In February of 2012, Cisco announced updates to their CCNA Security certification program. Since the world of networking and system security is constantly evolving, Cisco wanted to ensure that the skills assessed in the CCNA Security certification provided both candidates and prospective employers with the appropriate skills. This newest iteration of the CCNA Security certification includes additional coverage with the Adaptive Security Appliance (ASA) and IPv6.
Cisco IOS Network Security (IINS)
There are currently two different versions of the IINS exam available, version 1 (640-553) and version 2 (640-554). Version 1 will be available to candidates until September 30, 2012, on this date candidates will have to take the newer version of the exam; version 2 is currently available. The following list shows how the different topics differ between the older and the newer exam.
Existed in v1 curriculum (Many of these objectives have been generalized from the previous blueprint)
Added to the v2 curriculum
Common Security Threats
- Describe common security threats
Security and Cisco Routers
- Implement security on Cisco routers
- Describe securing the control, data, and management plane
- Describe Cisco Security Manager
- Describe IPv4 to IPv6 transition
AAA on Cisco Devices
- Implement AAA (authentication, authorization, and accounting)
- Describe TACACS+
- Describe RADIUS
- Describe AAA
- Verify AAA functionality
IOS ACLs
- Describe standard, extended, and named IP IOS access control lists (ACLs) to filter packets
- Describe considerations when building ACLs
- Implement IP ACLs to mitigate threats in a network
Secure Network Management and Reporting
- Describe secure network management
- Implement secure network management
Common Layer 2 Attacks
- Describe Layer 2 security using Cisco switches
- Describe VLAN security
- Implement VLANs and trunking
- Implement spanning tree
Cisco Firewall Technologies
- Describe operational strengths and weaknesses of the different firewall technologies
- Describe stateful firewalls
- Describe the types of NAT used in firewall technologies
- Implement zone-based policy firewall using CCP
- Implement the Cisco Adaptive Security Appliance (ASA)
- Implement Network Address Translation (NAT) and Port Address Translation (PAT)
Cisco IPS
- Describe Cisco Intrusion Prevention System (IPS) deployment considerations
- Describe IPS technologies
- Configure Cisco IOS IPS using CCP
VPN Technologies
- Describe the different methods used in cryptography
- Describe VPN technologies
- Describe the building blocks of IPSec
- Implement an IOS IPSec site-to-site VPN with pre-shared key authentication
- Verify VPN operations
- Implement Secure Sockets Layer (SSL) VPN using ASA device manager
Summary
The newer exam has many areas which were covered in the previous exam. The differences include support for the newer Cisco Configuration Professional (CCP) tool which has replaced the Security Device Manager (SDM), support for basic ASA configuration and a few added objectives that widen the technology base of the candidate.
