Security Fundamentals Study Guide
CCNA 200-301 Exam Domain 5 (15% of exam)
1. Security Concepts
CIA Triad
The foundation of information security rests on three principles:
Confidentiality
/\
/ \
/ \
/ \
/________\
Integrity Availability
Confidentiality: Only authorized users can access data
(Encryption, Access Controls)
Integrity: Data is accurate and unaltered
(Hashing, Digital Signatures)
Availability: Systems are accessible when needed
(Redundancy, Backups, DDoS Protection)
Security Terms
| Term |
Definition |
Example |
| Vulnerability |
Weakness that can be exploited |
Unpatched software, weak passwords |
| Threat |
Potential danger to an asset |
Hackers, malware, natural disasters |
| Exploit |
Method used to leverage vulnerability |
Buffer overflow attack code |
| Risk |
Probability of threat exploiting vulnerability |
Risk = Threat x Vulnerability x Impact |
| Mitigation |
Action to reduce risk |
Patching, firewalls, training |
Defense in Depth
Defense in Depth: Using multiple layers of security controls so that if one layer fails, others still protect the system. Like a castle with walls, moat, guards, and locks.
Defense in Depth Layers:
[Physical] → Locks, cameras, guards
|
[Network] → Firewalls, IPS, VPNs
|
[Host] → Antivirus, patches, hardening
|
[Application] → Input validation, authentication
|
[Data] → Encryption, access controls
|
[Policies] → Training, procedures, compliance
2. Common Security Threats
Malware Types
| Type |
Description |
Behavior |
| Virus |
Attaches to files/programs |
Requires user action to spread |
| Worm |
Self-replicating malware |
Spreads automatically over network |
| Trojan |
Disguised as legitimate software |
Hidden malicious functionality |
| Ransomware |
Encrypts data for ransom |
Demands payment for decryption |
| Spyware |
Monitors user activity |
Steals sensitive information |
| Rootkit |
Hides in OS at kernel level |
Very difficult to detect |
Network Attacks
DoS/DDoS Attack: Overwhelming a target with traffic to make it unavailable. DDoS uses multiple sources (botnet). Mitigation: Rate limiting, traffic filtering, CDN services.
Man-in-the-Middle (MITM): Attacker intercepts communication between two parties. Can read, modify, or inject data. Mitigation: Encryption (TLS/SSL), certificate validation.
Phishing: Social engineering via fake emails/websites to steal credentials. Variants: Spear phishing (targeted), Whaling (executives). Mitigation: Training, email filtering, MFA.
Password Attacks:
- Brute Force: Try all possible combinations
- Dictionary: Try common words/passwords
- Credential Stuffing: Use stolen credentials from breaches
Mitigation: Strong passwords, account lockout, MFA
Layer 2 Attacks
| Attack |
Method |
Mitigation |
| MAC Flooding |
Flood switch with fake MACs to overflow CAM table |
Port Security |
| VLAN Hopping |
Access other VLANs via DTP or double tagging |
Disable DTP, dedicated native VLAN |
| DHCP Spoofing |
Rogue DHCP server provides false gateway |
DHCP Snooping |
| ARP Spoofing |
False ARP replies to redirect traffic |
Dynamic ARP Inspection (DAI) |
| STP Attack |
Manipulate STP to become root bridge |
BPDU Guard, Root Guard |
Understand the relationship between attacks and mitigations: MAC Flooding → Port Security, DHCP Spoofing → DHCP Snooping, ARP Spoofing → DAI, VLAN Hopping → Disable DTP.
3. Access Control Lists (ACLs)
ACLs filter network traffic by permitting or denying packets based on criteria like source/destination IP, protocol, and port numbers.
ACL Types
| Type |
Number Range |
Filters By |
Placement |
| Standard (Numbered) |
1-99, 1300-1999 |
Source IP only |
Close to destination |
| Extended (Numbered) |
100-199, 2000-2699 |
Source/Dest IP, Protocol, Ports |
Close to source |
| Named (Standard/Extended) |
Text name |
Depends on type |
Based on type |
ACL Processing Rules
- Processed top-down, first match wins
- Implicit "deny all" at end of every ACL
- One ACL per interface, per direction, per protocol
- New entries added to the bottom
ACL Processing Flow:
Packet arrives
|
v
+-------------+ No +-------------+ No
| Match ACE 1 | ---------> | Match ACE 2 | ---------> ...
+-------------+ +-------------+
| Yes | Yes
v v
Permit/Deny Permit/Deny
| |
v v
Forward/ Forward/
Drop Drop
If no match after all ACEs → Implicit DENY → Drop
Wildcard Masks
Wildcard Mask: Inverse of subnet mask. 0 = must match, 1 = ignore (don't care).
| Subnet Mask |
Wildcard Mask |
Meaning |
| 255.255.255.255 |
0.0.0.0 |
Match exact IP (host) |
| 255.255.255.0 |
0.0.0.255 |
Match /24 network |
| 255.255.0.0 |
0.0.255.255 |
Match /16 network |
| 0.0.0.0 |
255.255.255.255 |
Match any IP |
Standard ACL Configuration
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny 10.0.0.0 0.255.255.255
Router(config)# access-list 10 permit any
Router(config)# ip access-list standard ALLOW_LAN
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ip access-group 10 in
Router(config-if)# ip access-group ALLOW_LAN out
Extended ACL Configuration
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config)# access-list 100 deny ip any any
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# permit tcp any host 10.1.1.100 eq 80
Router(config-ext-nacl)# permit tcp any host 10.1.1.100 eq 443
Router(config-ext-nacl)# deny ip any any log
Router(config-if)# ip access-group 100 in
Common ACL Keywords
| Keyword |
Meaning |
Example |
| host |
Match single IP (0.0.0.0 wildcard) |
host 192.168.1.10 |
| any |
Match all IPs (255.255.255.255 wildcard) |
any |
| eq |
Equal to port number |
eq 80 |
| gt |
Greater than port |
gt 1023 |
| lt |
Less than port |
lt 1024 |
| range |
Port range |
range 20 21 |
| established |
TCP with ACK/RST set |
established |
| log |
Log matches to syslog |
deny ip any any log |
ACL Verification
Router# show access-lists
Router# show ip access-lists
Router# show ip interface gigabitethernet 0/0
Router# clear access-list counters
Remember the placement rule: Standard ACLs close to destination (they only filter by source), Extended ACLs close to source (filter specifically, don't waste bandwidth).
4. Layer 2 Security
Port Security
Limits the number of MAC addresses allowed on a switch port to prevent MAC flooding attacks.
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address 0011.2233.4455
Switch(config-if)# switchport port-security mac-address sticky
Switch# show port-security interface fa0/1
Switch# show port-security address
Port Security Violation Modes
| Mode |
Discards Traffic |
Sends Alert |
Shuts Port |
Increments Counter |
| Protect |
Yes |
No |
No |
No |
| Restrict |
Yes |
Yes (syslog/SNMP) |
No |
Yes |
| Shutdown (default) |
Yes |
Yes |
Yes (err-disabled) |
Yes |
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
DHCP Snooping
Prevents rogue DHCP servers by filtering DHCP messages. Only trusted ports can send DHCP server messages (OFFER, ACK).
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config)# interface range fastethernet 0/1-24
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Dynamic ARP Inspection (DAI)
Validates ARP packets using the DHCP snooping binding table. Prevents ARP spoofing attacks.
Switch(config)# ip arp inspection vlan 10,20,30
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# ip arp inspection trust
Switch(config)# arp access-list STATIC_ARP
Switch(config-arp-nacl)# permit ip host 192.168.1.100 mac host 0011.2233.4455
Switch(config)# ip arp inspection filter STATIC_ARP vlan 10
Switch# show ip arp inspection
Dependency: DAI requires DHCP snooping to be enabled because it uses the DHCP snooping binding table to validate ARP packets. Static entries need ARP ACLs.
IP Source Guard
Prevents IP spoofing by validating source IP against DHCP snooping binding table.
Switch(config)# interface fastethernet 0/1
Switch(config-if)# ip verify source
Switch(config-if)# ip verify source port-security
Layer 2 Security Best Practices
- Enable port security on all access ports
- Use DHCP snooping to prevent rogue DHCP servers
- Enable DAI to prevent ARP spoofing
- Disable unused ports and put in unused VLAN
- Disable DTP on all access ports (switchport nonegotiate)
- Use dedicated native VLAN (not VLAN 1)
5. AAA (Authentication, Authorization, Accounting)
AAA Components
| Component |
Purpose |
Question Answered |
| Authentication |
Verify user identity |
Who are you? |
| Authorization |
Determine permitted actions |
What can you do? |
| Accounting |
Track user actions |
What did you do? |
AAA Protocols
| Feature |
RADIUS |
TACACS+ |
| Standard |
Open (RFC 2865) |
Cisco proprietary |
| Transport |
UDP (1812/1813) |
TCP (49) |
| Encryption |
Password only |
Entire payload |
| AAA Separation |
Combined |
Separate services |
| Best For |
Network access (802.1X) |
Device administration |
Local AAA Configuration
Router(config)# username admin privilege 15 secret AdminPass123
Router(config)# username helpdesk privilege 5 secret HelpPass456
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# aaa authentication login CONSOLE local
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config)# line console 0
Router(config-line)# login authentication CONSOLE
RADIUS/TACACS+ Configuration
Router(config)# radius server ISE
Router(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
Router(config-radius-server)# key SharedSecret
Router(config)# tacacs server ACS
Router(config-server-tacacs)# address ipv4 192.168.1.101
Router(config-server-tacacs)# key TacacsSecret
Router(config)# aaa authentication login default group radius local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# aaa accounting exec default start-stop group radius
RADIUS is best for network access (802.1X, VPN), TACACS+ is best for device administration. TACACS+ encrypts the entire packet; RADIUS only encrypts the password.
6. Wireless Security
Wireless Security Evolution
| Protocol |
Encryption |
Authentication |
Status |
| WEP |
RC4 (weak) |
Open/Shared Key |
Deprecated - Never use |
| WPA |
TKIP |
PSK or 802.1X |
Legacy - Avoid |
| WPA2 |
AES-CCMP |
PSK or 802.1X |
Current standard |
| WPA3 |
AES-GCMP-256 |
SAE or 802.1X |
Latest - Enhanced |
Personal vs Enterprise
Personal (PSK): Pre-Shared Key. Everyone uses the same password. Easy to set up but difficult to manage, especially when employees leave.
Enterprise (802.1X): Each user has unique credentials authenticated against RADIUS. Better security, auditing, and user management. Recommended for business.
WPA3 Improvements
- SAE (Simultaneous Authentication of Equals): Replaces PSK, resistant to offline dictionary attacks
- Forward Secrecy: Captured traffic can't be decrypted later even with password
- Protected Management Frames: Management frame protection mandatory
- 192-bit Security Suite: For high-security environments
Wireless Threats and Mitigations
| Threat |
Description |
Mitigation |
| Rogue AP |
Unauthorized access point on network |
Wireless IDS, rogue detection, 802.1X |
| Evil Twin |
Fake AP mimicking legitimate one |
Client certificate validation, EAP-TLS |
| Deauthentication Attack |
Force clients to disconnect |
802.11w (PMF), WPA3 |
| Eavesdropping |
Capturing wireless traffic |
WPA2/WPA3 encryption |
7. VPN Fundamentals
VPNs (Virtual Private Networks) create secure tunnels over public networks like the internet, allowing secure remote access and site-to-site connectivity.
VPN Types
| Type |
Use Case |
Technology |
| Site-to-Site |
Connect two office networks |
IPsec, GRE |
| Remote Access |
Individual users to corporate network |
SSL/TLS VPN, IPsec client |
| DMVPN |
Dynamic hub-and-spoke VPN |
GRE + NHRP + IPsec |
Site-to-Site VPN:
[Office A Network]---[Router]====(Internet)====[Router]---[Office B Network]
192.168.1.0/24 | | 192.168.2.0/24
| IPsec Tunnel |
+==========================+
Encrypted traffic over
public internet
IPsec Overview
IPsec is a framework of protocols providing authentication and encryption for IP packets.
| Protocol |
Purpose |
IP Protocol |
| IKE (Phase 1) |
Establish secure channel, authenticate peers |
UDP 500 (ISAKMP) |
| IKE (Phase 2) |
Negotiate IPsec SAs for data transfer |
UDP 500 |
| ESP |
Encryption + Authentication of data |
Protocol 50 |
| AH |
Authentication only (no encryption) |
Protocol 51 |
IPsec Modes
Tunnel Mode (Site-to-Site):
+------+--------+------+---------+
| New | ESP | Orig | Payload |
| IP | Header | IP | |
+------+--------+------+---------+
|<-- Encrypted -->|
Transport Mode (Host-to-Host):
+------+--------+---------+
| Orig | ESP | Payload |
| IP | Header | |
+------+--------+---------+
|<-- Encrypted -->|
SSL/TLS VPN
SSL/TLS VPN: Uses standard HTTPS (TCP 443) for VPN connectivity. Easier to deploy (no client software needed for clientless), works through most firewalls. Common for remote access VPN.
VPN Key Points
- Site-to-Site: Permanent tunnels between locations
- Remote Access: On-demand access for mobile users
- IPsec provides strong encryption (ESP)
- SSL/TLS VPN uses port 443, easier firewall traversal
- GRE provides tunneling without encryption; combine with IPsec
8. Firewall Concepts
Firewalls control traffic between networks based on security policies. They are essential for network perimeter security.
Firewall Types
| Type |
Description |
Layer |
| Packet Filter |
Basic ACL-style filtering |
L3-L4 |
| Stateful |
Tracks connection state |
L3-L4 |
| Application (Proxy) |
Inspects application data |
L7 |
| Next-Generation (NGFW) |
IPS, app awareness, user ID |
L3-L7 |
Stateful vs Stateless
Stateless (ACL):
- Examines each packet independently
- No knowledge of connection state
- Must permit both directions explicitly
Stateful Firewall:
- Tracks connection state (SYN, SYN-ACK, ACK)
- Return traffic automatically permitted
- Blocks unexpected packets (out of sequence)
Example:
+--------+ +--------+
| Client |----SYN------------>| |
| |<---SYN-ACK---------| Web |
| |----ACK------------>| Server |
| |----HTTP GET------->| |
| |<---HTTP 200--------| |
+--------+ +--------+
Stateful firewall:
- Permits outbound connection
- Automatically allows return traffic
- Blocks unsolicited inbound
Firewall Zones
Zone-Based Firewall: Interfaces are assigned to security zones. Policies define what traffic is allowed between zones. Default: traffic within a zone is permitted; between zones is denied.
Common Firewall Zones:
+-------------+
| Internet |
+------+------+
|
[Outside Zone]
|
+------+------+
| Firewall |
+------+------+
/ \
[Inside Zone] [DMZ Zone]
| |
Internal LAN Public Servers
(Trusted) (Semi-Trusted)
IPS vs IDS
| Feature |
IDS (Intrusion Detection) |
IPS (Intrusion Prevention) |
| Placement |
Out of band (monitors copy) |
Inline (traffic passes through) |
| Action |
Alert only |
Block, drop, alert |
| Latency |
None (passive) |
Some (processing) |
| Risk |
Attacks not stopped |
False positives block legitimate |
Know the difference: IDS only detects and alerts (passive), IPS detects and blocks (active/inline). Modern NGFWs include IPS functionality.
Security Key Takeaways
- Defense in Depth: Multiple layers of security
- Least Privilege: Give minimum necessary access
- Standard ACLs near destination, Extended near source
- Port Security, DHCP Snooping, DAI for Layer 2
- Use TACACS+ for device admin, RADIUS for network access
- WPA2/WPA3 Enterprise for business wireless
- IPsec for site-to-site, SSL VPN for remote access