Exam Profile: CCNA Security IINS 640-554
Date: Jun 22, 2012
The Cisco 640-554 Implementing Cisco IOS Network Security (IINSv2) exam is required for certification as a Cisco Certified Network Associate Security (CCNA Security). This exam will test your knowledge across a wide range of security products and techniques including the ASA firewall and security features on IOS routers and switches.
Exam Details
- Exam Number: 640-554
- Types of questions: Multiple-Choice (single and multiple answer), Drag-and-Drop, Sim, Simlet, Testlet
- Number of questions: 60 – 70
- Time limit: 90 minutes
- Passing Score: Varies
- How to register: Pearson VUE web site: http://www.vue.com
- Prerequisites: There are no prerequisites to sit the exam; however, a valid CCNA (Routing and Switching) certification is also required before the CCNA Security certification is awarded.
Trouble spots
Time management is likely the biggest challenge for a prepared candidate. Several questions, particularly the simulations, contain additional sub-questions that must all be answered before you can move on to the next full question. The exam does not allow you to skip a question and review it later, and it is tempting to spend too much time on a single question or simulation.
For those who are not familiar with navigating the graphical user interfaces (GUIs) of Cisco Configuration Professional (CCP) and the ASA's Adaptive Security Device Manager (ASDM), it is easy to burn a lot of time on any one of these simlets or simulations. You need to be fast enough in the GUI to:
- Determine the action (drop, pass, inspect, translate, etc.) that a network device would take on various packets attempting to move through it
- Interpret the policy and general configuration currently implemented, using either the GUI or the CLI
There are also challenges waiting for the unprepared candidate in these areas:
- Mitigation: understanding the correct countermeasure based on the type of attack that may threaten the network security
- ASA Firewalls: understanding the security levels, default flows of traffic and how stateful filtering operates. The ASA is brand new to the CCNA Security certification (640-554) and is likely to catch some students off guard.
- IPsec: understanding the individual components, what they do, and where they are used. Examples include the 5 elements and 3 stages of IKE phase 1, the modes for both IKE phase 1 and phase 2, symmetric versus asymmetric encryption, hashing, authentication and key management.
- SSL VPNs: knowing when and how they may be implemented, and the interrelation of Certificate Authorities (CAs), digital certificates and the Public Key Infrastructure (PKI)
- IOS Zone-Based Firewalls: understanding the stateful inspection that may occur and its impact on traffic moving through the router, including the default flow of traffic between interfaces in different zones, between interfaces in the same zone, and to or from interfaces that are not assigned to any zone.
- AAA: knowing the characteristics of aaa new-model and everything associated with it, including ACS, local databases, TACACS+, RADIUS, and how to configure routers, switches and AAA servers to interoperate. This also includes the ability to interpret AAA status from debug output.
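A worked router configuration for the AAA bullet above, added here as an example rather than taken from the Cert Guide or the exam. It uses the IOS 15.x server-name syntax (older images use tacacs-server host and radius-server host instead); the server names, addresses, shared keys and the CONSOLE method-list name are placeholders chosen for this illustration:

```cisco
! Added example (not from the Cert Guide). Login authentication via TACACS+,
! then RADIUS, then the local database, with the console pinned to local
! authentication so that an unreachable ACS cannot lock the administrator out.
!
! Local account used only when no AAA server answers.
username admin privilege 15 secret StrongLocalPassw0rd
!
! Turn on the AAA subsystem. From this point the legacy "login" / "login local"
! line commands are ignored; the method lists below decide how users log in.
aaa new-model
!
! AAA servers (placeholder address and keys).
tacacs server ACS-TACACS
 address ipv4 10.1.1.10
 key TacacsSharedKey
!
radius server ACS-RADIUS
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key RadiusSharedKey
!
aaa group server tacacs+ MY-TACACS
 server name ACS-TACACS
!
aaa group server radius MY-RADIUS
 server name ACS-RADIUS
!
! Method lists are tried left to right. IOS only moves to the next method when
! the current one returns an ERROR (server unreachable); a FAIL (bad password)
! ends the attempt, so "local" is a fallback, not a backdoor.
aaa authentication login default group MY-TACACS group MY-RADIUS local
aaa authentication login CONSOLE local
aaa authorization exec default group MY-TACACS local
aaa accounting exec default start-stop group MY-TACACS
aaa accounting commands 15 default start-stop group MY-TACACS
!
line console 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication default
 transport input ssh
```

Apply this from a console session that you keep open until a fresh SSH login has succeeded. To see the method-list walk the exam expects you to interpret, run debug aaa authentication and debug tacacs while logging in; test aaa group MY-TACACS admin <password> new-code exercises the server group without opening a session.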
All of the above content is covered in the new Cisco Press CCNA Security IINSv2 640-554 Official Cert Guide.
Preparation hints
The single most effective first step is to learn this content with the intention of being able to teach it to someone else, whether or not you ever need to. Studying as if you will have to teach the material makes you learn it more effectively and in less time, and you are far less likely to skim over content you do not really understand.
You should practice virtually everything that you study, both at the CLI and the GUI. If the topic is port security, you should practice implementing port security. If the topic is Cisco Configuration Professional (CCP), you should practice using and navigating CCP as you study. The same is true for ASDM, ACS, and the other topics covered. Much of the router IOS security can be practiced using live gear or GNS3, and this includes using CCP after you have logically integrated your PC or a virtual PC with the GNS3 environment. There are dozens of videos that explain how to do this integration, including some instructional videos on my YouTube channel Keith6783. A direct link to that channel is here.
For practice with TACACS+ and RADIUS using the Access Control Server (ACS) software, Cisco offers an evaluation license. Even with the evaluation license you will need a virtualization environment, such as VMware's ESXi (which is free), on which to run ACS.
Regarding the ASA firewall, public emulation of the current software (version 8.4(x)) has not been very successful, so you will likely want to either rent rack time or purchase a low-end ASA (a 5505 with the base license) that runs at least version 8.4. For Layer 2 switch security, live hardware, rented hardware or an emulator would be needed for practice.
Resources
The most cost-effective approach would be to use the Cisco Press CCNA Security IINSv2 640-554 Official Cert Guide, which is written by Keith Barker and Scott Morris (I admit, I am a little biased towards this book).
The Cisco Press 640-554 Official Cert Guide is streamlined and focuses on preparing a learner by explaining and demonstrating every topic listed on the blueprint for the 640-554 exam. That blueprint can be seen on Cisco's site by following this link. An account (free to set up and use) is required to access the blueprint.
Another training option would be to take the full IINSv2 course, offered by a Cisco authorized learning partner, where you would have access to the official course material and labs for your studies.
Regardless of which content you use to study and prepare, an excellent free resource is the Cisco Learning Network, which has discussion groups and lots of people ready to answer questions about the technologies and topics centered on Cisco certification. The link for the Cisco Learning Network (CLN) is here.
Exam topics
Cisco routers and switches
- Understanding common threats, including blended threats, and how to mitigate them.
- Describe the life cycle approach for a security policy.
- Understand and implement network foundation protection for the control, data, and management planes
- Understand, implement and verify AAA (authentication, authorization, and accounting) including the details of TACACS+ and RADIUS.
- Understand and implement basic rules inside of Cisco Access Control Server (ACS) version 5.x, including configuration of both ACS and a router for communications with each other.
- Standard, extended, and named access control lists used for packet filtering as well as for the classification of traffic
- Understand and implement protection against layer 2 attacks including CAM table overflow attacks, and VLAN hopping
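A switch configuration covering the Layer 2 bullet above, added as an example and not taken from the Cert Guide or the exam. Interface numbers and VLAN IDs are placeholders; the trunk encapsulation line is needed only on platforms that still support ISL:

```cisco
! Added example (not from the Cert Guide).
!
! Access port: port security caps the number of MAC addresses the switch will
! learn on the port, which defeats CAM-table overflow (MAC flooding) attacks.
! "restrict" drops offending frames and raises a syslog/SNMP notification while
! keeping the port up; the default "shutdown" err-disables the port instead and
! then needs "errdisable recovery cause psecure-violation" or a shut/no shut.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk: VLAN hopping relies on either negotiating a trunk with DTP or
! double-tagging frames so the outer tag matches the native VLAN. Disable DTP
! everywhere, move the native VLAN to an unused VLAN, and prune the allowed list.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Verification:
!   show port-security interface FastEthernet0/1
!   show port-security address
!   show interfaces trunk
```

On the exam, expect to read these show outputs rather than just type the commands: check the violation mode, the maximum and current address counts, and whether a trunk's native VLAN is in its allowed list.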
Cisco firewall technologies
- Understand and describe the various filtering methods implemented by firewalls, including stateful filtering, and their strengths and weaknesses.
- Understand the methods a firewall may use to implement network address translation (NAT) and port address translation (PAT).
- Understand, implement, and interpret a zone-based firewall policy through Cisco Configuration Professional (CCP)
- Understand and describe the characteristics and defaults for interfaces, security levels and traffic flows on the Adaptive Security Appliance (ASA).
- Implement and interpret a firewall policy on an Adaptive Security Appliance (ASA) through the GUI tool named the Adaptive Security Device Manager (ASDM).
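An ASA configuration illustrating the security-level defaults and the NAT plus ACL combination referred to in the firewall bullets above. It is added here as an example and is not from the Cert Guide; it assumes ASA 8.4 on a 5505 (hence VLAN interfaces), and all addresses, object names and ACL names are placeholders:

```cisco
! Added example (not from the Cert Guide). ASA 8.4 on a 5505, placeholder addresses.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Default behaviour before any ACL is applied (the defaults the exam asks about):
!   inside (100) -> outside (0) : permitted; the stateful engine records the
!                                 connection and lets the return traffic back in
!   outside (0)  -> inside (100): dropped
!   equal levels                : dropped unless same-security-traffic is set
!
! Publish one web server: static NAT, then an ACL on the lower-security
! interface. On 8.3 and later NAT is evaluated before the interface ACL, so the
! ACL must reference the real address (or the object), not the mapped address.
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
!
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside
!
! Caveat: applying an inbound ACL to an interface replaces its implicit
! higher-to-lower permit with the ACL's implicit deny. An ACL on "inside"
! therefore needs an explicit permit for the traffic you still want out.
access-list INSIDE-OUT extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE-OUT in interface inside
!
! Only required when two interfaces share a security level:
same-security-traffic permit inter-interface
!
! Verification:
!   show nameif
!   show nat
!   show running-config access-group
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
```

The packet-tracer line is the quickest way to check a policy in either ASDM or the CLI: it walks the packet through NAT, the ACL and inspection and reports which phase dropped it, which is exactly what the simlet questions ask you to work out from a configuration.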
Intrusion Prevention System
- Compare and contrast IPS versus IDS, including the pros and cons of each and the methods used by these systems for identifying malicious traffic.
- Describe the concepts involved with IPS, including true and false positives and negatives.
- Configure and verify IOS-based IPS using Cisco Configuration Professional (CCP)
VPN technologies
- Understand and describe the building blocks used for VPNs today, including symmetric and asymmetric encryption, hashing, IKE, PKI, authentication, Diffie-Hellman, certificate authorities, etc.
- Implement and verify IPsec VPNs on IOS using CCP and the command line interface (CLI).
- Implement and verify SSL VPNs on the ASA firewall, using ASDM
Where to go from here
Once you have both your CCNA in Routing and Switching (the prerequisite for CCNA Security) and have passed the CCNA Security exam, you will have a solid networking foundation to grow from. One possible next step is an additional CCNA certification in Voice or Wireless. Other options include building on your current knowledge and continuing to the Cisco Certified Network Professional (CCNP) certification in Routing and Switching, or to CCNP Security. The path you choose may be influenced by your interest in a specific technology, or by your current job responsibilities and goals.
Thanks for reading, and may you have the best of success in realizing your goals.