CCNA Security: The Journey Begins... (Definitive Starting Guide)

Just yesterday I scheduled my CCNA Security exam. I felt this would be a good time to provide a starting tips for those who are not sure where to begin. In this post, I will address how to get to go about studying to get certified, talk about preparation materials, as well as lab setup choices.

Getting Started

Understanding what you will actually be tested on is an essential step for developing a study plan. First, I highly recommend familiarizing yourself with the official CCNA Security Syllabus, Exam Topics, and Exam FAQ. Take the time to figure out exactly what topics you may encounter on the exam. You should also take the time to familiarize yourself with Question Types and Exam Policies.

Now that you have a general understanding of what's covered, I will now cover different ways you can go about learning the material.

Option 1: Attend a Class or Bootcamp

Cisco offers top notch training through education partners. If you would like to learn using a structured curriculum this may be a viable option. Some of the advantages to this approach are:

• Access to world class Cisco Certified instructors
• Structured curriculum
• Pre-built labs to further hone your skills
• Exposure to concepts and ideas beyond just the certification
• Examinations
• Access to physical/virtual lab environments
• Lab environments based off real world scenarios

If this option interests you, I would advice using the Global Learning Locator to find a class near you. Out of pocket, these classes are typically pretty expensive. If you are currently employed or work for a Cisco Certified Partner, they may be willing to cover these costs for you. The cost for one of these classes can range anywhere from $3000-4000 USD. So check with your boss or your personal finances to determine whether this is a viable option.

Option 2: Attend a Cisco Networking Academy Course

Another option is to check out the actual Cisco Networking Academy program for the CCNA Security. Like Option 1, the CNA offers a structured curriculum for learning the concepts covered in the 640-554 exam. The CNA is on of the largest IT training academies worldwide with over 1,000,000 students, and 10,000 academies in over 100 countries. The offered CNA courses are available to both college and non-college students.

Use the Academy Locator to find an academy near you. As a NetAcad, student you will have access to:

• Structured curriculum developed through industry partnerships
• Pre-built labs to further hone your skills
• Packet Tracer simulation software (practice tool which simulates Cisco hardware)
• Cisco Certified instructors
• Online assessments and practice exams
• Chance to receive a certificate of completion and letter signed by John Chambers for completion of the program (first attempt grade 80% or above on final exam)
• Chance to receive a voucher (first attempt grade of 75% or above on final exam) which offers a substantial discount when you schedule your certification exam
• As a netacad student at the (CCNA level only) you are eligible to compete in the Cisco NetRiders Skills Challenge
• And many more benefits...

Some colleges and universities have also integrated the CNA as part of their degree programs. An additional benefit is that you could also receive college credit for attending the class. As a college undergrad, I attended both the CCNA Discovery, CCNA Exploration, and later the CCNP course as a grad student. My personal experience with the academy was very pleasant. The top notch curriculum through the CNA also made learning networking lots of fun. I cannot recommend the CNA enough.

If this option interests you, make sure to utilize the Academy Locator. The cost of this course is relative to the institution offering it. Make sure to ask this question when contacting an academy.

Option 3: Self Study

If you are highly self driven and motivated to learn, self studying is a great alternative (and cheaper) to a formal class. This is the route I opted for in my CCNA Sec studies. Ultimately, this path is more difficult to pursue. However, with a structured approach, you can master the 640-554 exam with relative ease.

Preparation Materials

Now I will talk about some free and also pay prep materials that will help you master the 640-554 exam. My personal recommendation is to combine both free materials as well as pay options for your studies.

    Free Options:

Cisco does offer some free prep materials for the IINS Exam. I would also recommend using youtube to your advantage. There are many video lessons freely available for your consumption. Also, consider joining a Study Group. CertCollection is also another great user community for studying a variety of IT exams. When having trouble understanding concepts, you would be surprised how a like minded community can help in explaining complex topics. Study groups and user forums are also a great source for GNS3 and Packet Tracer labs. Use these resources to your advantage.

    Pay Options:

Title: CCNA Security 640-554 Official Cert Guide and LiveLessons Bundle (Recommended)
Authors: Keith Barker, Scott Morris

The official cert guide is the definitive book I would recommend for those with prior exposure to information security. This book provides a concise and straight to the point discussion on all exam topics. It provides chapter quizzes as well as a companion disc with a practice test. Optionally, you can buy the premium upgrade (instructions provided in the book) which will give you access to additional practice exams. This book can be bought by itself or as a bundle with live lessons. I also highly recommend the live lessons which are from the author of the book as well.

Title: Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide (2nd Edition) (Foundation Learning Guides) (Optional)
Authors: Catherine Paquet

The Foundation Learning Guide books contain the same material covered in the Cisco Networking Academy program mentioned above. This book is great for those that are newer to the Information Security industry. If you do not have a background in Information Assurance, Security Design, and/or Encryption algorithms, you should think about picking up a copy. Unlike the cert guide, the author spends more time covering these topics. I would even go so far as to say some chapters could even be used for a general security design class. If you have little or no background in IS I highly recommend this book.

Title: CBT Nuggets: CCNA Security (Optional)
Authors: Keith Barker

This video training series is authored by the same author of the cert guide book. Keith does a great job of breaking down the exam topics and combines real world experience with classroom instruction. Definitely consider this product if you prefer video lessons over text based publications.

Title: CCNA Portable Command Guide (Optional)
Authors: Bob Vachon

The portable command guide series of books are great for quickly covering a lot of material really quick. Aside from quick command lookups this book also contains all the concepts/material covered in the other books mentioned in a quick format. This is a great resource for the final days before your exam or as an aid for your lab work.

Title: CCNA Security Lab Manual Version 1.1 (2nd Edition) (Recommended)
Authors: Cisco Networking Academy

This is the same lab manual used by the Cisco Networking Academy. This book is highly recommended since it provides all the same labs offered to NetAcad students. Great for all your hands on practicing needs.

One final website I will recommend is Safari Books Online. If you can afford the yearly $400 subscription fee, you will have access to all Cisco press books as well as certification books for a variety of companies/products.

Practice Exams

As mentioned previously, the official cert guide comes with a practice exam. Optionally you can also upgrade to the premium and receive access to additional practice exams. It's no secret there are many exam dumps out there from companies like Pass4Sure, Lead2Pass. If you have a .vce reader there are also many websites out there which contain exam dumps as well. Exam Collection has a large databank of these .vce files. Just remember, if you use a dump, make sure you understand the concepts behind the question/answers and not just the answer itself. Securitytut is also a good resource for practice lab simulations (using packet tracer) and practice questions.

Also, as previously mentioned, join a study group and user forums. Users regularly post questions as well as practice lab simulations online.

Lab Equipment

Ideally real equipment is the way to go. According to the lab manual presented above you will need:

• 3 1841 routers
• 3 2950-T switches
• 1 ASA 5505
• 3 desktop machines

You may be asking why couldn't I just replace the 1841's with 2600 series routers? The short answer is you can but unfortunately the 2600 series doesn't support zone based firewall or IOS IPS which is covered in the 640-554 exam. The longer do's and dont's discussion about purchasing lab equipment can be found here. You should also make sure the equipment your buying comes with IOS version 12.4 with advanced IP services.

Another alternative is to virtualize your lab equipment using GNS3. GNS3 by itself is not enough to practice everything covered in the 640-554 exam (most notably Layer 2 security). For my personal lab setup, I took a hybrid approach which only cost $90. I bought two 2960-TT-L switches and borrowed a 2621XM. I then used USB Ethernet NIC's (make sure they support VLAN tagging) to connect my physical equipment to my GNS3 virtualized topology.

In another post, I wrote about how I accomplished this using individual NIC's. In a subsequent post, I plan on discussing in more detail how to set up a hybrid lab in more depth using both individual NIC's and a breakout switch design. GNS3 can also be used to emulate the ASA as well. However, in order to obtain image files required by GNS3, you will need to have access to a Cisco CCO account. I won't link to any sites here, but I will also say you can find GNS3 supported IOS and ASA image files elsewhere on the internet.

Just as an example, my physical and GNS3 lab topologies for the Chapter 9 lab from the lab manual are illustrated below:

 

 

 

For reference, here is the original topology:

This lab setup gives me the flexibility to complete all the labs in the lab manual (including Layer 2 security) all for $90 - $140. Additionally, another option is to completely virtualize your lab in GNS3 and use Cisco's Packet Tracer for practicing layer 2 hardening. As you can say there are a variety of ways to setup a practice lab. I recommend the hybrid approach for the budget conscious.

Study Plan

This study plan assumes you 1.5 - 2 months worth of preparation time. If you have less, I recommend first taking a practice exam, then focus on the areas you are weakest. If your not sure if you fully understand a certain topic, write it down and keep going. Develop a algorithm (checklist) for different configuration tasks. Example:

For configuring a radius server:

• Configure hostname
• Configure enable secret and enable service password-encryption
• Configure AAA
• AAA new-model
• Create AAA authentication list with group radius
• Configure a radius server host (change auth port, accounting port, and configure a key)

Forming checklists like these will get you into good habits and will burn the configuration steps into your brain. Also make a list of all the different ways you can secure the Control, Data, and Management plane and study that list.

Assuming you bought the Cert guide, make sure to read the Introduction. They provide an already laid out study plan that I think you will find useful. In the first week, research common attacks on the network infrastructure and read the first 3 chapters of the cert guide. If you bought the foundation learning guide as well, make sure to read Chapters 1 and 2 as well. In week 1, also go through the Intro lab to make sure you can access your routers via CCP. You will have to know CCP and ASDM in and out come exam day.

Dedicate subsequent weeks to each Part of either book (ex. week 1 is dedicated to Part 1 so on and so forth). Ask questions in study groups if you are still unclear about something. Here is the general study plan I developed for myself. As a rough timeline I recommend doing the following:

• Week 1: Read part 1 of CertGuide or Foundation book. Perform intro CCP lab from the lab manual as well as lab Chapter 1 Lab A. Research online common attacks on network infrastructure.
• Week 2: Proceed by reading part 2 of either book. Perform labs Chapter 2 Lab A, Chapter 3 Lab A.
• Week 3: Read part 3 of either book and do labs Chapter 4 Lab A, Chapter 5 Lab A, and Chapter 6 Lab A.
• Week 4: Early in the week start reading Part 4 and work on Chapter 7 Lab A. Later in the week work on the Chapter 8 labs.
• Week 5: Keep working on labs. If you marked down topics you didn't fully understand go back and read again. Finish the week off with Chapter 9 Lab A (Challenge lab). At this point you should have been exposed to most of the material in the book. If time permits during this week, take your first practice exam.
• Remaining weeks until exam: Take the same approach as week 5. Work on the remaining labs. Review concepts you are not sure about. Keep taking practice exams.

Welp, that's all for this post! If you would like to contribute studying tips, please do so in the comments. Take care!