Time management is likely the biggest challenge for a prepared candidate. This is because within several of the questions, such as simulations, there may be several additional sub-questions that you need to answer before moving on to the next full question. This exam does not allow you to skip a question and review it later, and it is tempting to spend too much time on a single question or simulation.
For those who are not familiar with navigating the graphical user interfaces (GUI) of Cisco configuration professional (CCP) and the ASA security device manager (ASDM), it would be easy to burn a lot of time on any one of these simlets/simulations. Speed, regarding using the GUI is required to:
- Understand the action(s) (drop, pass, inspect, translate, etc) that would be taken on packets various packets that are attempting to move through a network device
- Interpret the policy and general details that are currently implemented, using the GUI or CLI
There are also challenges waiting for the unprepared candidate in these areas:
- Mitigation: understanding the correct countermeasure based on the type of attack that may threaten the network security
- ASA Firewalls: understanding the security levels, default flows of traffic and how stateful filtering operates. The ASA is brand new to the CCNA Security certification (640-554) and is likely to catch some students off guard.
- IPsec: understanding the individual components, what they do, and where they are used. Examples include the 5 elements and 3 stages of IKE phase 1, the modes for both IKE phase 1 and 2, encryption, symmetric vs. asymmetric, hashing, authentication and keys.
- SSL VPNs: knowing when and how they may be implemented, and the interrelation of Certificate Authorities (CAs), digital certificates and the Public Key Infrastructure (PKI)
- IOS Zoned Based Firewalls: understanding the stateful inspection that may occur, and its impact on traffic moving through the router, including the default traffic flow when between interfaces in various zones.
- AAA: knowing the characteristics of aaa new-model, and all that is associated with it, including ACS, local databases, TACACS+, RADIUS and how to configure routers, switches and AAA servers to interoperate. This would also include the ability to interpret AAA status from debug output.
All of the above content is covered in the new Cisco Press CCNA Security IINSv2 640-554 Official Cert Guide.