CCNA Security Part 2: Perspectives on the Exam Content
Today’s post lists opinions, results, impressions, and so on of my review of the content of the CCNA Security exam – or, more literally, the IINS exam. To set the stage, I’m using the Cisco Press Cisco CCNA Certification Security Exam Cert Guide to predict the content of the IINS exam. I’ve looked over the entire book, created a summary doc of what’s in the book, and this AM, I sat back over a cup of coffee to ponder not only what’s there, but how it is different from the prerequisite CCNA cert. I’ve also formed a few opinions about what it would take for a newly minted CCNA to prep for this exam.
The first big impression is that the size of the effort to learn the configuration topics seems less than the CCNA (640-802) exam. If you look at the summary doc, and look at the table of configuration topics at the end, you’ll see some that require CLI, some that require SDM, and some that require both. Some of the line items in the table expand out to 20+ CLI config commands – e.g., the section about router login security expands to 20+ config commands, but most of them are straightforward. The most complicated CLI config in the book is probably the IPSec configuration, which just by itself is probably more detailed/complicated than any one topic in the CCNA exam. However, my view is that the sheer volume of CLI config on the IINS exam is less compared with base CCNA.
The next big difference is that CCNA Security includes config using the Cisco Security Device Manager (SDM) tool. This tool runs on a PC, creating a GUI, which in turn communicates with the router/switch. You follow the bouncing config wizards, and SDM then creates the CLI commands and blows them into the router or switch. The book includes several topics that are configured only with SDM, and not CLI, with some shown with both CLI and SDM. In my opinion, learning the SDM config is easier than learning the CLI config, just because the GUI intuitively links to the underlying concept, whereas the CLI commands can be less intuitive.
For example, take the SNMPv3 topic. The book explains SNMP, as well as the reasons why SNMPv3 is more secure than earlier versions. Then, it also includes SDM-only config, with the 5 or so GUI screen shots in the book showing the basic settings, all of which link specifically back to the concepts already discussed. In my opinion, if you know the concepts, but had never seen the SDM screens before the test, you could interpret the screen image and figure out the answer to a test question (assuming the exam uses SDM screen images).
The big bear on this exam though, in my opinion, is the security theory. I was surprised by the number of topics, and the detail. If you look at the summary document for the tables at the end, you can see two tables – the first lists all the topics that focus on concepts. I also took the time to add up all the pages in the “Foundation Topics” section of the chapters, ignoring the pages with exam prep material (e.g., pre-chapter assessment, practice suggestions, etc). There were 440 or so such pages, with roughly half devoted to concept/theory that was not then tied to a particular CLI command or SDM config action. It seemed like a large amount of new theory to me.
For my final general observation, I was surprised that there was little content focused on troubleshooting. The exam topics list the word “troubleshooting” once, and only in the intro to the exam topics – not in any specific topic. (The CCNA exam topics list 13 specific exam topics with “troubleshoot”, and CCNA Security came out after the current Cisco CCNA Training exam.) I looked for configuration and verification coverage in the book, watching to see things that looked like they were prepping the reader to be ready to t’shoot, and found only two topics – AAA and SSH – that might fall into that category. I would have expected to see maybe a little more depth into t’shooting, and maybe a little less on theory that, while interesting, discusses things that an engineer does not need to know in order to config/verify/t’shoot.
Next, let me draw a few conclusions. I’m basing these conclusions on what I’ve read in the book, and NOT based on what I’ve seen on the IINS exam – I’ve not even taken the exam at this point. (I must admit, I may just take it now, just to see, after doing this analysis.) But here’s my impression just on what I see:
While it’s best to practice on real/Emulator/Simulator for the hands-on skills, this may be a test that you could pass without doing any hands-on. Harder, certainly, and it is better to prep with some hands-on practice, but it is possible. Of course, one goal is to pass, another is to build the skills – and practicing is a must to build the skills.
A solid lab for hands-on practice, with real gear, does not require a lot. Best I can tell, you could get away with having a pair of routers, one switch, and preferably one PC on which to run Cisco Secure ACS server software, or maybe some alternative. You could live without a few pieces and do most of what’s there as well. For example, some of the router config relies on an external TACACS+/RADIUS server. If you can get a copy of Cisco Secure ACS, great, but if not, if you get a freeware/trial version of another TACACS+/RADIUS server, that may be good enough for practice. (I’ve seen links when googling to get free trial TACACS+ and/or RADIUS software – I’ve not tried it yet. Any of you found such a link yet?) The IOS would need to support all the features, including IPS, and you’d need SDM. But you wouldn’t need more hardware than you would have for base CCNA, and hopefully, what you already have will fit the bill. (OK, you might want a little more hardware, to have something to generate traffic for testing.) Next post, I’ll take a look at some lab requirements for CCNA Security.
The theory may require 2 reads through all such material, and maybe a 2nd source. Even if the Cisco Press Security ECG book is excellent at describing the theory, reading other descriptions can help as well. If you have no one to help you, and you don’t happen to get it with one book’s explanation, another’s may help.
So, let me know what you think. What else should be a challenge for this exam? What should be relatively easy? Any surprises? Thanks…