In this article:
What: CCNA Security is a technical certification about general network security in a professional context. It describes the typical threats potentially affecting such networks, then the various Cisco technologies that help mitigate them. This covers the networking devices themselves, but also data both in transit and at rest, and end-user devices, both corporate and personal (BYOD).
When: Obtaining this certification requires at least the CCENT certification (I recommend having a CCNA Routing & Switching, though).
While the CCENT or CCNA R&S is a prerequisite to be granted the CCNA Security certification, neither is technically required to take the exam.
If for some reason it suits you, Cisco allows you to take the CCNA Security exam before having obtained a CCENT or CCNA R&S. If you pass the exam, you will be granted the CCNA Security certification once you get your CCENT or CCNA R&S.
Depending on your schedule, this might be worth knowing.
Why: This certification demonstrates fundamental knowledge of threats affecting corporate data networks and familiarity with Cisco technologies designed to mitigate them.
For US people, this certification also officially meets the NSA / CNSS 4011 training standard and is DoD 8570 compliant, approved for the IAT Level II. This may satisfy some of the requirements to be hired either directly by US governmental entities or by consulting companies providing services to them.
Who: If you are interested in networking and in security, this certification is an obvious choice. Cisco technologies are widespread, and this certification provides the opportunity to dig further into areas which are only scratched by the CCNA R&S and to familiarize yourself with various technologies like Cisco’s VPN and firewall technologies.
Where: You only need to pass one exam to get this certification. It can be taken in any Pearson VUE test center.
This is a classic Cisco exam: it is presented in a similar fashion to the CCENT and CCNA R&S exams, with MCQs and lab simulations (the lab being of course extended to cover products specific to the CCNA Security curriculum).
Let’s say it straight: device and service deployment is out of scope for this exam. Cisco training material assumes that you are provided, either by your training center or by your company, with access to ready-to-use environments for your practical training.
When working on the CCNA R&S, there are enough documentation sources available to know what you will need, and once you have your lab ready you can fully dedicate yourself to the training step.
Here, chances are that your studies will frequently be brutally interrupted for an unknown amount of time because the author suddenly adds a new service like “Configure your CCP as in the following screenshot”, leaving you with a lot of unanswered questions:
- What is a “CCP”?
- Do I really need practical knowledge of this, or is it enough to just learn it from a theoretical point of view from the book?
- Where can I get it? Is it freely available?
- Does the CCNA Security expect a specific version of the software?
- How do I install it, and what are the prerequisites and the installation process?
- Why doesn’t it work? Is it because of a bug, an incompatibility, a wrong setting in the emulator or in the operating system or a license issue?
- Several hours of debugging and Internet searches later, why does it still not work?
- How do I manage it? How do I make it interoperate with the rest of the topology, how do I create an account for myself?
And once you have gone through this, you can go back to your studies… until the next component is added.
From my personal experience, in addition to CCNA R&S components you also need practical training on ASA and ASDM, ACS, CCP and SCEP. Some other technologies are covered by the curriculum, such as end-device security technologies, but having a general knowledge of what they are and how they work from a high-level perspective is usually enough (for now, that was true for me, but keep in mind that the CCNA Security curriculum may evolve).
I’m currently completing the virtualization section of this site to cover the installation of required components in your lab. Moreover, you will also find invaluable information in this video by Keith Barker.
The CCNA Security is not a widespread certification compared to the CCNA R&S, for instance. The main consequence of this is a very small amount of documentation available.
If you’ve read my CCNA Routing & Switching review, you should have read how satisfied I was with the subnetting.net website. While I was studying for my CCNA Security, they were in the process of building their CCNA Security course and it was not yet available. By now their CCNA Security training material has become available. I did not view it, so I cannot tell whether it is good or not, but given the quality of their CCNA R&S material I highly recommend that you at least check it out.
Other than that, you have Cisco’s official book and… not much else. I guess that the CCNA Security curriculum attracts too few people and changes too often to interest publishers (note though that while writing this article, I see that Sybex announces a book for January 2018, yet again I cannot vouch for its content).
Cisco’s official certification guide is of poor quality. In its defense, it is well written and what is explained is explained clearly, but I have the strong feeling that it has been rushed and delivered in an unfinished state. The final product is therefore an incomplete book with missing parts (including sections announced in the table of contents) and with some chapters mixed up.
To give a first example, there is no introduction to the CCP tool, except to tell you that you need to know it (not even any mention of which version and flavor is concerned; both the book and Cisco’s curriculum remain vague on this). It is mentioned for the first time on page 41 and the author directly throws screenshots at you. From where, how, what: you don’t know. And as it happens, setting up a working CCP is not an easy matter without prior knowledge of its specificities.
The best case of mixed-up chapters is chapter 5 about PKI infrastructures, which assumes that you have already read chapter 8, which introduces ASA to the reader:
What I want to do now is walk you through an example of applying these concepts to some devices you are already familiar with if you have read the previous portions of this book. Both the Adaptive Security Appliance (ASA) and Cisco routers can use digital certificates. Let’s take a look at installing digital certificates on the ASA, using the Adaptive Security Device Manager (ASDM).
This is page 107 of the book, and is your first contact with these tools you are anything but “familiar” with. What the frustrated reader may not know is that this book indeed contains an introduction to the ASA device, but it is buried a hundred pages later, in chapter 8 about Implementing SSL VPNs using Cisco ASA. The reader may assume this is the same thing as with CCP and that he is just supposed to learn how to deploy and administer ASA systems on the fly before continuing to read.
But the chapters are not only mixed up, and the CCP presentation is not the only thing missing. This book is incomplete with respect to the exam requirements. If it is your only source of study, you will fail [2].
Here are the missing parts from this book with a link to the material I used to complement my learning:
- 802.1X: The table presented in the introductory chapters shows that it was intended to be covered in the fourth chapter, but the whole section is missing from the book. Read Cisco’s Wired 802.1X Deployment Guide.
- PVLAN: It was meant to be covered in chapter 9 according to the tables at the beginning of the book, but it was forgotten. See this video by Keith Barker.
- Reflexive Access Lists: They are also never mentioned in the book, although they are tested in the exam. They are not a complicated topic, but not so easy that you can just assume that everybody already knows them. Check this short video, also by Keith Barker.
- Extranet VPNs: Usually they are considered as a kind of DMZ, but in Cisco’s world extranet VPNs provide direct access to a company’s internal network. This is the “historical occasional definition” stated in Wikipedia and also explained in Cisco documentation. This is often asked in one form or another. It is not complicated, but if you come to the exam with the common definition of extranets you will fail.
- Firewalls: They are covered in this book, that’s fortunate, but they are covered incompletely as per the exam requirements:
  - You are expected to know the limitations potentially affecting multicast handling:
    - Zone-based firewalls: filtering of multicast traffic is not supported (search for “multicast” in the linked page). Control Plane Policing is the only way to go in this case.
    - ASA firewalls: filtering of multicast traffic is supported (this link serves only as a reference to show it is supported, you are not expected to know the details).
  - You are expected to be familiar with ASA Security Contexts, know what they are and why they are used. Read this Cisco documentation.
  - You must also be familiar with Cisco ASA Accelerated Security Path (ASP). Sadly, the blog I used as a resource is now closed, so you’re on your own for this one, but there are many resources available online.
Maybe you noticed that I was often referring to Keith Barker’s videos. He is a presenter for CBT Nuggets videos. The videos I linked here were free samples, but you can find the complete set on the CBT Nuggets website. You can use them to complete your knowledge; moreover, new members benefit from a free 7-day trial period, so it may not even cost you any money.
The curriculum associated with this exam matches the goal expressed at the beginning of this post, as it allows someone starting in the realm of network security and / or starting with Cisco’s network security technologies to effectively deepen his knowledge of the subject.
However, personally I have two reservations:
- The topic list provided by Cisco is too vague.
- It focuses too much on Cisco product usage at the expense of more general background knowledge.
Let’s look at each of these reservations in more detail.
First, both Cisco’s topics list and official cert guide are really too vague about what is actually expected from the student.
Yes, the topic list has Cisco’s usual disclaimer:
The following topics are general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.
This was also the case for the CCNA Routing & Switching exam, but while in the latter this disclaimer actually covered a few secondary questions about knowledge that one is expected to gain during any normal training and wouldn’t prevent a candidate from passing, here Cisco really seems to go freestyle regarding the choice of tested topics.
As this is a common claim regarding this certification, I remember a CCIE on a forum who explained that this is a good thing because the more you learn, the more you know, and one should not study with the exam as a goal, giving as an example the CCIE curriculum, where the topics are deliberately very vague.
I do not agree at all with such statements. The CCNA is an entry-level certification and the CCIE is an expert-level one; you cannot compare them as they are two different beasts.
In entry-level certifications, the student needs to know precisely what he has to study so he does not lose precious time on off-topic subjects while missing important on-topic subjects (time is always playing against any student). Of course, given an infinite amount of time, the student could become an expert in every topic before passing the CCNA exam, but this is not what is expected: there is an upper bound in each topic which must be clearly indicated. The student remains free to investigate beyond this upper bound if time allows him such additional research, and this may also provide insightful background information about on-topic subjects, but this remains additional research.
In expert-level certifications, there is basically no upper bound anymore: you are meant to be an expert on the listed topics. For the domains where you are only required to be familiar with the “common features” of something, your position should allow you to determine what features are “commonly” found in the industry, which a candidate for an entry-level certification is most likely unable to do. For the domains where you are required to have a thorough knowledge, there is effectively no upper bound and you could be asked about any aspect of the subject. Of course you are not expected to know everything, which means you won’t reach a 100% score as you may potentially do in a lower-level exam, but the gaps in your knowledge should be small enough to allow you to stay above the required score.
Without a proper topic list or, at least, a proper certification guide, it is just impossible for a self-learner to pass this exam. That’s why you may have to check online either for specially created training questions or for old exams (by the way the IINS exam currently labeled 210-260 was previously labeled 640-554, this may help you find older material which, while not up-to-date, may still help you more accurately determine what is expected from the student as the main topics remained the same).
Don’t fall into the trap of learning the questions and answers and hoping to pass only with that knowledge.
This is stupid (see my general post on certifications) and most likely useless, as Cisco regularly generates new batches of questions with either new questions or, more subtly, the same question but with a slight variation (a change in host names, numbers, etc.) making the correct answer change in an otherwise similar-looking question.
As I said in the general post, don’t forget that you study for yourself, to develop your own aptitudes in domains you are supposed to like and be good at.
The CCNA R&S curriculum is IMHO a perfect example of a curriculum where the theoretical and practical content are well balanced. In the CCNA R&S, you begin by learning, for instance, a protocol: why it is needed, how it works, and then finally you learn how to implement it using Cisco technologies.
The CCNA Security curriculum, on the other hand, focuses more heavily on Cisco products. I’m not saying that there is no theoretical knowledge at all; on the contrary, the details of IPsec for instance and its comparison with SSL-based VPNs are very well developed and very interesting, and I suppose that someone new to the security area will also enjoy the parts about the threats and PKI infrastructures, but the theoretical knowledge does not go very far beyond that.
After that, the curriculum seems to boil down to a catalogue of features, each one with its own succession of screenshots, web interface menus and command-line options to learn.
- The threats remain theoretical: you are solving problems you don’t know in practice and have never experienced or verified for yourself. In other words, you are rather taught good practices.
- The features are analyzed individually, with very little perspective on the global network architecture and how the elements are organized and interact with each other. For instance, individual chapters describe centralized authentication, SCEP and site-to-site VPN, but how they could be securely combined is off-topic (but most probably covered in the CCNP curriculum).
Depending on your affinities and the reasons why you choose a CCNA Security certification, I would recommend that you accompany this certification with at least one other:
- If you are more interested in the security aspect, you should benefit greatly from a general security certification, like a CEH for instance. This will provide you with a better understanding of the threats, allowing you to make more appropriate decisions.
- If you are more interested in Cisco technologies, I think you should take the step and push toward the CCNP Security. I did not take this one so I cannot vouch for it, but it should allow you to become more intimate with Cisco technologies than the introduction provided in the CCNA, making you more efficient and more apt to make the right decisions or react correctly in case of unforeseen events.
Similarly to the CCNA R&S, the questions themselves are clear and unambiguous, even though, as mentioned above, they follow a topic list which noticeably differs from the one available on Cisco’s website and in its official certification guide.
As a self-learner, you must therefore do your own investigations to discover the topics actually covered by the exam.
Having been through this myself, I’ve shared with you in this post the complete list of topics which I found to be asked in CCNA Security exams and missing from Cisco’s official certification guide.
So maybe this list will save you some investigation time so you can focus more on your studies, at least I hope so!
Don’t take it for granted, though, as Cisco regularly updates its question sets and may include new, unmentioned topics.
The exam engine is… crap.
Yeah, I already knew it from my CCNA R&S exam so I was expecting the broken XML tags and attributes in the questions and answers, but here I got a BSOD, a Windows Blue Screen of Death right in the middle of the exam (while the engine was loading a simulation lab).
How is it even possible that a simple exam engine could make the whole operating system crash?
Needless to say, I was very worried, and my first reaction was, breaking the rule, to get up right away and fetch one of the people in charge of the exam center, less to get technical assistance than to get an official witness in case I failed the exam because of this.
Fortunately, once Windows restarted, the exam went on as usual, at the current question, current time and keeping all previously saved answers. What a relief, but still: this is not what I would call good or comfortable exam conditions [3].
Unless you need this very certification to meet some US governmental contract prerequisites, I would not recommend taking this certification alone.
I would however recommend it mainly in these two situations:
- As a complement to a more general security learning path, to dig a bit deeper into some protocols such as IPsec, which is often mentioned but rarely studied elsewhere, and to familiarize yourself with Cisco’s approach to security. This is why I chose it personally, and I really don’t regret it.
- As a first step to get your CCNP Security and become an actual Cisco Security Professional.
[1] This link leads to the documentation of version 5.6 of ACS. To access a different version, or if this one is not found, simply change the version number in the URL, as the path itself remains constant over ACS versions.
[2] Some gossip says that this may be a deliberate move from Cisco in order to bill more exams and put forward their official, expensive training sessions. Personally, I believe in “Don’t see malice where there is just stupidity” and I think that Cisco just does not care. There is too little money to make on people training using books and free simulators, so there is no business reason to invest money in them either. This is not a matter of thinking of strategies to push people to pay more, this is simply a matter of reducing funding where the ROI is not profitable enough.
[3] I passed nearly a dozen exams in the same test center, and I encountered such issues only with Cisco exams. These issues therefore seem unrelated to the exam center itself and really caused by Cisco’s specific exam engine.