Quick review: Security – CCNA

What you really need to know

Security in CCNA concerns the basic controls needed to protect devices, access, traffic and network infrastructure. You should not think of security only as firewalls or antivirus: in a Cisco network, device hardening, authentication, authorization, ACLs, Layer 2 protections, segmentation, logging, updates and secure remote access all matter.

For CCNA, you need to understand which controls reduce risk, where they are applied and which problems they try to prevent. Many questions do not only ask for a definition, but which measure is most appropriate in a scenario.

The central point is this: network security is made of multiple layers. No single control is enough by itself.

Key concepts

• CIA triad: confidentiality, integrity and availability.
• Threat: something that can cause harm.
• Vulnerability: weakness that can be exploited by a threat.
• Risk: possibility that a threat exploits a vulnerability causing impact.
• Hardening: reduction of a device attack surface.
• AAA: Authentication, Authorization and Accounting.
• SSH: secure and encrypted remote access.
• Telnet: unencrypted remote access, to be avoided.
• ACL: rules that filter traffic.
• Port security: limits allowed MAC addresses on a switch port.
• DHCP snooping: protects against unauthorized DHCP servers.
• DAI: Dynamic ARP Inspection, protects against ARP spoofing.
• VPN: creates encrypted communications over untrusted networks.
• Segmentation: separates networks and reduces lateral movement.
• Logging: records events useful for monitoring, auditing and troubleshooting.

Differences not to confuse

Concept	Main meaning
Authentication	Verifies identity
Authorization	Defines what is allowed
Accounting	Records activities
SSH	Encrypted remote access
Telnet	Unencrypted remote access
ACL	Filters Layer 3/4 traffic
Port security	Controls MAC addresses on switch ports
DHCP snooping	Blocks unauthorized DHCP
DAI	Protects against ARP spoofing
VPN	Encrypts communications
Segmentation	Separates networks and limits impact

CIA triad

The CIA triad is one of the basic security concepts.

• Confidentiality: preventing unauthorized access to information.
• Integrity: preventing unauthorized or incorrect modifications.
• Availability: ensuring that systems and services are accessible when needed.

Examples:

• encryption and access control help confidentiality;
• hashing, controls and authorizations help integrity;
• redundancy, backups and protection from DoS attacks help availability.

For CCNA, you need to connect a scenario to the correct CIA principle.

Threats, vulnerabilities and risk

A threat is something that can cause harm, such as malware, attackers, human errors, misconfigurations or unauthorized access.

A vulnerability is a weakness, such as weak passwords, outdated software, unnecessarily open ports or insecure protocols.

Risk appears when a threat can exploit a vulnerability and cause impact.

Example:

• threat: attacker;
• vulnerability: Telnet enabled;
• risk: credential theft and unauthorized access to the device.

Device hardening

Hardening means making a device more secure by reducing unnecessary functions, weak configurations and attack surfaces.

Examples of hardening:

• using SSH instead of Telnet;
• disabling unnecessary services;
• using strong passwords;
• configuring correct privilege levels;
• using legal banners if required;
• limiting access to VTY lines;
• using ACLs for management access;
• disabling unused ports;
• updating firmware or software;
• saving and protecting configurations.

For CCNA, you need to remember that hardening means reducing opportunities for abuse and unauthorized access.

SSH vs Telnet

SSH and Telnet allow remote access to the CLI, but they have a fundamental difference.

• SSH encrypts communication.
• Telnet sends data in clear text.

In a secure scenario, SSH is the correct choice. Telnet can expose usernames and passwords to interception.

A secure remote access configuration may include:

• configured hostname;
• configured domain name;
• RSA keys;
• local username;
• strong passwords or secrets;
• VTY lines enabled only for SSH;
• ACLs to limit authorized source addresses.

Passwords and privileges

Passwords protect access to devices, but not all passwords have the same role.

Important concepts:

• console password;
• VTY password;
• enable password;
• enable secret;
• local users;
• privilege levels;
• password encryption in configuration.

Enable secret is preferred over enable password because it is stored in a more secure form.

For CCNA, you need to remember that passwords must be strong, protected and associated with appropriate privilege levels.

AAA

AAA means:

• Authentication: verifies who you are.
• Authorization: defines what you can do.
• Accounting: records what you do.

AAA can be managed locally or through external servers such as RADIUS or TACACS+.

Example:

• an administrator authenticates;
• the system verifies which commands they can use;
• their activities are recorded.

AAA is important because it centralizes and better controls access, permissions and tracking.

RADIUS and TACACS+

RADIUS and TACACS+ are protocols used for centralized AAA.

General concepts:

• RADIUS is often used for network access authentication, VPNs and wireless.
• TACACS+ is widely used in Cisco environments for device administration and more granular command control.

For CCNA, you do not need to know every deep detail, but you should know that both can support centralized authentication.

ACL

ACLs, Access Control Lists, filter traffic based on criteria such as:

• source IP address;
• destination IP address;
• protocol;
• port;
• direction;
• interface.

General types:

• Standard ACLs: mainly filter based on source.
• Extended ACLs: can filter source, destination, protocol and ports.

ACLs are powerful but must be ordered carefully.

Important rules:

• they are read from top to bottom;
• the first match decides;
• there is a final implicit deny;
• direction and interface are fundamental.

Common ACL mistakes

The most common mistakes are:

• rules in the wrong order;
• forgetting the implicit deny;
• applying the ACL to the wrong port or interface;
• applying it inbound instead of outbound;
• blocking required return traffic;
• using incorrect wildcard masks;
• writing rules that are too broad;
• forgetting to allow required services such as DNS or DHCP.

In CCNA quizzes, if an ACL looks correct but traffic does not pass, always check order, direction and implicit deny.

Segmentation

Segmentation divides the network into separate zones or domains.

It can be done with:

• VLANs;
• subnets;
• ACLs;
• firewalls;
• VRF in more advanced scenarios;
• separate guest networks;
• DMZ in more structured architectures.

Segmentation helps to:

• limit lateral movement;
• separate users and servers;
• protect sensitive networks;
• apply different policies;
• reduce the impact of a compromise.

For CCNA, you need to remember that different VLANs do not communicate without routing, and routing can be controlled by ACLs or firewalls.

Layer 2 security

Many attacks happen at Layer 2, so protecting only routing is not enough.

Common Layer 2 threats:

• MAC flooding;
• rogue DHCP server;
• ARP spoofing;
• VLAN hopping;
• unauthorized physical access;
• connection of unauthorized devices.

Useful controls:

• port security;
• DHCP snooping;
• Dynamic ARP Inspection;
• disabling unused ports;
• assigning unused ports to unused VLANs;
• avoiding VLAN 1 for important traffic;
• configuring trunks only where necessary.

Port security

Port security limits which MAC addresses can use a switch port.

It is especially useful on access ports toward end devices.

It can use:

• static MAC addresses;
• dynamic MAC addresses;
• sticky MAC addresses.

Violation actions:

• protect: drops unauthorized traffic without detailed logs;
• restrict: drops and may generate logs or counters;
• shutdown: places the port into err-disabled state.

In CCNA, shutdown is often the most severe default behavior.

DHCP snooping

DHCP snooping protects against unauthorized DHCP servers.

It works by distinguishing:

• trusted ports;
• untrusted ports.

Ports toward legitimate DHCP servers or controlled uplinks can be trusted. Ports toward end users should usually be untrusted.

If a device on an untrusted port tries to send DHCP responses, DHCP snooping can block them.

This helps prevent a rogue DHCP server from distributing malicious gateways or DNS servers.

Dynamic ARP Inspection

Dynamic ARP Inspection, or DAI, protects against ARP spoofing and ARP poisoning.

DAI verifies ARP messages by comparing them with trusted information, often derived from the DHCP snooping binding table.

Important concept:

• DHCP snooping builds a trusted base;
• DAI uses that base to validate ARP.

DAI is a useful Layer 2 control against attacks that try to redirect traffic or intercept local communications.

VLAN hopping

VLAN hopping is an attack in which a host attempts to access traffic from VLANs other than the one assigned.

Common countermeasures:

• disable automatic trunking where it is not needed;
• configure user ports as access ports;
• do not use VLAN 1 for important traffic;
• use an unused native VLAN;
• prevent access ports from negotiating trunks;
• limit allowed VLANs on trunks.

For CCNA, you need to remember that ports toward end users should not become trunks.

VPN

A VPN creates an encrypted tunnel through an untrusted network, such as the Internet.

It can be used for:

• remote user access;
• site-to-site links;
• traffic protection between sites;
• secure connections to corporate resources.

A VPN protects traffic in transit, but it does not replace strong authentication, ACLs, firewalls, patching and monitoring.

Logging and monitoring

Logging and monitoring help detect problems, analyze incidents and verify suspicious activities.

Examples:

• successful and failed logins;
• configuration changes;
• interfaces up/down;
• ACL events;
• protocol errors;
• security alerts;
• Syslog messages.

Centralizing logs helps because a device may lose local logs after a reboot or run out of memory.

For CCNA, you need to remember that logging is useful both for troubleshooting and for security.

Updates and patching

Updating devices and software reduces the risk of known vulnerabilities.

Patching must be controlled:

• verify version;
• read release notes;
• plan a maintenance window;
• back up configuration;
• test when possible;
• plan rollback;
• document the change.

An outdated device may be vulnerable even if it is well configured.

Wireless security

Wireless networks also require specific controls.

Best practices:

• use WPA2 or WPA3;
• avoid WEP;
• use strong passwords if PSK;
• prefer 802.1X/RADIUS in enterprise environments;
• separate guest networks;
• use dedicated VLANs;
• limit access to the internal network;
• monitor unauthorized APs;
• correctly manage controllers and policies.

Wireless is not only signal: it includes authentication, encryption, VLANs, DHCP, DNS and policies.

Operational best practices

General good practices:

• use SSH;
• disable Telnet;
• protect console and VTY access;
• use enable secret;
• limit management access with ACLs;
• disable unused ports;
• use separate VLANs;
• document changes;
• back up configurations;
• enable logging;
• update devices;
• apply the principle of least privilege.

These measures do not eliminate all risks, but they greatly reduce the attack surface.

Security troubleshooting

When a problem seems security-related, check:

• applied ACLs;
• ACL direction;
• rule order;
• implicit deny;
• VTY lines;
• SSH configuration;
• credentials;
• privilege level;
• port security;
• DHCP snooping;
• DAI;
• VLANs and trunks;
• firewalls or external policies;
• device logs.

Example: if a user cannot access via SSH, the issue may be password, local user, RSA keys, VTY, management ACL or IP reachability.

Common quiz mistakes

• Thinking that Telnet is as secure as SSH.
• Confusing authentication and authorization.
• Forgetting accounting in AAA.
• Thinking that ACLs do not have implicit deny.
• Applying ACLs in the wrong direction.
• Confusing port security with ACLs.
• Thinking that DHCP snooping blocks all DHCP.
• Forgetting that DAI protects against ARP spoofing.
• Thinking that a VPN replaces firewall and authentication.
• Thinking that VLAN automatically means complete security.
• Forgetting to protect unused switch ports.
• Thinking that logging is useful only after a major incident.
• Using WEP in secure wireless scenarios.

Mini exam scenario

An administrator wants to prevent users from connecting unauthorized devices to switch access ports. The most appropriate solution is to use port security, limiting the MAC addresses allowed on the port.

Another scenario: an attacker connects an unauthorized DHCP server and tries to distribute malicious gateways to clients. The most appropriate protection is DHCP snooping, correctly configuring trusted and untrusted ports.

Mini checklist before the quiz

Before starting the quiz, you should be able to explain:

• what the CIA triad means;
• the difference between threat, vulnerability and risk;
• what hardening means;
• why SSH is preferred over Telnet;
• what AAA means;
• the difference between authentication, authorization and accounting;
• what standard and extended ACLs do;
• why implicit deny is important;
• what port security does;
• what DHCP snooping is used for;
• what Dynamic ARP Inspection is used for;
• why segmentation reduces risk;
• what a VPN is used for;
• why logging and patching are important controls.