CCNA Security – Key Things I learned

Having recently passed CCNA Security I thought I’d share some of the interesting topics covered that I’d either not heard of before or had limited knowledge of. I’ve also posted a small rant about the exam and how I studied here. Many of the topics were existing knowledge for me as my daily work is with Cisco ASAs, switches, routers and wireless so there wasn’t a huge amount of additional content that came as a surprise. On top of that there is the non-vendor specific knowledge such as the concepts of CIA (confidentiality, integrity and availability) and policies I’d picked up from doing the CompTIA Security+ which made several chapters of the official guide (which I found well written and detailed for the most part) a quick skim read for me. The official guide is quite thin at around 500 pages of content compared to some other Cisco exams (CCNA R&S, CCNP Route, CCDA) and my main gripe is that some sections were a brief 50,000ft overview whittling a whole technology like the ESA appliance down to a page or two. While this whet the appetite for further reading it did feel a little like an advertising platform for any Cisco technology remotely linked to security as opposed to a training / certification objective. There was also several pages devoted to Cisco GUI products like CCP and ACS of which were difficult to source for a lab and had mixed results running on my hardware due to heavy reliance on Java and IE with several compatibility options required.

Grumblings aside, the main thing I gained was a deeper understanding to the breadth of knowledge and gave insight on how I could change the way I do things for the better and I’ve outline the main finds below:

Concept of management, data and control planes

  • Management plane: Covers the configuration and remote management of the router. Think SSH, Telnet, SNMP, NTP
  • Control plane: Covers traffic that interacts with the routers CPU processors, routing protocol handling. Think EIGRP, BGP, pings / traceroutes that require CPU time to decrement TTLs
  • Data plane: Covers the movement of data across the network. Think ACLs, L3 packet inspection for traffic whose destination isn’t necessarily the router

Network security for a virtual environment

  • Leveraging the Cisco ASAv to provide a virtualised firewall that can dynamically scale to demand changes
  • Applying security policies to traffic staying within virtual hosts that passes from one VM to another, without incurring bandwidth contention or additional latency costs

Securing the data plane

  • Unicast Reverse Path Forwarding (uRPF). Provides means to discard traffic coming into an interface which does not have a valid source IP address based on the routing table and origin interface. Useful to prevent spoofing

Securing the management plane

  • The usual methods from CCNA R&S including passwords, ACLs etc
  • ACS and ISE for user identity management. Sadly this isn’t covered in much detail
  • Securing the IOS image and configuration files. This takes a secure copy of the files that cannot be deleted by remote users using the “secure boot-image” and “secure boot-config” commands
  • Parser views
    • Restricting users without creating custom privilege levels
    • Assign user to a view, which contains pre-approved commands that can be executed
  • SNMPv3
    • Providing a significantly more secure method for remote management of devices through the use of username / passwords as well as encryption (CBC-DES / DES-56)
  • TACACS+ versus RADIUS differences
    • RADIUS characteristics: UDP, open standard, only encrypts the password, good accounting capabilities
    • TACACS characteristics: TCP, Cisco proprietary, encrypts all packets, mediocre accounting capabilities

Securing the control plane

  • Control Plane Policing (CoPP)
    • Can be configured for traffic destined to an IOS devices’ IP
    • Provides rate limiting or complete dropping of traffic over a threshold to prevent CPU time being consumed in the processing of the traffic
    • Applied to logical control plane interface for global use
  • Control Plane Protection (CPPr)
    • More detailed classification allowed over CoPP
    • Reduces CPU load for packets being punted up for processing. This divides the control plane on the whole into three categories which can have different policies applied: Host subinterface, Transit subinterface and CEF-Exception subinterface.
    • CPPr also gives port filtering capabilities to police or drop packets destined for TCP or UDP ports as well as queue-thresholding to limit the number of packets for a defined protocol allowed into the control plane queue

Very brief overviews of ESA, CWS, WSA, SMA and AMP

  • This chapter is very brief and covers several concepts and products at minimal depth. Aside from the usual overview of phishing and other email or web attacks there is some knowledge required on the products:
    • Cisco ESA – Email Security Appliance which provides email security such as:
      • Black / white listing based on sender IP addresses, ranges or domain names
      • Spam filtering based on Cisco SenderBase reputation scores and Talos research group
      • Network anti-virus to provide scanning at the gateway using Sophos and McAfee engines
      • Advanced Malware Protection (AMP) to give an advanced detection of malware and post infection forensic tools
      • DLP to detect emails and documents being leaked
      • Email encryption and authentication using SPF (Sender Policy Framework), SIDF (Sender ID Framework) and Domain Keys Identified Mail (DKIM) verification for bi-directional mail
    • Cisco CWS – Cloud Web Security service providing web proxies in the Cisco cloud that scan for malware and enforce policies
      • Can be deployed with connectors on ISR G2, ASA, WSA or AnyConnect Mobility Client
      • In transparent mode, scanning is offloaded to the cloud to reduce latency
    • Cisco WSA – Web Security Appliance which provides web proxying on premise in either explicit or transparent mode using the Web Cache Communication Protocol (WCCP)
    • Cisco Content SMA – Security Management Appliance to centralise management and policies of WSA and ESA appliances, available in  physical or virtual (SMAV) flavours
    • Cisco AMP (Advanced Malware Protection) for Endpoints – providing Windows, Mac OSX and Android with host based protection
      • Based on acquisition of ThreatGRID
      • Provides analysis of malware, how it infiltrated the network, where it spread to and so on





3 thoughts on “CCNA Security – Key Things I learned

    1. Yeah, not going to happen here I’m afraid. If you want studying material then use the official cert guides. If you want practice tests then there are vendors supplying these. If you want dumps then you’re just cheating yourself.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s