The CCNA Security exam is the first certification within Cisco's security track. Like the other tracks (e.g. data center or routing and switching), the security track has three levels: associate, professional, and expert. CCNA Security is the associate-level certification, and it can help your career as a penetration tester or network engineer tremendously.
Though the exam does cover some concepts and protocols that apply to other vendors' equipment (general knowledge such as encryption and well-known ports), it is a Cisco exam, meaning its focus is on Cisco products. For example, some of the exam tasks include configuring a VPN tunnel on a Cisco Adaptive Security Appliance (ASA).
Difficulty
Before you begin studying for the CCNA Security exam, I'd highly recommend having a few other certifications under your belt. The CCNA Security exam is more advanced than the standard CCNA exam, and it builds on concepts learned in the CCNA study materials.
It would be very strange for an engineer to obtain the CCNA Security certification before the CCNA. In fact, I don't think I've ever heard of people taking that path. In order to be prepared for the test, I'd recommend having at least one CompTIA certification (like Security+) in addition to the standard CCNA certification. Otherwise, you could be setting yourself up for failure.
In my humble opinion, the CCNA Security exam is more difficult than any given CompTIA exam. Not only are the concepts more advanced and challenging, but the test is designed to test your knowledge with a rather tricky exam format. Questions are delivered in a variety of forms including multiple choice (with more than four options, any and all of which could be correct), drag and drop, true or false (with very tricky wording), and configuration and troubleshooting simulations.
I would even go so far as to say the CCNA Security exam is more difficult than the CCNA, even though they are both associate level certifications. However, in the grand scheme of things within the security track, this exam is the easiest. Naturally, the CCIE Security exam is going to be exponentially harder.
And if you’re new to networking in general, this test is going to be extremely difficult. If you haven’t ever touched a router, switch, or ASA in the real world, I think you’ll have a hard time getting a passing score. At the very least, make sure you have access to lab equipment before undertaking this exam.
In fact, Cisco Systems states on its website that a valid CCENT, CCNA Routing and Switching, or any CCIE certification is a prerequisite for taking the exam. And I think that's a wise move on Cisco's part. Basically, they are ensuring that they don't set you up for failure by allowing you to take an exam that's too difficult. Personally, I've failed an exam before, and it stung quite a bit. Not only did it hurt my pride, but I also had to grit my teeth and pay for the exam a second time, which isn't fun at all.
Professional Value and Marketability
This certification correlates with higher salaries than the CCNA and Security+ certifications, and it's no wonder why. Every day brings more attackers causing damage on the Internet, and because the Internet's core protocols were never designed with security in mind, the world will always need people who know how to protect data.
Just stop and think about how many headlines you’ve read about a massive data breach at corporation XYZ, or wiretapping scandals brought to light by Edward Snowden. Stealing things in general (data, in this case) is just an ugly part of human nature. To put it bluntly, showing any employer that you have training and a background in security will make you highly marketable.
Payscale reported that average salaries ranged between $50,000 and $97,000 among professionals who held the CCNA Security certification. But don’t make the mistake of thinking that a certification automatically qualifies you for this level of income. As with any other job, I.T. positions are highly demanding and require a high level of trust, professionalism, and experience.
If you don't have any background in networking already, do you really think any legitimate company is going to give you the keys to the kingdom? When an engineer has control over an organization's security, bad things can happen with even the smallest mistakes. That's one reason why higher-level security professionals can earn a higher salary. And a lot of firms feel there aren't enough qualified security professionals to go around. It's simple supply and demand: demand is high, supply is low, and security professionals get higher pay.
Though it does make you more marketable, and statistics show these professionals get higher pay, I would also caution you against thinking that you'll immediately land a security-centric role. Instead, it's much more likely that you'll be a jack of all trades, at least in the beginning. Just take a look at any I.T. job posting, and you'll see that network engineers need to be experienced in several different disciplines (voice, security, routing and switching, server administration, etc.).
At a higher level, experts can wear the "security hat." But at a lower level, you'll probably find yourself wearing a lot of different hats. The CCNA Security certification doesn't instantly make you a bona fide penetration tester, but it certainly is a useful stepping stone. Once you have a few years of experience under your belt, you can tackle greater challenges like the CCNP Security, and really start to earn a better salary.
Security Concepts
Believe it or not, Cisco lists "Security Concepts" as one of the main categories of the CCNA Security certification's objectives. And I have to admit, I don't think they could have picked any vaguer terminology. Yet this area of the exam focuses on more general-knowledge questions, such as:
- identifying common types of network attacks
- defining social engineering
- identifying types of malware
- understanding cryptography, key exchanges, hashing algorithms, and digital signatures
- identifying and describing various network topologies like LAN, WAN, SOHO, CAN, and data centers
Secure Access
The second main objective of the exam is to understand various secure access technologies. These questions cover the following:
- the difference between in-band and out-of-band management
- secure network management configurations
- how to secure SNMP (Simple Network Management Protocol) with ACLs (Access Control Lists)
- how NTP (Network Time Protocol) can increase security
- understanding authentication, authorization, and accounting (AAA)
- the differences between RADIUS and TACACS+ servers
- how to configure RADIUS and TACACS+ on a router
- how to integrate RADIUS and TACACS+ with Active Directory
- identifying and describing 802.1X authentication
- BYOD (Bring Your Own Device)
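The following Cisco IOS configuration is an added example, not from the original article, that ties several of these objectives together on one router: login authentication against a TACACS+ server with a RADIUS server and a local account as fallbacks, per-command authorization and accounting (which only TACACS+ can do, the classic RADIUS vs TACACS+ distinction), in-band management limited to SSH from one subnet, SNMPv3 polled only from the NMS, and authenticated NTP. Every hostname, address, and key is a made-up placeholder (RFC 5737 documentation ranges); replace them in a real build.

```cisco
! Added example; hostnames, addresses and keys are placeholders.
hostname EDGE-RTR
aaa new-model
!
! TACACS+ for device administration. RADIUS cannot authorize individual
! commands, so it appears only as a second source for login authentication.
tacacs server TAC-SRV1
 address ipv4 192.0.2.10
 key TacacsSharedSecret
aaa group server tacacs+ TAC-GROUP
 server name TAC-SRV1
!
radius server RAD-SRV1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key RadiusSharedSecret
aaa group server radius RAD-GROUP
 server name RAD-SRV1
!
aaa authentication login VTY-AUTH group TAC-GROUP group RAD-GROUP local
aaa authorization exec VTY-AUTH group TAC-GROUP local
aaa authorization commands 15 VTY-AUTH group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Local break-glass account so the box stays reachable if every AAA server is down.
username breakglass privilege 15 secret BreakGlassP4ss!
!
! In-band management: SSHv2 only, and only from the management subnet.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 authorization commands 15 VTY-AUTH
 exec-timeout 10 0
!
! SNMPv3 with authentication and privacy (v1/v2c send the community string in
! the clear), restricted by ACL to the monitoring host.
ip access-list standard SNMP-HOSTS
 permit host 192.0.2.20
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access SNMP-HOSTS
snmp-server user nmsuser NMS-GROUP v3 auth sha SnmpAuthPass priv aes 128 SnmpPrivPass access SNMP-HOSTS
!
! Authenticated NTP: log timestamps are only useful as an audit trail if nobody
! can push bogus time to the device.
ntp authentication-key 1 md5 NtpSharedKey
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.30 key 1
service timestamps log datetime msec localtime show-timezone
```

The order of the method lists matters: `group TAC-GROUP group RAD-GROUP local` means the local account is consulted only when both servers are unreachable, not when they reject the user. Verify with `show aaa servers`, `test aaa group TAC-GROUP <user> <password> legacy`, and `show ntp associations`.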
In my opinion, this section of exam content isn't really very exciting. Nevertheless, secure access technologies are essential on any modern network. The ability to authenticate and authorize users properly helps keep unauthorized users out of all types of network services. In addition, accounting gives you an audit trail that records user logins, the commands they ran, and other crucial information.
Lastly, BYOD is still a relatively new concept. These days, it's so common for people to have multiple devices (like tablets, smartphones, and laptops). It's only natural for them to try to connect these devices to corporate Wi-Fi, which presents security concerns. A BYOD program seeks to mitigate the security problems caused by employees using personal devices.
VPNs
VPNs are absolutely essential for protecting data in transit between two endpoints, and you're going to need to learn how they work. If you've ever had to use a consumer VPN to unblock content from another country, you're a step ahead of the game. VPNs are extremely versatile in that they can be used in a number of different settings using one of several tunneling protocols (PPTP, L2TP, IPsec, etc.). Note that PPTP should no longer be treated as secure (its MS-CHAPv2 authentication has been broken), and L2TP provides no encryption on its own, which is why it is normally paired with IPsec.
But they can be used to do more than make your personal BitTorrent downloads invisible to your ISP. You see, most businesses with multiple offices in separate geographic regions rely on VPN tunnels to protect data as it travels from one site to another. For example, consider a fast food franchise with an HQ location in New York and hundreds of restaurants across the country.
HQ needs to exchange billing, accounting, and sensitive payment information with each of these sites, but it's unthinkable to send all this information across the public Internet without encryption. In this case, the franchise may very well opt to establish a VPN tunnel between HQ and each individual restaurant's private network.
This type of VPN is called a site-to-site VPN. The idea is to encrypt data once it reaches the edge of one private network, and then decrypt it once it reaches the edge of the destination's private network. Every competent hacker (white hat or black hat) and every penetration tester needs to know how VPN tunnels are negotiated, how keys are exchanged, and how data is transferred through them.
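Here is an added example (not from the original article) of the franchise scenario above as a site-to-site IPsec tunnel between an HQ router and one branch router, using IKEv1 with a crypto map, the form most commonly labbed for this exam. The two sides are mirror images: same policy, swapped peer address and swapped interesting-traffic ACL. Addresses, networks, and the pre-shared key are placeholders; the Phase 1 and Phase 2 parameters (AES-256, SHA-256, DH group 14) are chosen deliberately instead of the 3DES/MD5/group 2 defaults seen in older study material.

```cisco
! ---------- HQ router (public 203.0.113.2, LAN 10.1.0.0/16) ----------
! Phase 1 (ISAKMP/IKEv1): how the peers authenticate and protect the negotiation.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Branch1SharedSecret address 198.51.100.2
!
! Phase 2 (IPsec): how the user data is protected. ESP in tunnel mode hides
! the original 10.x addresses from anyone watching the Internet link.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": only HQ <-> branch LAN traffic goes into the tunnel.
ip access-list extended HQ-TO-BRANCH1
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES256
 set pfs group14
 match address HQ-TO-BRANCH1
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN-MAP
!
! If this router also does NAT for Internet access, exempt tunnel traffic
! from translation, otherwise it never matches the crypto ACL.
ip access-list extended NAT-SOURCES
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
!
! ---------- Branch 1 router (public 198.51.100.2, LAN 10.2.0.0/16) ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Branch1SharedSecret address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended BRANCH1-TO-HQ
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 set pfs group14
 match address BRANCH1-TO-HQ
!
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN-MAP
```

The tunnel is built on demand, so send a ping from a 10.1.x host to a 10.2.x host before checking it. `show crypto isakmp sa` should show the peer in state `QM_IDLE`, and `show crypto ipsec sa` should show the encaps/decaps counters climbing for the `10.1.0.0/16 <-> 10.2.0.0/16` proxy identities. A common failure is a mismatched crypto ACL on one side, which shows up as Phase 1 succeeding while Phase 2 never forms.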
Secure Routing and Switching
There are many ways for a hacker to attack a remote system, and sometimes they attack the network devices themselves to gain a foothold. Competent engineers need to be able to lock down routing and switching with security features to ensure the infrastructure doesn't become compromised. More specifically, the CCNA Security certification focuses on the following aspects of secure routing and switching:
- configuring privilege levels on Cisco devices
- role-based CLI access
- securing routing protocols, such as OSPF (Open Shortest Path First) authentication
- control plane policing
- identifying attacks that target STP, as well as ARP spoofing, MAC spoofing, CAM table overflows, VLAN hopping, and DHCP spoofing
- mitigating the aforementioned attacks with techniques like dynamic ARP inspection, BPDU guard, root guard, loop guard, and port security
- VLAN security
Cisco Firewall Technologies
When most I.T. professionals hear the term "Internet security," the first physical device and technology that pops into their minds is a firewall. Naturally, the CCNA Security candidate is going to need to know how firewalls work, but may have only been exposed to the software firewall in Windows or the one built into their home wireless router.
Cisco doesn't have a single firewall product. Rather, firewall functionality is implemented across a great number of devices. For instance, did you know you can use an ACL to block individual services on a router? That effectively acts like a (stateless) packet-filtering firewall.
Cisco also produces dedicated hardware appliances, like the ASA. But an ASA is more than just a firewall, because it includes features like VPN termination, IP spoofing mitigation, DHCP, remote management, and AAA. It can even take packet captures on any interface. To put it bluntly, you need to know what a firewall is and how it works if you want to be good at your job as a penetration tester.
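The following ASA configuration is an added example, not from the original article, showing the firewall behaviours described above on an HQ edge appliance: interface security levels, an inbound ACL that admits only the branch VPN peer's IKE and ESP traffic, an outbound ACL that blocks individual services (Telnet and SNMP) by port, unicast RPF for anti-spoofing, DHCP for the LAN, and management restricted to one subnet. The addresses (203.0.113.2 for HQ, 198.51.100.2 for the branch peer) are placeholders from the RFC 5737 documentation ranges, and the `capture` lines at the end are exec-mode commands shown as comments.

```cisco
hostname HQ-ASA
! Security levels: traffic from a higher level to a lower one is allowed by
! default (inside -> outside); lower to higher is denied unless an ACL permits it.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0
!
! PAT the whole LAN behind the outside address for Internet access.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Inbound from the Internet: only the branch peer's IKE (UDP/500), NAT-T
! (UDP/4500) and ESP; everything else is dropped and logged.
access-list OUTSIDE-IN extended permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
access-list OUTSIDE-IN extended permit udp host 198.51.100.2 host 203.0.113.2 eq 4500
access-list OUTSIDE-IN extended permit esp host 198.51.100.2 host 203.0.113.2
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Outbound: block individual services by port, then allow the rest of the LAN.
access-list INSIDE-OUT extended deny tcp any any eq telnet log
access-list INSIDE-OUT extended deny udp any any eq snmp log
access-list INSIDE-OUT extended permit ip 10.1.0.0 255.255.0.0 any
access-group INSIDE-OUT in interface inside
!
! Anti-spoofing: drop outside packets whose source would route back via inside.
ip verify reverse-path interface outside
!
! DHCP for the LAN.
dhcpd address 10.1.0.100-10.1.0.200 inside
dhcpd dns 10.1.0.5
dhcpd enable inside
!
! Management: SSHv2 and ASDM (HTTPS) only from the inside management subnet.
ssh 10.1.10.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
http server enable
http 10.1.10.0 255.255.255.0 inside
!
! Packet capture from exec mode, e.g. while troubleshooting the VPN peer:
!   capture VPN-CAP interface outside match ip host 198.51.100.2 host 203.0.113.2
!   show capture VPN-CAP
!   no capture VPN-CAP
```

Note that an ASA ACL is stateful for the return traffic of TCP/UDP flows it permitted, which is what separates it from a plain router ACL; `show access-list` shows per-line hit counts and `show conn` the live connection table, both of which are the first place to look when a flow is unexpectedly dropped.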
IPS
An ounce of prevention is worth a pound of cure, and IPS (Intrusion Prevention Systems) are an integral part of any business-class network. Not only can they help identify threats, but they can even block them in real time. However, the CCNA Security exam really only serves as an introduction to IPS devices. Entire volumes have been written about their configuration and operation, so this is really more of a primer.
Final Thoughts
The aforementioned topics should give you an accurate understanding of what information is contained within the CCNA Security exam, as well as how it will aid penetration testers. Remember, because of prerequisites imposed by Cisco, you’ll first need to pass the CCENT or CCNA exam. Though you can test for this exam without any real world experience, it isn’t advisable.
But with a few years of experience and this certification under your belt, you can start to earn a decent salary. The next logical step is to pursue the CCNP Security certification, which consists of multiple exams, each of which is more challenging than the CCNA level tests. If you’re intimidated by the CCNA Security exam, you might want to start with either the Security+ or CEH certifications.