How to get ready for CCNA Security exam

First these are my personal notes, about areas I focused to understand CCNA objectives. My notes contain info, which concepts I learn, with support of CBT Nuggets videos. Finally master packet tracer activity. If you do not have access to ASDM, than choose other exam e.g. CCNA Cyber Ops.

Obtain this:
1/ Book CCNA Security Portable command guide through safari books. Start reading from the first chapter onwards.
2/ CBT Nuggets – Keith Barker CCNA Security 210-260
3/ PDF CCNA Security Lab 2.0 Manual
4/ PDF CCNA Security 1.0 Student Lab Manual

1. Fundamentals

Managing risk
Quantitative risk analysis – mathematical model
input – estimated value for an asset multiplied by likelihood of a threat being realized
risk – analysis provides an actual cash of expected losses, used to estimate an annual cost.
Example:
Datacenter value = $10000 (AV)
Estimated risk damage in flooding = 60% (EF)

SLE single occurrence, if specific threat exploits a vulnerability results in org’s potential loss
SLE = AV x EF
SLE = 10000X60=$600000

ARO = 1% (1/100)- likelihood of a flood occurring is estimated at once in 100 years
ALE = SLE x ARO
ALE = 600000×1% =6000

What does the key length represent?

  • Number of permutations
  • Cipher size

Threat control

  • Regulates network access, isolating infected systems, prevent intrusions and protect business assets.
  • This helps to mitigate malicious traffic before it affects a business

Cloud security
Threats in cloud:

  • Abuse of cloud computing
  • Account or service hijack
  • Unsecure API – we in AMP team work with API quite a lot, every single SIEM or CERT Analyst uses API at work.

2. Network foundation protection

#Management plane Security
– login and password policy
– role based access control
– Authorize actions – restrict actions and views by user, group, service
– record who accessed the device, what occurred, and when
– ACL -limit which IP are allowed to connect to the network device.
– use only secure protocols -SSH/HTTPS,SNMPv3

#Data plane security
– ACL – antispoofing – discards traffic that has an invalid source IP
– layer 2 security
– firewall
– IPS – deep packet inspection – if the traffic tunneling through port 25 is what is should look like
– VPN
– content security – web/email content policy

#Layer 2 Data Plane Protection
– port security – prevent MAC address spoofing, flooding attacks
– DHCP snooping – DHCP server and switch
– Dynamic ARP inspection – adds security to ARP

#Securing the management plane includes the following
– enforcing a secure password policy
– securing console, vty, aux lines
– secure and archive config
– enable logging record changes in real time
– use NTP to keep clocks synced, it can identify the order in which a specific attack occurred
– use appropriate logging levels for each device

—> Lab – configure Cisco routers for Syslog, NTP and SSH operations from CCNA security 2.0 Instructor Packet Tracer manual

#Securing the Data Plane on catalyst switches + see CBT Nuggets video
If a layer 2 switch is compromised, Layers 3-7 are also affected.
Review layer 2 attacks from CCNA Security Portable command guide.

—> LAB – CCNA security 1.0 Student LAB
Chapter 6 lab A Securing Layer 2 Switches – part 3 Secure trunks and Access ports
Use packet tracer 6.3.1.2 Packet Tracer – Layer 2 Security

—> CCNA Security 2.0 Configure extended ACL
—-> Layer 2 security
—-> Layer 2 VLAN security
—-> ASA Basic Settings and firewall using CLI

#Switching data plane
IP DHCP snooping

VLAN hopping – never use VLAN 1
– assign all ports to 999 or shut them down
– do not allow dynamic negotiation

Good overview of attacking the switching data plane is CEH course
Starts — network mapping tools
– getting IP address from rogue DHCP server leads to MITM password attacks and sniffing
– DHCP starvation
– cam table attack and port security
– DHCP snooping
– Dynamic ARP inspection (DAI)

Finally – Book CCNA Security Portable command guide, Configuring port security example. VLAN hopping attacks – mitigating VLAN Attacks
On non trunk links – disable trunking. Switchport mode access
All unused ports assign to unused VLAN e.g. 999 and disable the port. VLAN 999 is not used for any other traffic.

On the trunk links:
– Enable trunk
– Disable DTP and prevent DTP frames from being generated
– Switch the native VLAN to a dedicated VLAN.

The CBT nuggets course CCNA security is presented by Keith Barker. The information is consistent and presented in the well form understanding.

#Securing the infrastructure

1/ Management plane – SSH, Syslog +NTP current time written in logs, SNMPv3, RBAC give users access they need. Do not assign more than they need, otherwise there might be an accident.

2/ Control plane – routing protocol updates, routers authentication. Limit the number of sessions, number of inbound connections. The router can overload its CPU – DOS attack.

3/ Data plane – Forwd packets, transit packet, from end device to another. E.g. dns
ACL, for IPv4, IPv6, Use port security, Firewall, IPS IDS
– Switch is capable to memorize max 64K MAC addresses. If somebody sends million, the FIFO is full and switch does not know where anybody is. It start flooding all its ports with MAC addresses.
– Permit TCP traffic destined to our web server. What is really in the web traffic – IPS, is this packet typical for http traffic?

Hope this helps

David