
CCNA Security Exam Cram (Exam IINS 640-553)




This book is no longer in print.


  • Copyright 2009
  • Edition: 1st
  • Book
  • ISBN-10: 0-7897-3800-7
  • ISBN-13: 978-0-7897-3800-4

In this book you’ll learn how to:

  • Build a secure network using security controls
  • Secure network perimeters
  • Implement secure management and harden routers
  • Implement network security policies using Cisco IOS firewalls
  • Understand cryptographic services
  • Deploy IPsec virtual private networks (VPNs)
  • Secure networks with Cisco IOS® IPS
  • Protect switch infrastructures
  • Secure endpoint devices, storage area networks (SANs), and voice networks


Eric Stewart is a self-employed network security contractor who finds his home in Ottawa, Canada. Eric has more than 20 years of experience in the information technology field, the last 12 years focusing primarily on Cisco® routers, switches, VPN concentrators, and security appliances. The majority of Eric’s consulting work has been in the implementation of major security infrastructure initiatives and architectural reviews with the Canadian Federal Government. Eric is a certified Cisco instructor teaching Cisco CCNA, CCNP®, and CCSP® curriculum to students throughout North America and the world.

CD Features MeasureUp Practice Questions!

This book includes a CD-ROM that features:

  • Practice exams with complete coverage of CCNA® Security exam topics
  • Detailed explanations of correct and incorrect answers
  • Multiple exam modes
  • Flash Card format
  • An electronic copy of the book



Sample Content

Online Sample Chapter

CCNA Exam 640-553 Exam Cram: Implementing Secure Management and Hardening the Router


Table of Contents

Introduction  1
    Organization and Elements of This Book  1
    Contacting the Author  4
Self Assessment  5
    Who Is a CCNA Security?  5
    The Ideal CCNA Security Candidate  6
    Put Yourself to the Test  8
    Exam Topics for 640-553 IINS (Implementing Cisco IOS Network Security)  10
    Strategy for Using This Exam Cram  12

Part I: Network Security Architecture

Chapter 1: Network Insecurity  15
    Exploring Network Security Basics and the Need for Network Security  16
        The Threats  16
        Other Reasons for Network Insecurity  18
        The CIA Triad  18
        Data Classification  21
        Security Controls  22
        Incident Response  25
        Laws and Ethics  26
    Exploring the Taxonomy of Network Attacks  29
        Adversaries  30
        How Do Hackers Think?  32
        Concepts of Defense in Depth  32
        IP Spoofing Attacks  34
        Attacks Against Confidentiality  36
        Attacks Against Integrity  38
        Attacks Against Availability  42
    Best Practices to Thwart Network Attacks  45
        Administrative Controls  45
        Technical Controls  46
        Physical Controls  46
    Exam Prep Questions  47
    Answers to Exam Prep Questions  50

Chapter 2: Building a Secure Network Using Security Controls  51
    Defining Operations Security Needs  52
        Cisco System Development Life Cycle for Secure Networks  52
        Operations Security Principles  54
        Network Security Testing  55
        Disaster Recovery and Business Continuity Planning  59
    Establishing a Comprehensive Network Security Policy  61
        Defining Assets  62
        The Need for a Security Policy  63
        Policies  64
        Standards, Guidelines, and Procedures  65
        Who Is Responsible for the Security Policy?  66
        Risk Management  67
            Principles of Secure Network Design  70
    Examining Cisco’s Model of the Self-Defending Network  73
        Where Is the Network Perimeter?  73
        Building a Cisco Self-Defending Network  74
        Components of the Cisco Self-Defending Network  75
        Cisco Integrated Security Portfolio  79
    Exam Prep Questions  81
    Answers to Exam Prep Questions  84

Part II: Perimeter Security

Chapter 3: Security at the Network Perimeter  87
    Cisco IOS Security Features  88
        Where Do You Deploy an IOS Router?  88
        Cisco ISR Family and Features  90
    Securing Administrative Access to Cisco Routers  91
        Review Line Interfaces  92
        Password Best Practices  94
        Configuring Passwords  94
        Setting Multiple Privilege Levels  97
        Configuring Role-Based Access to the CLI  98
        Configuring the Cisco IOS Resilient Configuration Feature  101
        Protecting Virtual Logins from Attack  102
        Configuring Banner Messages  104
    Introducing Cisco SDM  105
        Files Required to Run Cisco SDM from the Router  106
        Using Cisco SDM Express  107
        Launching Cisco SDM  108
        Cisco SDM Smart Wizards  110
        Advanced Configuration with SDM  111
        Cisco SDM Monitor Mode  113
    Configuring Local Database AAA on a Cisco Router  114
        Authentication, Authorization, and Accounting (AAA)  114
        Two Reasons for Implementing AAA on Cisco Routers  114
        Cisco’s Implementation of AAA for Cisco Routers  115
        Tasks to Configure Local Database AAA on a Cisco Router  116
        Additional Local Database AAA CLI Commands  120
    Configuring External AAA on a Cisco Router Using Cisco Secure ACS  121
        Why Use Cisco Secure ACS?  123
        Cisco Secure ACS Features  123
        Cisco Secure ACS for Windows Installation Requirements  124
        Cisco Secure ACS Solution Engine and Cisco Secure ACS Express 5.0 Comparison  125
        TACACS+ or RADIUS?  125
        Prerequisites for Cisco Secure ACS  126
        Three Main Tasks for Setting Up External AAA  127
        Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+  140
        AAA Configuration Snapshot  141
    Exam Prep Questions  142
    Answers to Exam Prep Questions  145

Chapter 4: Implementing Secure Management and Hardening the Router  147
    Planning for Secure Management and Reporting  148
        What to Log  149
        How to Log  150
        Reference Architecture for Secure Management and Reporting  151
        Secure Management and Reporting Guidelines  153
        Logging with Syslog  153
        Cisco Security MARS  154
        Where to Send Log Messages  154
        Log Message Levels  155
        Log Message Format  156
        Enabling Syslog Logging in SDM  156
        Using SNMP  157
        Configuring the SSH Daemon  161
        Configuring Time Features  165
    Using Cisco SDM and CLI Tools to Lock Down the Router  167
        Router Services and Interface Vulnerabilities  167
        Performing a Security Audit  172
    Exam Prep Questions  180
    Answers to Exam Prep Questions  182

Part III: Augmenting Depth of Defense

Chapter 5: Using Cisco IOS Firewalls to Implement a Network Security Policy  185
    Examining and Defining Firewall Technologies  187
        What Is a Firewall?  188
        Characteristics of a Firewall  189
        Firewall Advantages  189
        Firewall Disadvantages  190
        Role of Firewalls in a Layered Defense Strategy  190
        Types of Firewalls  190
        Cisco Family of Firewalls  201
        Firewall Implementation Best Practices  202
    Creating Static Packet Filters with ACLs  203
        Threat Mitigation with ACLs  203
        Inbound Versus Outbound  203
        Identifying ACLs  205
        ACL Examples Using the CLI  205
        ACL Guidelines  208
        Using the Cisco SDM to Configure ACLs  209
        Using ACLs to Filter Network Services  212
        Using ACLs to Mitigate IP Address Spoofing Attacks  213
        Using ACLs to Filter Other Common Services  216
    Cisco Zone-Based Policy Firewall Fundamentals  218
        Advantages of ZPF  220
        Features of ZPF  221
        ZPF Actions  221
        Zone Behavior  221
        Using the Cisco SDM Basic Firewall Wizard to Configure ZPF  224
        Manually Configuring ZPF with the Cisco SDM  233
        Monitoring ZPF  238
    Exam Prep Questions  241
    Answers to Exam Prep Questions  244

Chapter 6: Introducing Cryptographic Services  245
    Cryptology Overview  246
        Cryptanalysis  249
        Encryption Algorithm (Cipher) Desirable Features  251
        Symmetric Key Versus Asymmetric Key Encryption Algorithms  251
        Block Versus Stream Ciphers  254
        Which Encryption Algorithm Do I Choose?  255
        Cryptographic Hashing Algorithms  256
        Principles of Key Management  256
        Other Key Considerations  257
        SSL VPNs  259
    Exploring Symmetric Key Encryption  261
        DES  263
        3DES  264
        AES  265
        SEAL  266
        Rivest Ciphers (RC)  267
    Exploring Cryptographic Hashing Algorithms and Digital Signatures  268
        HMACs  270
        Message Digest 5 (MD5)  271
        Secure Hashing Algorithm 1 (SHA-1)  272
        Digital Signatures  272
    Exploring Asymmetric Key Encryption and Public Key Infrastructure  275
        Encryption with Asymmetric Keys  276
        Authentication with Asymmetric Keys  277
        Public Key Infrastructure Overview  277
        PKI Topologies  278
        PKI and Usage Keys  279
        PKI Server Offload and Registration Authorities (RAs)  280
        PKI Standards  280
        Certificate Enrollment Process  282
        Certificate-Based Authentication  283
        Certificate Applications  284
    Exam Prep Questions  286
    Answers to Exam Prep Questions  289

Chapter 7: Virtual Private Networks with IPsec  291
    Overview of VPN Technology  292
        Cisco VPN Products  293
        VPN Benefits  293
        Site-to-Site VPNs  294
        Remote-Access VPNs  295
        Cisco IOS SSL VPN  296
        Cisco VPN Product Positioning  297
        VPN Clients  299
        Hardware-Accelerated Encryption  300
        IPsec Compared to SSL  301
    Conceptualizing a Site-to-Site IPsec VPN  302
        IPsec Components  302
        IPsec Strengths  306
        Constructing a VPN: Putting It Together  307
    Implementing IPsec on a Site-to-Site VPN Using the CLI  315
        Step 1: Ensure That Existing ACLs Are Compatible with the IPsec VPN  315
        Step 2: Create ISAKMP (IKE Phase I) Policy Set(s)  316
        Step 3: Configure IPsec Transform Set(s)  318
        Step 4: Create Crypto ACL Defining Traffic in the IPsec VPN  319
        Step 5: Create and Apply the Crypto Map (IPsec Tunnel Interface)  320
        Verifying and Troubleshooting the IPsec VPN Using the CLI  321
    Implementing IPsec on a Site-to-Site VPN Using Cisco SDM  325
        Site-to-Site VPN Wizard Using Quick Setup  325
        Site-to-Site VPN Wizard Using Step-by-Step Setup  329
    Exam Prep Questions  337
    Answers to Exam Prep Questions  339

Chapter 8: Network Security Using Cisco IOS IPS  341
    Exploring IPS Technologies  342
        IDS Versus IPS  342
        IDS and IPS Categories  343
        IPS Attack Responses  347
        Event Management and Monitoring  349
        Host IPS  351
        Network IPS  354
        HIPS and Network IPS Comparison  355
        Cisco IPS Appliances  356
        IDS and IPS Signatures  357
        Signature Alarms  359
        Best Practices for IPS Configuration  360
    Implementing Cisco IOS IPS  362
        Cisco IOS IPS Feature Blend  362
        Cisco IOS IPS Primary Benefits  362
        Cisco IOS IPS Signature Integration  363
        Configuring Cisco IOS IPS with the Cisco SDM  364
        Cisco IOS IPS CLI Configuration  377
        Configuring IPS Signatures  378
        SDEE and Syslog Logging Protocol Support  381
        Verifying IOS IPS Operation  384
    Exam Prep Questions  387
    Answers to Exam Prep Questions  390

Part IV: Security Inside the Perimeter

Chapter 9: Introduction to Endpoint, SAN, and Voice Security  395
    Introducing Endpoint Security  396
        Cisco’s Host Security Strategy  397
        Securing Software  397
        Endpoint Attacks  399
        Cisco Solutions to Secure Systems and Thwart Endpoint Attacks  403
        Endpoint Best Practices  407
    Exploring SAN Security  407
        SAN Advantages  407
        SAN Technologies  408
        SAN Address Vulnerabilities  408
        Virtual SANs (VSANs)  409
        SAN Security Strategies  409
    Exploring Voice Security  411
        VoIP Components  411
        Threats to VoIP Endpoints  413
        Fraud  414
        SIP Vulnerabilities  414
        Mitigating VoIP Hacking  415
    Exam Prep Questions  418
    Answers to Exam Prep Questions  420

Chapter 10: Protecting Switch Infrastructure  421
    VLAN Hopping Attacks  422
        VLAN Hopping by Rogue Trunk  423
        VLAN Hopping by Double-Tagging  424
    STP Manipulation Attack  425
        STP Manipulation Attack Mitigation: Portfast  426
        STP Manipulation Attack Mitigation: BPDU Guard  427
        STP Manipulation Attack Mitigation: Root Guard  428
    CAM Table Overflow Attack  428
        CAM Table Overflow Attack Mitigation: Port Security  429
    MAC Address Spoofing Attack  429
        MAC Address Spoofing Attack Mitigation: Port Security  429
    Configuring Port Security  429
        Port Security Basic Settings  430
        Port Security Optional Settings  430
        Port Security Verification  433
    Miscellaneous Switch Security Features  434
        Intrusion Notification  434
        Switched Port Analyzer (SPAN)  435
        Storm Control  436
    Switch Security Best Practices  438
    Exam Prep Questions  439
    Answers to Exam Prep Questions  440

Part V: Practice Exams and Answers

Practice Exam 1  443
Answers to Practice Exam 1  461
Practice Exam 2  471
Answers to Practice Exam 2  487

Part VI: Appendixes

Appendix A: What’s on the CD-ROM  499
Appendix B: Need to Know More?  503

