Release Notes

CCNA Security: Implementing Network Security 2.0

Last Updated August 22, 2018

Purpose
Cisco CCNA® Security is the second major release of the Cisco Networking Academy® CCNA Security curriculum.
CCNA Security aligns with the certification exam Implementing Cisco® Network Security (IINS) (210-260). These
notes provide detailed information about this release, including curriculum content, known issues, and support
information.

Table 1. Release Content

Component Description

E-Learning Content 11 chapters

Labs 16 hands-on labs using 1941 routers and 2960 switches

Skills Assessment 1 skills assessment using equipment to verify the development of course skills
Cisco® Packet Tracer 13 Packet Tracer activities
Activities PT version 6.2.x or above is required

Pre-Test 1 pre-test that covers prerequisite and pre-existing knowledge This can be used to understand what students
know before starting the course to direct planning and customization of the curriculum.
Chapter Quizzes 11 modifiable chapter quizzes

Chapter Exams 11 chapter exams containing simulation-based, multiple choice, and fill-in-the-blank questions

Syntax Checker 41 Syntax Checker activities

Packet Tracer Skills 1 Packet Tracer skills assessment to support skills acquisition
Assessment

Final Exam 1 final exam with field test pool items

Accessibility 11 chapters containing accessible text and media text Videos provide closed captioning (CC)

Known Issues and Caveats

Item Description

Text Area Sizing After resizing the text area of a page, subsequent pages retain the same text area size. The text area size will
return to default when the browser session ends.

Form-Fillable PDFs Open these documents in Adobe Reader to help ensure the form-fillable fields load properly.
Opening these documents in a web browser is not recommended.

Syntax Checker This tool is limited in functionality to the specific instructions provided in a Syntax Checker activity.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6
 Certification Exam Alignment
Differences between the IINS 640-554 and the IINS 210-260.

Topics Removed Topics Added

2.1.a CCP Security Audit Feature 1.1.b Describe SIEM technology

2.1.b CCP One Step Lockdown Feature 1.2.b Describe Social Engineering
2.4 Describe IPv4 to IPv6 transition 1.2.d Classify the vectors of Data Loss/Exfiltration
2.4.a Reasons for IPv6
2.4.b Understanding IPv6 addressing
2.4.c Assigning IPv6 addresses
2.4.d Routing considerations for IPv6

3.1.a AAA Using CCP on Routers 1.4 Describe network topologies

1.4.a Campus Area Network (CAN)
1.4.b Cloud, Wide Area Network (WAN)
1.4.c Data Center
1.4.d Small office/Home office (SOHO)
1.4.e Network security for a virtual environment

4.1.c Types of ACLs (dynamic, reflexive, time-based ACLs) 2.1.c Configure and verify secure access through SNMP v3 using an ACL

4.1.j VLSM 2.4.b Describe the function of Mobile Device Management (MDM)

4.3.e. CCP 5.3 Implement NAT on Cisco ASA 9.x

4.3.g VACLs 5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x

5.2.g CCP 7.1.a SPAM Filtering, Anti-Malware Filtering, DLP, Blacklisting, Email Encryption

7.4 Implement Zone-Based Firewall Using CCP 7.2.b Blacklisting, URL-Filtering, Malware Scanning, URL Categorization, Web
Application Filtering, TLS/SSL Decryption

8.3 Configure Cisco IOS IPS using CCP 7.3.a Anti-Virus/Anti-Malware

8.3.a Logging
8.3.b Signatures

9.4.a CCP 7.3.c Hardware/Software Encryption of local data

Certification Objectives Coverage

Map of where IINS 210-260 objectives are covered in the CCNA Security course

IINS 210-260 Exam Objectives CCNAS v2.0 Coverage Location(s)

1.0 Security Concepts

1.1 Common Security Principles Chapter 1 Modern Network Security Threats

1.1.a Describe Confidentiality, Integrity, Availability (CIA) Section 1.2 Network Threats

1.1.b Describe SIEM technology Section 1.3 Mitigating Threats

1.1.c Identify common security terms Chapter 4 Implementing Firewall Technologies

1.1.d Identify common network security zones Section 4.2 Firewall Technologies

Chapter 11 Managing a Secure Network

Section 11.1 Network Security Testing

1.2 Common Security Threats Chapter 1 Modern Network Security Threats

1.2.a Identify Common network attacks Section 1.1 Securing Networks

1.2.b Describe Social Engineering Section 1.2 Network Threats

1.2.c Identify Malware Chapter 11 Managing a Secure Network

1.2.d Classify the vectors of Data Loss/Exfiltration Section 11.2 Developing a Comprehensive Security Policy

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 6
 IINS 210-260 Exam Objectives CCNAS v2.0 Coverage Location(s)
1.3 Cryptography Concepts Chapter 7 Cryptographic Systems

1.3.a Describe Key Exchange Section 7.2 Basic Integrity and Authenticity

1.3.b Describe Hash Algorithm Section 7.3 Confidentiality

1.3.c Compare & Contrast Symmetric and Asymmetric Encryption Section 7.4 Public Key Cryptography

1.3.d Describe Digital Signatures, Certificates and PKI

1.4 Describe network topologies Chapter 1 Modern Network Security Threats

1.4.a Campus Area Network (CAN) Section 1.1 Securing Networks

1.4.b Cloud, Wide Area Network (WAN) Section 1.2 Network Threats

1.4.c Data Center

1.4.d Small office/Home office (SOHO)

1.4.e Network security for a virtual environment

2.0 Secure Access

2.1 Secure management Chapter 2 Securing Network Devices

2.1.a Compare In-band and out of band Section 2.1 Securing Device Access

2.1.b Configure secure network management Section 2.3 Monitoring and Managing Devices

2.1.c Configure and verify secure access through SNMP v3 using an ACL

2.1.d Configure and verify security for NTP

2.1.e Use SCP for file transfer

2.2 AAA Concepts Chapter 3 Authentication, Authorization, and Accounting

2.2.a Describe RADIUS & TACACS+ technologies Section 3.3 Server-Based AAA

2.2.b Configure administrative access on a Cisco router using TACACS+ Section 3.4 Server-Based AAA Authentication

2.2.c Verify connectivity on a Cisco router to a TACACS+ server

2.2.d Explain the integration of Active Directory with AAA

2.2.e Describe Authentication & Authorization using ACS and ISE

2.3 802.1x Authentication Chapter 3 Authentication, Authorization, and Accounting

2.3.a Identify the functions 802.1x components Section 3.5 Server-Based AAA Authorization and Accounting

2.4 BYOD (Bring-Your-Own-Device) Chapter 1 Modern Network Security Threats

2.4.a Describe the BYOD architecture framework Section 1.1 Securing Networks

2.4.b Describe the function of Mobile Device Management (MDM)

3.0 Virtual Private Networks (VPN)

3.1 VPN Concepts Chapter 8 Implementing Virtual Private Networks

3.1.a Describe IPSec Protocols and Delivery Modes (IKE, ESP, AH, Section 8.2 IPsec VPN Components and Operation
Tunnel mode, Transport mode)

3.1.b Describe Hairpinning, Split Tunneling, Always-on, NAT Traversal

3.2 Remote Access VPN Chapter 10 Advanced Cisco Adaptive Security Appliance

3.2.a Implement basic Clientless SSL VPN using ASDM Section 10.2 ASA VPN Configuration

3.2.b Verify clientless connection

3.2.c Implement basic AnyConnect SSL VPN using ASDM

3.2.d Verify AnyConnect connection

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 6
 IINS 210-260 Exam Objectives CCNAS v2.0 Coverage Location(s)
3.2.e Identify Endpoint Posture Assessment

3.3 Site-to-Site VPN Chapter 10 Advanced Cisco Adaptive Security Appliance

3.3.a Implement an IPSec site-to-site VPN with pre-shared key Section 10.2 ASA VPN Configuration
authentication on Cisco routers and ASA firewalls

3.3.b Verify an IPSec site-to-site VPN

4.0 Secure Routing and Switching

4.1 Security on Cisco Routers Chapter 2 Securing Network Devices

4.1.a Configure multiple privilege levels Section 2.2 Assigning Administrative Roles

4.1.b Configure IOS Role-based CLI Access Section 2.3 Monitoring and Managing Devices

4.1.c Implement IOS Resilient Configuration

4.2 Securing Routing Protocols Chapter 2 Securing Network Devices

4.2.a Implement routing update authentication on OSPF Section 2.5 Securing the Control Plane

4.3 Securing the Control Plane Chapter 2 Securing Network Devices

4.3.a Explain the function of Control Plane Policing Section 2.5 Securing the Control Plane

4.4 Common Layer 2 Attacks Chapter 6 Securing the Local Area Network

4.4.a Describe STP attacks Section 6.2 Layer 2 Security Considerations

4.4.b Describe ARP Spoofing

4.4.c Describe MAC spoofing

4.4.d Describe CAM Table (MAC Address Table) Overflows

4.4.e Describe CDP/LLDP Reconnaissance

4.4.f Describe VLAN Hopping

4.4.g Describe DHCP Spoofing

4.5 Mitigation Procedures Chapter 6 Securing the Local Area Network

4.5.a Implement DHCP Snooping Section 6.2 Layer 2 Security Considerations

4.5.b Implement Dynamic ARP Inspection

4.5.c Implement Port Security

4.5.d Describe BPDU Guard, Root Guard, Loop Guard

4.5.e Verify mitigation procedures

4.6 VLAN Security Chapter 6 Securing the Local Area Network

4.6.a Describe the security implications of a PVLAN Section 6.2 Layer 2 Security Considerations

4.6.b Describe the security implications of a Native VLAN

5.0 Cisco Firewall Technologies

5.1 Describe operational strengths and weaknesses of the different Chapter 4 Implementing Firewall Technologies
firewall technologies
Section 4.2 Firewall Technologies
5.1.a Proxy firewalls
Chapter 6 Securing the Local Area Network
5.1.b Application firewall
Section 6.1 Endpoint Security
5.1.c Personal firewall

5.2 Compare Stateful vs. Stateless Firewalls Chapter 4 Implementing Firewall Technologies

5.2.a Operations Section 4.2 Firewall Technologies

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 6
 IINS 210-260 Exam Objectives CCNAS v2.0 Coverage Location(s)
5.2.b Function of the state table

5.3 Implement NAT on Cisco ASA 9.x Chapter 9 Implementing the Cisco Adaptive Security Appliance

5.3.a Static Section 9.2 ASA Firewall Configuration

5.3.b Dynamic Chapter 10 Advanced Cisco Adaptive Security Appliance

5.3.c PAT Section 10.1 ASA Security Device Manager

5.3.d Policy NAT

5.3 e Verify NAT operations

5.4 Implement Zone Based Firewall Chapter 4 Implementing Firewall Technologies

5.4.a Zone to zone Section 4.2 Firewall Technologies

5.4.b Self zone

5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x Chapter 9 Implementing the Cisco Adaptive Security Appliance

5.5.a Configure ASA Access Management Section 9.1 Introduction to the ASA

5.5.b Configure Security Access Policies Section 9.2 ASA Firewall Configuration

5.5.c Configure Cisco ASA interface security levels

5.5.d Configure Default Modular Policy Framework (MPF)

5.5.e Describe Modes of deployment (Routed firewall, Transparent

firewall)

5.5.f Describe methods of implementing High Availability

5.5.g Describe Security contexts

5.5.h Describe Firewall Services

6.0 Intrusion Prevention Systems (IPS)

6.1 Describe IPS Deployment Considerations Chapter 5 Implementing Intrusion Prevention

6.1.a Network Based IPS vs. Host Based IPS Section 5.1 IPS Technologies

6.1.b Modes of deployment (Inline, Promiscuous - SPAN, tap) Section 5.2 IPS Signatures

6.1.c Placement (positioning of the IPS within the network)

6.1.d False Positives, False Negatives, True Positives, True Negatives

6.2 Describe IPS Technologies Chapter 5 Implementing Intrusion Prevention

6.2.a Rules/Signatures Section 5.2 IPS Signatures

6.2.b Detection/Signature Engines

6.2.c Trigger Actions/Responses (drop, reset, block, alert, monitor/log,

shun)

6.2.d Blacklist (Static & Dynamic)

7.0 Content and Endpoint Security

7.1 Describe Mitigation Technology for Email-based Threats Chapter 6 Securing the Local Area Network

7.1.a SPAM Filtering, Anti-Malware Filtering, DLP, Blacklisting, Email Section 6.1 Endpoint Security
Encryption

7.2 Describe Mitigation Technology for Web-based Threats Chapter 6 Securing the Local Area Network

7.2.a Local & Cloud Based Web Proxies Section 6.1 Endpoint Security

7.2.b Blacklisting, URL-Filtering, Malware Scanning, URL Categorization,

Web Application Filtering, TLS/SSL Decryption

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 6
 IINS 210-260 Exam Objectives CCNAS v2.0 Coverage Location(s)
7.3 Describe Mitigation Technology for Endpoint Threats Chapter 5 Implementing Intrusion Prevention

7.3.a Anti-Virus/Anti-Malware Section 5.1 IPS Technologies

7.3.b Personal Firewall/HIPS Chapter 6 Securing the Local Area Network

7.3.c Hardware/Software Encryption of local data Section 6.1 Endpoint Security

Support
For general assistance with curriculum, classroom, or program issues, please contact the Networking Academy™
Support Desk by signing into the Cisco NetSpace learning environment and clicking Help > Contact Support at
the top of the page.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 6