become a network security engineer, a cyber security professional, or a security administrator. You should have a valid CCENT or CCNA Routing and Switching certification before taking your CCNA Security exam.

What You Will Learn
  • Grasp the fundamentals of network security
  • Configure routing protocols to secure network devices
  • Mitigate different styles of security attacks using Cisco devices
  • Explore the different types of firewall technologies
  • Discover the Cisco ASA functionality and gain insights into some advanced ASA configurations
  • Implement IPS on a Cisco device and understand the concept of endpoint security

In Detail

With CCNA Security certification, a network professional can demonstrate the skills required to develop security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats. The CCNA Security 210-260 Certification Guide will help you grasp the fundamentals of network security and prepare you for the Cisco CCNA Security Certification exam.

You'll begin by getting a grip on the fundamentals of network security and exploring the different tools available. Then, you'll see how to securely manage your network devices by implementing the AAA framework and configuring different management plane protocols.

Next, you'll learn about security on the data link layer by implementing various security toolkits. You'll be introduced to various firewall technologies and will understand how to configure a zone-based firewall on a Cisco IOS device. You'll configure a site-to-site VPN on a Cisco device and get familiar with different types of VPNs and configurations. Finally, you'll delve into the concepts of IPS and endpoint security to secure your organization's network infrastructure.

By the end of this book, you'll be ready to take the CCNA Security Exam (210-260).

Style and approach

This book is a step-by-step certification guide that ensures you can secure your organization's network and also helps you clear this certification. The practical aspects covered in this book will be a great starting point for those who wish to start their careers in the field of cyber security.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. CCNA Security 210-260 Certification Guide
  3. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  4. Contributors
    1. About the authors
    2. About the reviewer
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Conventions
    4. Get in touch
      1. Reviews
  6. Exploring Security Threats
    1. Important terms in network security
      1. Threats
      2. Vulnerability
        1. Analyzing vulnerability
    2. Introduction to an attack
      1. Passive attacks
      2. Active attacks
      3. Spoofing attacks
      4. Internet protocol – the heart of internet communication
      5. How is an IP datagram spoofed?
      6. IP spoofing
        1. Scanning
        2. Hijacking an online session
        3. Flooding
      7. ARP spoofing attacks
      8. Mitigating ARP spoofing attacks
    3. The DHCP process
    4. Why DHCP snooping?
      1. Trusted and untrusted sources
      2. Ping of Death
      3. TCP SYN flood attacks
      4. Password attacks
      5. Buffer overflow attacks
      6. Malware
      7. Network security tools
        1. Wireshark
        2. Metasploit
        3. Kali Linux
    5. Summary
  7. Delving into Security Toolkits
    1. Firewall functions
      1. Rules of a firewall
      2. Types of firewall
        1. Packet-filtering firewall/stateless firewall
        2. Circuit-level gateway firewall/stateful firewall
        3. Application-layer firewall
        4. Zone-based firewall
    2. Intrusion prevention system 
    3. Intrusion detection system  
    4. Virtual Private Network
      1. Benefits of VPN
      2. Site-to-site VPNs
      3. Remote-access VPN
    5. Content security
      1. Content Security Policy 
      2. Cisco Email Security Appliance
      3. Cisco IronPort Web Security Appliance
        1. Endpoint security
    6. Summary
  8. Understanding Security Policies
    1. Need for a security policy
      1. Five steps for a security policy
        1. Security policy components 
          1. Best example for a security policy – a password policy
          2. How to develop a policy
    2. Risk
      1. Risk analysis
        1. Benefits of risk analysis
          1. Quantitative risk
          2. Qualitative risk
    3. Vulnerability
      1. Weakness in technology
      2. Weakness in configuration
      3. Weakness in a security policy
    4. Threat
      1. Threat consequence
        1. Disclosure
          1. Threat action – exposure
          2. Threat action – interception
          3. Threat action – inference
          4. Threat action – intrusion
        2. Deception
          1. Threat action – masquerade
          2. Threat action - falsification
          3. Threat action – repudiation
        3. Disruption
          1. Threat action – incapacitation
      2. Types of threat
    5. Asset
      1. Why classifying of assets is required
        1. Identifying the asset
        2. Asset accountability
        3. Creating a plan for asset classification
        4. Implementing the plan
      2. Countermeasures
      3. Zones
      4. Planes
        1. Data plane
        2. Control plane
        3. Management plane
      5. Regulatory compliance
        1. Payment Card Industry Data Security Standard (PCI DSS)
        2. Health Insurance Portability and Accountability Act (HIPAA)
        3. Sarbanes-Oxley Act (SOX)
        4. Federal Information Security Management Act (FISMA)
        5. GLBA
        6. PIPED Act
        7. Data Protection Directive
        8. Digital Millennium Copyright Act (DMCA)
        9. Safe Harbor Act
    6. Summary
  9. Deep Diving into Cryptography
    1. What is cryptography?
    2. Objectives of cryptography
      1. Confidentiality 
      2. Data integrity
      3. Authentication
      4. Non-repudiation
    3. Terminologies
    4. Types of encryption
      1. Symmetric encryption
      2. Asymmetric encryption
    5. Types of cipher
      1. Substitution cipher
      2. Transposition cipher
      3. Block ciphers
      4. Stream ciphers
      5. Key
    6. Encryption algorithms
      1. Data Encryption Standard
      2. Triple Data Encryption Standard (3DES)
      3. Advanced Encryption Standard (AES)
      4. Rivest Cipher 4
      5. RSA (Rivest, Shamir, Adleman)
    7. Hashing algorithms
      1. Message Digest 5 (MD5)
      2. Secure Hashing Algorithm (SHA)
      3. Hashed Message Authentication Code (HMAC)
    8. Cryptographic systems
      1. Digital signature
      2. Secure Sockets Layer (SSL)
      3. Transport Layer Security
      4. Pretty Good Privacy
    9. Public Key Infrastructure
      1. Public Key Infrastructure components
        1. Certificate Authority
        2. Certificate management system
        3. Digital certificate
          1. X.509
        4. Registration Authority (RA)
        5. Putting the components of PKI together
    10. Summary
  10. Implementing the AAA Framework
    1. Components of AAA
    2. Implementing Cisco AAA - authentication
      1. Implementing authentication using local services
        1. Implementing authentication using external services
        2. TACACS+
          1. Configuring TACACS+
          2. Using AAA with TACACS+
          3. RADIUS
          4. Configuring RADIUS
          5. Using AAA with RADIUS
        3. Example of AAA using local authentication
        4. Choosing a protocol between the ACS server and the router 
        5. Example of AAA authentication using the TACACS+ server
      2. Command list
    3. Issues with authentication 
      1. Encryption
        1. Symmetric encryption
        2. Asymmetric encryption
    4. Implementing Cisco AAA - authorization
      1. Prerequisites for authorization
      2. Configuring method lists for authorization
      3. Different methods of authorization 
        1. Configuring the privilege level for AAA authorization
        2. Example of AAA authorization with privilege levels
    5. Implementing Cisco AAA - accounting
      1. Configuring AAA - authorization and accounting
        1. Step 1
        2. Step 2
        3. Step 3
        4. Step 4
    6. Summary
  11. Securing the Control and Management Planes
    1. Introducing the security policy
      1. Phases of secure network life cycle
        1. Initiation phase
          1. Security categorization
          2. Initial risk assessment
        2. Acquisition and development phase
          1. Risk assessment
          2. Requirements analysis of security functions
          3. Cost considerations and reporting
          4. Security control development
          5. Developmental security test and evaluation
        3. Implementation phase
        4. Operations and maintenance phase
          1. Configuration management and control
          2. Continuous monitoring
        5. Disposal phase
    2. Technologies to implement secure management network
      1. Syslog protocol
        1. Facility
        2. Severity 
        3. Hostname
        4. Timestamp
        5. Message
        6. Configuring Cisco router for syslog server
      2. Network Time Protocol
        1. Secure Shell (SSH)
      3. Simple Network Management Protocol version 3
        1. SNMP basic terminologies
          1. SNMP view
          2. SNMP group
          3. SNMP user
        2. SNMPv3 lab execution
    3. Planning considerations for secure management
      1. Guidelines for secure management and reporting
    4. Log messaging implementation for security
    5. Control Plane Policing
      1. Implementing class-map
    6. Summary
  12. Protecting Layer 2 Protocols
    1. Layer 2 attack mitigation
    2. Features of the Virtual Local Area Network
      1. VLAN tagging
      2. Features of trunking
        1. Trunking modes
      3. VLAN Trunking Protocol
      4. Spanning Tree Protocol fundamentals
        1. Port states
        2. Steps in implementing STP
          1. Root bridge election
          2. Root port election
          3. Designated port election
          4. Alternative port election
        3. Cisco Discovery Protocol
        4. Layer 2 protection toolkit
        5. Protecting with a BPDU guard
        6. Protecting with root guard
        7. Combating DHCP server spoofing
        8. Mitigating CAM-table overflow attacks
        9. MAC spoofing attack
        10. Port security configuration
          1. Protect
          2. Restrict
          3. Shutdown
        11. LAB: securing Layer 2 switches
        12. Lab-port security
    3. Summary
  13. Protecting the Switch Infrastructure
    1. Private VLANs VACL trunking vulnerabilities port security
    2. What is a private VLAN?
      1. Private VLAN lab
    3. Access Control List
      1. VLAN ACLs (VACLs)
        1. Steps for configuring VACL:
      2. Trunking-related attacks
    4. VLAN hopping
      1. Double-tagging
    5. Summary
  14. Exploring Firewall Technologies
    1. Services offered by the firewall
      1. Static-packet filtering
      2. Circuit-level firewalls
      3. Proxy server
      4. Application server
      5. Network Address Translation
      6. Stateful inspection
    2. Firewalls in a layered defense strategy
      1. Transparent firewall
      2. Application-layer firewalls
        1. Authenticates individuals and not devices
        2. It's more difficult to spoof and implement DoS attacks
        3. Can monitor and filter application data
        4. Logging information in more detail
        5. Working with the application-layer firewall
        6. Application-level proxy server
        7. Typical proxy server deployment
          1. Areas of opportunity
      3. Packet filtering and the OSI model
    3. Summary
  15. Cisco ASA
    1. Cisco ASA portfolio
    2. ASA features
      1. Stateful filtering
      2. Packet filtering
      3. Network Address Translation
      4. Routing
      5. Dynamic Host Configuration Protocol
      6. Virtual Private Network
      7. Botnet filtering
      8. Advanced Malware Protection
      9. Authentication, authorization, and accounting
      10. Class map and policy map
    3. Basic ASA configuration
      1. Viewing the filesystem
      2. Setting a hostname
      3. Setting the clock
      4. Assigning a domain name to the ASA
      5. Securing access to the privilege exec mode
      6. Saving the configurations
      7. Setting a banner
      8. Assigning IP addresses on the interfaces
      9. Setting a default static route
      10. Creating a local user account
      11. Remote access
        1. Setting up SSH
        2. Setting up Telnet
      12. Configuring Port Address Translation
      13. Setting up the Adaptive Security Device Manager
      14. Getting familiar with the ASDM
    4. Summary
  16. Advanced ASA Configuration
    1. Routing on the ASA
      1. Static routing
        1. Configuring static routing using the CLI
        2. Adding a default route using the ASDM
      2. Adding a default route using the CLI
      3. Open Shortest Path First
        1. Configuring OSPF using the CLI
      4. Routing Information Protocol
        1. Configuring RIP using the CLI
      5. Enhanced Interior Gateway Routing Protocol
        1. Configuring EIGRP using the CLI
    2. Device name, passwords, and domain name
    3. Setting banners using the ASDM
    4. Configuring interfaces
    5. System time and Network Time Protocol
      1. Configuring NTP using the CLI
    6. Dynamic Host Configuration Protocol
      1. Configuring DHCP using the CLI
    7. Access control list on the ASA
      1. Types of ACLs
        1. Standard ACL
          1. Applying an ACL on an interface
        2. Extended ACL
        3. Using the ASDM to create ACLs
        4. Global ACL
    8. Object groups
      1. Configuring Object groups using the ASDM
      2. Configuring object groups using the CLI
      3. Service Groups
    9. Creating policies on the ASA
      1. Modular Policy Framework
      2. Creating a policy
        1. Example 1 – Inspecting FTP traffic from Outside to DMZ (using the CLI)
        2. Example 2 – Inspecting FTP traffic from Outside to DMZ (using the ASDM)
        3. Example 3 – Preventing a SYN Flood attack
    10. Advanced NAT configurations
      1. Static NAT
      2. Dynamic NAT
    11. Summary
  17. Configuring Zone-Based Firewalls
    1. Zone-Based Firewall terminologies
    2. Overview of Cisco Common Classification Policy Language
      1. Class maps
      2. Policy maps
      3. Service policy
    3. Configuring a Zone-Based Firewall
      1. Configuring a Cisco IOS router to use Cisco Configuration Professional (CCP)
      2. Using Cisco Configuration Professional (CCP) to configure the Zone-Based Firewall
        1. Verification commands
      3. Using the command-line interface to configure the Zone-Based Firewall
        1. Step 1 – Creating the zones
        2. Step 2 – Identifying traffic by using Class Maps
        3. Step 3 – Defining an action using policy maps
        4. Step 4 – Identifying a zone-pair and creating match to a policy
        5. Step 5 – Assigning the zones to the interfaces
        6. Step 6 – Creating an ACL for access into the DMZ from any source
    4. Summary
  18. IPSec – The Protocol that Drives VPN
    1. Terminologies
      1. Virtual Private Network
        1. Why would you need a VPN?
      2. Confidentiality
        1. What is encryption?
          1. Types of encryption algorithms
          2. Encryption Algorithms
      3. Integrity
        1. How does a device verify the integrity of a message?
      4. Anti-replay
      5. Authentication
      6. Diffie-Hellman (DH)
      7. Tunnel
    2. What is IPSec?
      1. Authentication Header
      2. Encapsulation Security Payload
      3. Modes of IPSec
        1. Authentication header – Transport and tunnel modes
        2. Encapsulating Security Payloads (ESP) – Transport mode and tunnel mode
    3. ISAKMP
    4. Internet Key Exchange
      1. IKE phase 1
      2. IKE phase 2
    5. Summary
  19. Configuring a Site-to-Site VPN
    1. General uses of a site-to-site VPN
    2. Configuring a site-to-site VPN using a Cisco IOS router
      1. Verifying a site-to-site VPN on a Cisco IOS router
    3. Configuring a site-to-site VPN using a Cisco ASA
      1. Verifying a site-to-site VPN on a Cisco ASA
    4. Summary
  20. Configuring a Remote-Access VPN
    1. Using a remote-access VPN
      1. Clientless SSL VPN
      2. AnyConnect SSL VPN
    2. Configuring a clientless remote-access VPN
      1. Verifying the clientless SSL VPN
    3. Configuring a client-based remote-access VPN
      1. Verifying the client-based VPN
    4. Summary
  21. Working with IPS
    1. Terminologies
    2. IDS and IPS
      1. Intrusion Detection Systems
      2. Intrusion Prevention Systems
      3. Types of IDS and IPS
      4. Detecting malicious traffic
    3. Configuring an IPS on a Cisco IOS router
      1. Configuring a Target Value Rating
      2. Configuring an Event Action Override
      3. Configuring an Event Action Filter
      4. Configuring the IPS signatures
    4. Summary
  22. Application and Endpoint Security
    1. Cisco Email Security Appliance (ESA) overview
      1. Incoming mail processing
      2. Outgoing mail processing
      3. Cisco ESA deployment models
      4. Cisco ESA configuration steps
    2. Cisco Web Security Appliance overview
      1. Cisco WSA deployment model
    3. Cisco Cloud Web Security overview
      1. Cisco Cloud Web Security deployment model
    4. BYOD concepts
      1. Mobile Device Management
    5. Introduction to Cisco TrustSec
    6. Summary
  23. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: CCNA Security 210-260 Certification Guide
  • Author(s): Glen D. Singh, Michael Vinod, Vijay Anandh
  • Release date: June 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781787128873