Contents at a Glance

Introduction

Day 31. Common Security Principles

Day 30. Common Security Threats

Day 29. Cryptographic Technologies

Day 28. PKI and Network Security Architectures

Day 27. Secure Management Systems

Day 26. AAA Concepts

Day 25. TACACS+ and RADIUS Implementation

Day 24. 802.1X

Day 23. BYOD

Day 22. IPsec Technologies

Day 21. Clientless Remote-Access VPN

Day 20. AnyConnect Remote Access VPN

Day 19. Site-to-Site VPN

Day 18. VPN Advanced Topics

Day 17. Secure Device Access

Day 16. Secure Routing Protocols

Day 15. Control Plane Security

Day 14. Layer 2 Infrastructure Security

Day 13. Layer 2 Protocols Security

Day 12. VLAN Security

Day 11. Firewall Technologies

Day 10. Cisco ASA NAT Implementation

Day 9. Cisco IOS Zone-Based Policy Firewall

Day 8. Cisco ASA Firewall Concepts

Day 7. ASA Firewall Configuration

Day 6. IDS/IPS Concepts

Day 5. IDS/IPS Technologies

Day 4. Email-based Threat Mitigation

Day 3. Web-based Threat Mitigation

Day 2. Endpoint Protection

Day 1. CCNA Security Skills Review and Practice

Exam Day

Post-Exam Information

---

Introduction

If you’re reading this Introduction, you’ve probably already spent a considerable amount of time and energy pursuing your CCNA Security certification. Regardless of how you got to this point in your travels through your networking studies, 31 Days Before Your CCNA Security Exam most likely represents the last leg of your journey on your way to the destination: to become CCNA Security certified.

However, if you happen to be reading this book at the beginning of your studies, then this book provides you with an excellent overview of the material you must now spend a great deal of time studying and practicing. But, I must warn you: Unless you are extremely well-versed in network security technologies and have considerable experience as a network technician or administrator, this book will not serve you well as the sole resource for CCNA Security exam preparation. I know this first hand. I recently took the CCNA Security exam and was impressed with both the breadth and depth of knowledge required to pass. I have been teaching, writing about, and implementing networks for almost two decades. And yet, there was a moment during the CCNA Security exam where I thought, “Wow, this is really a tough exam!”

You see, Cisco states that for the CCNA Security exam, you must “demonstrates the skills required to develop a security infrastructure, recognize threats and vulnerabilities to networks, and mitigate security threats.” You simply cannot just study this content. You must practice it. Although I have a solid understanding of network security concepts and technologies, I also have extensive experience implementing and troubleshooting network security. That’s why I was able to successfully pass the exam. There really is no other way to correctly answer the many scenario-based questions a candidate will receive during the exam than to have experienced the same or similar scenario in the real world or a lab simulation.

Now that I’ve sufficiently challenged you, let me spend some time discussing my recommendations for study resources.

If you are a Cisco Networking Academy student, you are blessed with access to the online version of the CCNA Security curriculum and the wildly popular Packet Tracer network simulator. The course provides an introduction to the core security concepts and skills needed for the installation, troubleshooting, and monitoring of network devices to maintain the integrity, confidentiality, and availability of data and devices. The course helps students learn how to secure Cisco routers, implement AAA, configure ACLs, mitigate common Layer 2 attacks, implement Cisco IOS firewall features, implement site-to-site VPNs, and implement remote-access VPNs. To learn more about the CCNA Security course and to find an Academy near you, visit http://www.netacad.com. Cisco Press also produces a printed course booklet (ISBN: 9781587133510) and lab manual (ISBN: 9781587133503) to accompany the CCNA Security Networking Academy course.

I occasionally reference other Cisco Press books for more specific topics. The simplest way to access this extra content is with a Safari Books Online subscription.

So, which resources should you buy? That question is largely up to how deep your pockets are or how much you like books. If you’re like me, you want it all...online access for mobile and tablet reading, as well as hard copies for intensive study sessions with a pencil in hand. I admit it; my bookcase is a testament to my “geekness.” But that’s not practical for most students. So if you are on a budget, then choose one of the primary study resources and one of the supplemental resources, such as the CCNA Security 210-260 Official Cert Guide and the CCNA Security Portable Command Guide. Whatever you choose, you will be in good hands. Any or all of these authors will serve you well.

• A title for the day that concisely states the overall topic
• A list of one or more CCNA Security IINS 210-260 exam topics to be reviewed
• A Key Topics section to introduce the review material and quickly orient you to the day’s focus
• An extensive review section consisting of short paragraphs, lists, tables, examples, and graphics
• A Study Resources section to provide you a quick reference for locating more in-depth treatment of the day’s topics (as introduced in the previous section)

The book counts down starting with Day 31 and continues through exam day to provide post-test information.

Use the calendar to enter each actual date beside the countdown day and the exact day, time, and location of your CCNA Security exam. The calendar provides a visual for the time that you can dedicate to each CCNA Security exam topic.

The checklist highlights important tasks and deadlines leading up to your exam. Use it to help map out your studies.

Currently for the CCNA Security exam, you are allowed 90 minutes to answer 60 to 70 questions. Most recently, a passing score is 860 on a scale of 300 to 1000, but the passing score often rises as the exam matures. If you’ve never taken a certification exam before with Pearson VUE, there is a 2 minute 45 second video titled What to Expect in a Pearson VUE Test Center that nicely summarizes the experience: https://home.pearsonvue.com/test-taker/security.aspx. You can also search for it on YouTube.

When you get to the testing center and check in, the proctor verifies your identity, gives you some general instructions, and then takes you into a quiet room containing a PC. When you’re at the PC, you have a few things to do before the timer starts on your exam. For instance, you can take the tutorial to get accustomed to the PC and the testing engine. Every time I sit for an exam, I go through the tutorial even though I know how the test engine works. It helps me settle my nerves and get focused. Anyone who has user-level skills in getting around a PC should have no problems with the testing environment.

• Legal name
• Social Security or passport number
• Company name
• Valid email address
• Method of payment

You can schedule your exam at any time by visiting www.pearsonvue.com/cisco/. I recommend you schedule it now for 31 days from now. The process and available test times will vary based on the local testing center you choose.

Packet Tracer

To get your copy of Packet Tracer software please go to the companion website for instructions. To access this companion website, follow these steps:

1. Go to www.ciscopress.com/register and log in or create a new account.

2. Enter the ISBN: 9781587205781.

3. Answer the challenge question as proof of purchase.

4. Click on the Access Bonus Content link in the Registered Products section of your account page, to be taken to the page where your downloadable content is available.

---

About the Author

Patrick Gargano has been an educator since 1996 and a Cisco Networking Academy Instructor since 2000. He currently heads the Networking Academy program at Collège La Cité in Ottawa, Canada, where he teaches CCNA/CCNP-level courses. Patrick has twice led the Cisco Networking Academy student Dream Team deploying the wired and wireless networks supporting the U.S. Cisco Live conferences. In 2014 he co-authored CCNP Routing and Switching Portable Command Guide. Recognitions of his teaching include prizes from Collège La Cité for innovation and excellence and from the Ontario Association of Certified Engineering Technicians and Technologists for excellence in technology education. Previously, Patrick was a Cisco Networking Academy instructor at Cégep de l’Outaouais (Gatineau, Canada) and Louis-Riel High School (Ottawa, Canada) and a Cisco instructor (CCSI) for Fast Lane UK (London). His certifications include CCNA (R&S), CCNA Wireless, CCNA Security, and CCNP (R&S). He holds Bachelor of Education and Bachelor of Arts degrees from the University of Ottawa. Find him on Twitter @PatrickGargano.

Dedications

To my wife Kathryn, who is always happy to explain that when in doubt, “that” is always better than “which,” and to our son Samuel who, at age 7, already knows that (not which) Mummy is usually right but Daddy is usually more fun.

To my father, who can’t read this.

To my mother, who has devoted everything to our family.

To Albert, who has endured with courage.

Acknowledgments

My first thank-you’s have to go to Mary Beth Ray for suggesting that I write this book, and to Scott Empson and Hans Roth for making my first Cisco Press project such a thoroughly enjoyable collaboration that I was happy to accept her offer. Mary Beth is a remarkable executive editor, but then everyone at Cisco Press has been fantastic to work with: Ellie Bru, the development editor, has kept the SS Gargano on an even keel, and Tonya Simpson, the project editor, has ensured that everything is shipshape, while Bill McManus, the copy editor, has kept the good ship from sinking under an avalanche of mixed metaphors and grammatical missteps. I confess that I was a bit intimidated when I found out John Stuppi would be the technical editor, because he co-wrote one of my primary sources, the Cisco Press CCNA Security 210-260 Official Cert Guide, but in addition to being a true authority, he was a pleasure to work with. Allan Johnson, who initiated the 31 Days series, was my trusty guide on this, and Troy McMillan, who produced the fantastic material used in the Digital Study Guide version of the book, deserves sincere thanks as well.

Alongside the Cisco Press team, I want to offer my sincere gratitude to my colleagues at La Cité, especially Georges Absi, who has been generous with advice, moral support, and his wife’s authentic tabbouleh.

My past, present, and future students at La Cité are the inspiration for this book. I had them in mind with every word that I wrote, and if I’ve produced something that they’ll find useful and easy to understand, then I’ve met my loftiest goal.

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
• Italic indicates arguments for which you supply actual values.
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Square brackets ([ ]) indicate an optional element.
• Braces ({ }) indicate a required choice.
• Braces within brackets ([{ }]) indicate a required choice within an optional element.