CCNA Security – 640-554
Posted on May 28, 2012
Out with the old and in with the new: Cisco is updating its well-known CCNA Security certification. Candidates who are studying for the older exam (640-553) are advised to take it on or before September 30th 2012. What has changed in the exam? For the most part, Cisco SDM is no longer covered, as it has reached its “End of Life”; Cisco Engineering stopped developing and testing the product on February 26th 2012. You can still renew support for the product (Cisco SmartNet) until March 24th 2013, and the last date the product will receive support is February 28th 2014; after that it becomes an old friend. Let’s compare the two CCNA Security exams (640-553 and 640-554) and see what has changed, what has been removed and what has been added.

I have compared these two exams side by side. If you look at the two lists, red on the older exam marks material that is no longer covered on the 640-554 exam, and blue on the new exam marks new material that is not covered on the 640-553 exam. For the most part, Cisco SDM is gone and Cisco Configuration Professional (CCP) takes its place. In addition, the new exam covers the Cisco ASA, walking you into the ASDM along with the different products and services the ASA offers.
CCNA Security Exam Topics – (640-553)

- Describe the security threats facing modern network infrastructures
- Describe and list mitigation methods for common network attacks
- Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks
- Describe the Cisco Self Defending Network architecture
- Secure Cisco routers
- Secure Cisco routers using the SDM Security Audit feature
- Use the One-Step Lockdown feature in SDM to secure a Cisco router
- Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements
- Secure administrative access to Cisco routers by configuring multiple privilege levels
- Secure administrative access to Cisco routers by configuring role based CLI
- Secure the Cisco IOS image and configuration file
- Implement AAA on Cisco routers using local router database and external ACS
- Explain the functions and importance of AAA
- Describe the features of TACACS+ and RADIUS AAA protocols
- Configure AAA authentication
- Configure AAA authorization
- Configure AAA accounting
- Mitigate threats to Cisco routers and networks using ACLs
- Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets
- Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI
- Configure IP ACLs to prevent IP address spoofing using CLI
- Discuss the caveats to be considered when building ACLs
- Implement secure network management and reporting
- Use CLI and SDM to configure SSH on Cisco routers to enable secured management access
- Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server
- Mitigate common Layer 2 attacks
- Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features
- Implement the Cisco IOS firewall feature set using SDM
- Describe the operational strengths and weaknesses of the different firewall technologies
- Explain stateful firewall operations and the function of the state table
- Implement Zone Based Firewall using SDM
- Implement the Cisco IOS IPS feature set using SDM
- Define network based vs. host based intrusion detection and prevention
- Explain IPS technologies, attack responses, and monitoring options
- Enable and verify Cisco IOS IPS operations using SDM
- Implement site-to-site VPNs on Cisco Routers using SDM
- Explain the different methods used in cryptography
- Explain IKE protocol functionality and phases
- Describe the building blocks of IPSec and the security functions it provides
- Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM

CCNA Security Exam Topics – (640-554)

Common Security Threats
- Describe common security threats

Security and Cisco Routers
- Implement security on Cisco routers
- Describe securing the control, data, and management plane
- Describe Cisco Security Manager
- Describe IPv4 to IPv6 transition

AAA on Cisco Devices
- Implement AAA (authentication, authorization, and accounting)
- Describe TACACS+
- Describe RADIUS
- Describe AAA
- Verify AAA functionality

IOS ACLs
- Describe standard, extended, and named IP IOS access control lists (ACLs) to filter packets
- Describe considerations when building ACLs
- Implement IP ACLs to mitigate threats in a network

Secure Network Management and Reporting
- Describe secure network management
- Implement secure network management

Common Layer 2 Attacks
- Describe Layer 2 security using Cisco switches
- Describe VLAN security
- Implement VLANs and trunking
- Implement spanning tree

Cisco Firewall Technologies
- Describe operational strengths and weaknesses of the different firewall technologies
- Describe stateful firewalls
- Describe the types of NAT used in firewall technologies
- Implement zone-based policy firewall using CCP
- Implement the Cisco Adaptive Security Appliance (ASA)
- Implement Network Address Translation (NAT) and Port Address Translation (PAT)

Cisco IPS
- Describe Cisco Intrusion Prevention System (IPS) deployment considerations
- Describe IPS technologies
- Configure Cisco IOS IPS using CCP

VPN Technologies
- Describe the different methods used in cryptography
- Describe VPN technologies
- Describe the building blocks of IPSec
- Implement an IOS IPSec site-to-site VPN with pre-shared key authentication
- Verify VPN operations
- Implement Secure Sockets Layer (SSL) VPN using ASA device manager