CCNA certification prep: Security fundamentals
In modern networks, security is not an afterthought. You need to know how to build secure networks from the outset. Security has to be woven into the very fabric of the network.
The 200-301 CCNA exam covers security fundamentals among a broad range of networking topics. This article describes what you need to know for the security fundamentals component of CCNA.
What percentage of the exam focuses on security fundamentals?
Security fundamentals take up 15 percent of CCNA exam topics. The key word here is fundamentals. You are required to know the fundamentals of many security technologies and protocols. For a few topics, configuration and verification details are also included.
What topics are covered in this section of the exam?
The CCNA exam includes the following major topics under security fundamentals:
- Key security concepts and program elements
- Access control: passwords, remote access and VPNs, access control lists
- Layer 2 security features
- Wireless security protocols (WPA, WPA2 and WPA3)
The next section provides details of what’s covered by each of these topics.
High-level overview of security fundamentals topics
The CCNA covers fundamentals for a range of network security technologies and protocols as detailed in the next sections.
Key security concepts and program elements (including authentication, authorization and accounting)
As a network professional, your primary focus often is on making sure traffic can flow from point A to point B and users can use the applications they want to use. However, you must also ensure that applications can be used in a secure manner.
You must understand what's meant by security terms like vulnerability, exploit and threat: a vulnerability is a weakness in a system, an exploit is a tool or technique that takes advantage of that weakness, and a threat is the potential for someone to use such an exploit against you. Mitigation techniques are whatever reduces the likelihood or impact of an attack, and you should know the ones available at the network layer for preventing malicious activity.
You can let users access systems and applications in a secure and controlled manner with AAA (authentication, authorization and accounting), also called triple-A. While it is possible to use local device accounts to implement AAA, a more scalable solution is a central AAA server reached over RADIUS or TACACS+. Know the basic contrast between the two: RADIUS (UDP) combines authentication and authorization into one exchange and encrypts only the password field, while TACACS+ (TCP) separates all three functions and encrypts the entire payload, which is why TACACS+ is preferred for per-command authorization of device administrators.
Authentication verifies who the user is, with the goal of letting only legitimate users, those who can prove their identity, access systems and applications.
Authorization describes what an otherwise authenticated user is or is not allowed to do.
Accounting is about keeping a record of what an authenticated user did. It keeps users accountable for what they do while being connected to systems they can legitimately access.
Access control: Passwords, remote access and VPNs, access control lists (ACLs)
We will briefly discuss three important network security topics in this section.
Passwords
Network administrators access the CLI (command-line interface) of routers and switches via the local console or via remote Telnet and SSH (Secure Shell) connections. Telnet sends the whole session, credentials included, in cleartext, so in practice remote management access should be limited to SSH. You should be able to configure secure management access to the router or switch CLI using passwords, including the difference between an enable password and an enable secret (the latter is stored as a hash rather than in reversible form).
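The following Cisco IOS configuration is an added example for the passwords topic above and for the AAA concepts described earlier; it is not from the article or from the Cisco Press guides. The hostname, addresses, usernames and secrets are placeholders, and the RADIUS server is assumed to exist at 10.1.1.10. The first part hardens local console and SSH access with local accounts; the optional second part moves authentication, authorization and accounting to a RADIUS server with the local database as a fallback.

```cisco
! Hypothetical switch "SW1"; all names, addresses and secrets are placeholders
hostname SW1
ip domain-name example.com
!
! Local accounts: "secret" stores a salted hash; "password" would store a
! reversible type 7 string. Privilege 15 gives the admin full access.
username netadmin privilege 15 secret Str0ng-Adm1n-Pass
enable secret Str0ng-Enable-Pass
!
! Encrypt any remaining plaintext line passwords (type 7: weak, but better
! than cleartext in "show running-config")
service password-encryption
!
! Console: require a local user login rather than a shared line password
line console 0
 login local
 exec-timeout 10 0
 logging synchronous
!
! SSH needs the hostname and domain name set before the RSA key is generated
crypto key generate rsa modulus 2048
ip ssh version 2
!
! VTY lines: SSH only (Telnet refused), local login, idle timeout
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0
!
! Optional: centralized AAA over RADIUS (server name and IP are assumed).
! Once "aaa new-model" is enabled, the per-line "login local" commands are
! superseded by the default method lists below; "local" at the end of each
! list keeps you from being locked out if the server is unreachable.
aaa new-model
radius server ISE-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key Sh4redSecret
aaa group server radius RADIUS-ADMINS
 server name ISE-1
aaa authentication login default group RADIUS-ADMINS local
aaa authorization exec default group RADIUS-ADMINS local
aaa accounting exec default start-stop group RADIUS-ADMINS
!
! Verification
! show ip ssh                                   -> SSH version 2 enabled
! show running-config | include username|secret -> hashed, not cleartext
! show users                                    -> active management sessions
```

The exam requires configuring the local-password part; the RADIUS part is included to show what the three A's look like in a real configuration, since each "aaa" line maps to one of them.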
Remote access and VPNs
Any traffic sent unencrypted over the Internet can potentially be seen by others. You can use VPNs (virtual private networks) to build a private WAN over the public internet. The CCNA covers two types of internet VPNs: site-to-site and remote access.
Site-to-site VPNs securely connect all devices at one site with all devices at another site. Remote access VPNs connect a single user to a central company location. You should know the concepts and protocols behind both types of VPNs without needing to know configuration and verification.
Access control lists (ACLs)
Access control lists (ACLs) define a filter that can be applied to an interface, inbound or outbound. The filter tells the router which packets are allowed to pass and which are discarded; every ACL ends with an implicit deny, so anything not explicitly permitted is dropped. There are two types of ACLs: standard ACLs match on the source IP address only, while extended ACLs match on source and destination addresses, protocol and port numbers. Because of this, a standard ACL is normally placed close to the destination and an extended ACL close to the source. The CCNA covers concepts, configuration and verification of both standard and extended ACLs, in numbered and named form.
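As an added example (not from the article), here is a router configuration with one standard and one extended ACL. The topology is assumed: router R1 has a user LAN 10.1.1.0/24 on GigabitEthernet0/0 and a server segment 10.2.2.0/24 on GigabitEthernet0/1, with a web/DNS server at 10.2.2.10. The interface names, addresses and ACL names are placeholders.

```cisco
! Assumed topology (not from the article):
!   GigabitEthernet0/0 = user LAN 10.1.1.0/24
!   GigabitEthernet0/1 = server segment 10.2.2.0/24, web/DNS server 10.2.2.10
!
! Standard ACL: matches on SOURCE address only, so it is placed near the
! destination (outbound on the server-facing interface). Wildcard 0.0.0.127
! means "ignore the last 7 bits", i.e. the upper half of the /24.
ip access-list standard BLOCK-GUEST
 deny   10.1.1.128 0.0.0.127
 permit 10.1.1.0 0.0.0.255
! Every ACL ends with an implicit "deny any"; without the permit above the
! rest of the LAN would be blocked too. Numbered equivalent of the same list:
!   access-list 1 deny   10.1.1.128 0.0.0.127
!   access-list 1 permit 10.1.1.0 0.0.0.255
interface GigabitEthernet0/1
 ip access-group BLOCK-GUEST out
!
! Extended ACL: matches source, destination, protocol and ports, so it can
! sit near the source (inbound on the LAN interface) and drop unwanted
! traffic before it crosses the router.
ip access-list extended LAN-TO-SERVERS
 remark Allow HTTPS, HTTP and DNS to the server; deny everything else to the server segment
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 443
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 80
 permit udp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 53
 deny   ip  10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 log
 permit ip  any any
interface GigabitEthernet0/0
 ip access-group LAN-TO-SERVERS in
!
! Order matters: the first matching line wins. If "permit ip any any" were
! listed first, every later line would be unreachable and nothing would be
! filtered. The "log" keyword on the deny line records each dropped packet.
!
! Verification: match counters show which line is being hit
! show access-lists
! show ip interface GigabitEthernet0/0 | include access list
```

A useful check after applying an ACL is to generate test traffic from a host in the denied range and confirm the counter on the intended deny line increments, rather than the implicit deny at the end catching traffic you meant to permit.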
Layer 2 security features (DHCP snooping, dynamic ARP inspection, port security)
LAN switches provide wired network access to end-user devices like PCs and laptops. An attacker might gain remote or even physical access to a legitimate end-user device to launch an attack. Cisco switches provide a number of useful tools to prevent attacks that originate at the network access layer. We touch on a few of those tools that will be on your CCNA exam.
DHCP snooping
DHCP snooping identifies and discards DHCP messages that fall outside the normal use of DHCP. Switch ports are either trusted (the uplink toward the real DHCP server) or untrusted (every port, by default). DHCP server messages such as OFFER and ACK arriving on an untrusted port are dropped, which defeats rogue DHCP servers, and client messages on untrusted ports are checked for consistency. The switch also builds a binding table of legitimate leases (MAC address, IP address, VLAN and port) that can then be used by other switch features. CCNA covers both concepts and configuration of DHCP snooping.
Dynamic ARP inspection
Dynamic ARP Inspection (DAI) identifies ARP messages that fall outside normal ARP operation or do not match legitimate addresses on the network. On untrusted ports it compares the sender MAC and IP address in each ARP message against the DHCP snooping binding table (or a static ARP ACL for hosts without a DHCP lease) and drops mismatches, which blocks ARP spoofing and the man-in-the-middle attacks built on it. You need to know the concepts and configuration of both required and optional features of DAI.
Port security
If you know which device will connect to a switch interface, you can use port security to allow only that particular device, or only a set number of MAC addresses, on the interface, and to choose what happens on a violation (shutdown, restrict or protect). You need to know concepts, configuration and verification of port security.
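The three Layer 2 features above are normally enabled together on an access switch, so here is one added configuration example covering DHCP snooping, DAI and port security in that order. It is not from the article or the Cisco Press guides. The switch, VLAN number, port numbers and the static host's addresses are assumed: user ports Gi1/0/1 to Gi1/0/24 in VLAN 10, with Gi1/0/48 as the uplink toward the DHCP server.

```cisco
! Assumed access switch (not from the article): users in VLAN 10 on
! Gi1/0/1-24, uplink toward the distribution switch and DHCP server on Gi1/0/48.
!
! --- DHCP snooping ---------------------------------------------------
ip dhcp snooping
ip dhcp snooping vlan 10
! Ports are untrusted by default: they may send client messages
! (DISCOVER/REQUEST), but server messages (OFFER/ACK) from them are dropped.
interface GigabitEthernet1/0/48
 description Uplink toward DHCP server
 ip dhcp snooping trust
! Rate-limit DHCP on access ports to blunt DHCP starvation attacks
interface range GigabitEthernet1/0/1 - 24
 ip dhcp snooping limit rate 10
! The switch inserts option 82 by default; if the upstream DHCP server
! rejects relayed requests that carry it, disable the insertion.
no ip dhcp snooping information option
!
! --- Dynamic ARP inspection ------------------------------------------
! DAI validates ARP against the snooping binding table, so it is enabled
! on the same VLAN and trusts the same uplink.
ip arp inspection vlan 10
interface GigabitEthernet1/0/48
 ip arp inspection trust
! Optional extra checks on the ARP frame itself
ip arp inspection validate src-mac dst-mac ip
! Statically addressed hosts have no DHCP binding; cover them with an ARP ACL
! (hypothetical printer at 10.1.10.250 / 0011.2233.4455)
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- Port security ---------------------------------------------------
! Port security is rejected on dynamic (DTP) ports, hence the explicit mode.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
! "maximum 2" allows a phone plus a PC. "sticky" learns the first MACs and
! writes them into the running-config. "restrict" drops offending frames
! and logs/counts them; the default "shutdown" err-disables the port.
! If you use shutdown mode, let the port recover on its own:
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show port-security interface GigabitEthernet1/0/1
! show mac address-table secure
```

Enable DHCP snooping before DAI: if DAI is turned on first, the binding table is empty and every ARP reply on an untrusted port is dropped until clients renew their leases, which looks like a network outage.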
Wireless security protocols (WPA, WPA2, WPA3)
A wireless network can potentially be accessed by anyone in range. That makes client authentication mandatory. Wireless data moves over the air and can be overheard by anyone. You must ensure data privacy and integrity using encryption.
A large number of methods are available to achieve authentication and data privacy/integrity in wireless networks. You must select some combination of those methods. This can be confusing.
The Wi-Fi Alliance took on the task of making wireless security straightforward through its WPA (Wi-Fi Protected Access) certifications. There are three variants: WPA, WPA2 and WPA3. You can ensure interoperability by checking that a wireless client device is certified for the same WPA version as the AP (access point) and its associated WLC (wireless LAN controller). All three WPA versions support two methods for client authentication: personal mode and enterprise mode. Personal mode authenticates with a pre-shared key (PSK), a passphrase configured on every client; WPA3 personal keeps the passphrase but replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), which resists offline dictionary attacks against a captured handshake. Enterprise mode uses 802.1X with an EAP method against a RADIUS server, so each user has individual credentials.
You should be able to compare and contrast the three WPA versions. You should also be able to configure a wireless LAN with WPA2 PSK using GUI.
The first generation of Wi-Fi Alliance certification, known simply as WPA, came out in 2003. It used TKIP (Temporal Key Integrity Protocol) for encryption, a stopgap designed to run on existing WEP-era hardware.
WPA2 came out in 2004. It included the superior AES (Advanced Encryption Standard) with CCMP (Counter/CBC-MAC Protocol) algorithms for encryption, rather than the deprecated TKIP from WPA.
WPA3 was introduced in 2018 as the replacement for WPA2. WPA3 uses stronger encryption with AES GCMP (Galois/Counter Mode Protocol), adds SAE for personal-mode authentication, and makes PMF (Protected Management Frames) mandatory so that deauthentication and disassociation frames cannot be forged to knock clients off the network.
Where should I focus my time studying?
Security fundamentals include a high-level coverage of network security with focus on specific areas. For some topics, you need to know concepts alone. For others, you need to know configuration and verification as well. Spend more time on topics that involve configuration and verification. Learn to secure routers and switches using passwords. Know your access control lists very well.
You should be able to secure wired network access with port security, DHCP snooping, and dynamic ARP inspection. You also need to understand the authentication and encryption protocols available to secure wireless network access.
To summarize: security fundamentals cover many network security technologies and protocols at a high level, with special focus on network device security, wired and wireless network access, and access control lists.