41 Replies. Latest reply: Mar 12, 2019 11:33 AM by waninae39

    Passed the CCNA-Security Exam - My view of the exam

    Daniel

      Hi,

      I know it's late, but I still feel like I want to give my objective view of what this exam is all about and what type of content it includes (within the NDA, of course).

      In short: the stories are true, the OCG is almost of no use to pass this exam. If I weren't working with a lot of different Cisco technologies (thanks to my work) I would not be able to pass this exam.

      It doesn't go very deep in most topics, but it covers a lot of topics that just aren't included in the books that are supposed to cover this exam.

      My passing score was a tight one, a very, very tight one (860/860), and it didn't feel like I could do much more to increase it based on the OCG and the book from the Networking Academy.

      Let's consider some of the topics from this exam.

      • Security concepts (12%)
      • Secure Access (14%)
      • VPN (17%)
      • Secure Routing & Switching (18%)

      Let's consider those topics for a while.

      We can always argue about what should be included in these bullet points, but in general I think most would agree that:

      • Security concepts = general security terminology.
      • Secure Access = how to secure who may access your network.
      • VPN = obviously, how to work with VPN technologies.
      • Secure Routing & Switching = how to secure the infrastructure.

      These topics cover 60% of the exam and are topics that most of us would say are "good to know if you are working with security" on a day-to-day basis.

      Now with that in mind, you could make a fair assumption that around 6/10 questions would focus on those topics, since that's what the blueprint says it should include.

      If we consider the rest of the topics:

      • Cisco Firewall Technologies (18%)
      • IPS (9%)
      • Content and Endpoint Security (12%)

      I think it's a fair assumption that we could place those questions into something like this:

      • Cisco Firewall Technologies = how the ASA works, along with Firepower/Sourcefire.
      • IPS = either configuration of IPS or deployment of IPS solutions from a security perspective.
      • Content and Endpoint Security = how to protect end users and filter the content that end users are trying to access.

      These cover the remaining 40% of the questions, with a strong focus on the ASA. So it's a fair assumption that we can expect about 4/10 questions to be based around these concepts, or rather 40% of the points during the exam.

      Before I give you my view of the exam, let me tell you what I expected from this exam when I walked into it.

      What I thought would be included, based on the above topics, at a CCNA level of security understanding:

      - In general a lot of "basic" security stuff, for example port security, private VLANs, white hat hackers, black hat hackers, honeypots, worms, viruses, malware, proxies, firewalls... you name it; just some basic understanding of security.

      - How to actually configure your network to be "protected" from most things.

      - General information about how various security-related products work and what they can mitigate (IPS, IDS, firewalls, VLANs, access lists, proxies etc.).

      - Some information about the other Cisco security technologies, but nothing major (like Talos, Stealthwatch, Firepower/Sourcefire).

      - How to protect your VPN tunnels in various tunnel modes, site-to-site, client VPNs etc. IPsec and that sort of stuff.

      And more like that. Like I said, at a very basic level of security understanding. I don't expect a CCNA-level exam to dig deep enough to discuss various modes or protocol-level specifics. After all, we have the CCNP+ for that sort of stuff. Especially when a LOT of the exam objectives say things like this:

      • Describe SIEM technology
      • Describe confidentiality, integrity, availability (CIA)
      • Describe social engineering
      • Describe hash algorithm
      • Describe digital signatures, certificates, and PKI
      • Describe RADIUS and TACACS+ technologies
      • Describe authentication and authorization using ACS and ISE
      • Describe the BYOD architecture framework
      • Describe hairpinning, split tunneling, always-on, NAT traversal
      • Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
      • Describe STP attacks
      • Describe ARP spoofing
      • Describe MAC spoofing
      • Describe CAM table (MAC address table) overflows
      • Describe CDP/LLDP reconnaissance
      • Describe VLAN hopping
      • Describe DHCP spoofing
      • Describe the security implications of a PVLAN
      • Describe the security implications of a native VLAN
      • Describe mitigation technology for email-based threats
      • Describe mitigation technology for web-based threats
      • Describe mitigation technology for endpoint threats
      • ...and so on

      Needless to say, I think the exam objectives are very much aligned with what I expected from this type of exam. Not so much about implementation, and much more about explaining some security-related scenarios at a high-level overview.

      Man... I was so wrong, and those objectives are SO out of line!

      I'm not complaining about the quality of the questions or how easy they were to actually understand. But I think it's fair to say that these objectives are clear: you need to be able to DESCRIBE what these technologies are and what you can use them for. It doesn't say implement, it DOESN'T say UNDERSTAND. It says DESCRIBE!

      My advice to anyone taking this exam is: unless you know exactly how to also implement these technologies, don't take this exam.

      The questions were NOT based around the "describe" keyword; they were more focused on "implement, verify, troubleshoot and understand" type scenarios. For example, in the VPN section, where the points say:

      3.2 Remote access VPN

      • 3.2.a Implement basic clientless SSL VPN using ASDM
      • 3.2.b Verify clientless connection
      • 3.2.c Implement basic AnyConnect SSL VPN using ASDM
      • 3.2.d Verify AnyConnect connection
      • 3.2.e Identify endpoint posture assessment

      Pretty much all questions from all the other exam topics were based around this.

      I think it's a bit unfair, considering that it makes sense that you need to be able to understand the above requirements during your exam. But when it says "describe" I don't expect anyone to actually need to know protocol-specific stuff, or even deep knowledge about how you would do it.

      That's probably where most people taking this exam and failing it will fail the exam.

      Describe = much deeper than Describe.


      From my personal perspective, I did very badly on this exam if I look at the complete scoring report. A lot of topics < 80%, which is not where I'm used to scoring.

      Security concepts = 75%

      Secure Access = 80%

      VPN = 75%

      Secure Routing & Switching = 77% (my strongest security knowledge at work, so very surprised about this score)

      Cisco Firewall Technologies = 69% (fair, or at least I expected this to be low since I rarely work with the ASA)

      IPS = 100% (expected a high score, have done a lot of IPS)

      Content and Endpoint Security = 63% (really surprised to see this low a score since I do a lot of proxy/NAC stuff)

      At the end of the day though, what I wanted to show you with this post was that reading the book is not enough to pass the exam. You must do a lot of labs and implementations with the technologies, or you just won't stand a chance of passing this exam.

      What do I think about it?

      I remember I talked with Matt Saunders about it during CLEU and gave my honest opinion about it.

      I said that I thought the questions were fair from the perspective that employers probably want you to know this stuff if you have CCNA Security. But at the same time, it was not aligned at all with the level that you think you need to know in order to pass the exam. I also mentioned that I had no issues at all with the SIM that everybody is having issues with; everything worked.

      My honest opinion is that this felt more like a mix between a CCNP exam and a CCNA exam, and that it wasn't bad at all. It just wasn't the depth that you would expect from reading the blueprints.

      The exam is FAIR. It's difficult! It's a good one!

      ...but it's just a bit unfair that they go too deep on stuff that they don't hint about in the blueprints.

      What is my main problem with this exam?

      I feel like I have hinted at it at the beginning of this post.

      The books you have to read just don't cover it any deeper than the "describe" part for the "describe" part.

      Now if we look at it from that perspective, the books are about 80% DESCRIBE-depth while covering about 20% IMPLEMENTATION depth.

      While the exam itself is reversed, with roughly 80% based on IMPLEMENTATION and 20% based on DESCRIBE-depth.

      That's my main problem with this exam. It's just unfair for students/people paying for this exam to study at the "describe" level only to find out that during the exam they are going to be tested at the "implementation" level.

      I don't expect Cisco to do anything about it; considering how many people have actually discussed this exam here on CLN and other places, this exam seems to be one of the most discussed ones from an exam-quality perspective. I didn't have any problems with the quality of the exam at all, just to be clear. Only with the blueprint-to-question depth!

      Hopefully this post will help some students to focus their studies beyond the Describe depth in order to pass their exam!

      -HTH

      Daniel

        • 1. Re: Passed the CCNA-Security Exam - My view of the exam
          Juergen Ilse CCNA R&S

          Thanks for your detailed report. And again congratulations (I congratulated you already at CLEUR). I'm sure your detailed report will be very helpful for future candidates for this exam (me included).

          • 2. Re: Passed the CCNA-Security Exam - My view of the exam
            Michelle

            Daniel,

            Congratulations!

            Thank you for your views on this exam. I am currently studying for it now. I appreciate your depth and will heed your warning.

            Since I am a beginner, I have loaded up on study materials, including 3 video series, the CCNA Lab Manual (2nd edition), the OCG, Cisco Next-Generation Security Solutions (Omar Santos), Boson Practice Labs and Practice Exams. I am undecided about purchasing a 5506-X or 5510 ASA.

            Because of your thorough synopsis, I will push my exam back until I am confident about passing this exam.

            Awesome review!!! Again, congrats on the cert and thanks for your thoughts.

            • 3. Re: Passed the CCNA-Security Exam - My view of the exam
              Brandon

              Thanks for your take on the exam and topics. I've noticed that Cisco's exam topics for a few of their certifications need to be reviewed and updated, including the CCNP R&S.

              In the CCNP R&S forum there was a rant someone had about the Official Cert Guide and certain subjects needing to be more in depth. From that I learned that the OCGs are written by Pearson but are authorized to put the Cisco logos on the book. That said, it's better to try and find the official Cisco documentation online for much of this stuff.

              • 4. Re: Passed the CCNA-Security Exam - My view of the exam
                jeromehill

                Hello Everyone.

                I'm just beginning this journey again after a long time away. Let's assume that the books aimed at CCNA-Sec just don't have the depth needed to pass the actual exam at the level of being able to implement/verify/troubleshoot the technologies that they only say you have to describe.

                So here is my question. Since I haven't purchased any books yet, should I just get CCNP-Sec books and head straight for the more in-depth material on all the subjects listed in the CCNA-Sec OCG?

                If this is the case, which books should I get? I still have to work on a long-term solution for practice labs and I don't think VIRL is set up for most of the security work.

                Thanks in advance for any help provided

                • 5. Re: Passed the CCNA-Security Exam - My view of the exam
                  Peter McKenzie

                  Hi Jerome,

                  I reckon labs are essential for security. Many people on this site have stumbled on the exam.

                  As the poster above says: implement, implement.

                  This allows you to understand a lot of the security principles in the exam.

                  When I did my exam I labbed it and studied books from both CCNA Security and Security+ to get a good grasp of the theory.

                  • 6. Re: Passed the CCNA-Security Exam - My view of the exam
                    Daniel

                    Hi Jerome,

                    jeromehill wrote:

                    Hello Everyone.

                    I'm just beginning this journey again after a long time away. Let's assume that the books aimed at CCNA-Sec just don't have the depth needed to pass the actual exam at the level of being able to implement/verify/troubleshoot the technologies that they only say you have to describe.

                    So here is my question. Since I haven't purchased any books yet, should I just get CCNP-Sec books and head straight for the more in-depth material on all the subjects listed in the CCNA-Sec OCG?

                    If this is the case, which books should I get? I still have to work on a long-term solution for practice labs and I don't think VIRL is set up for most of the security work.

                    Thanks in advance for any help provided

                    I have to say that the best advice I can give you for this is: use the official book provided by the Cisco Networking Academy.

                    It's just a VERY good book to start with, and it WILL cover all the topics included in the exam.

                    I've read a couple of the books aimed towards CCNA or CCNP Security, and I always find that the best book that covers everything is the book by the Cisco Networking Academy. I promise you that if you go with that book, then from a THEORY perspective you will cover all the ground needed to pass!

                    You can always go for the CCNP books, but IMO that's not the intended level of depth for this exam. The main problem you will have if you just look at the blueprints is simple: you need to actually implement stuff, not just describe it.

                    That means you also must be able to verify and troubleshoot the theory (which makes sense from the engineering and employee perspective). That is the piece that they left out of the blueprints. So unless you also know how to implement, verify and troubleshoot those concepts, you are not going to get a very good score on the exam.

                    Mind also that the CCNA Security has a very high passing score of 86%, which makes this a very tough exam with room for very few mistakes to get a pass.

                    Long-term solutions to practice the labs required for CCNA Security would work with GNS3, as long as you have the IOS versions to run in GNS3. Basically, I think you are in a much better position for this exam if you have little or no prior experience with Cisco technologies from working with them as an engineer.

                    This exam uses a lot of outdated, unused tools to set up and configure your devices, stuff that no sane engineer would be using in a production network due to the security flaws and risks involved in using those tools. That may sound harsh, but as of today Cisco still does not have a decent tool for enterprise management of firewalls with tons of VPN connections and advanced NAT. So most people will do it the old-fashioned CLI way, and here you are tested on CCP & ASDM, which are almost not in use at a professional level.

                    I believe that if you have no prior experience working with Cisco equipment, your mindset finds it easier to accept the use of such poor tools. That probably was my most difficult part: to study and use tools I know are not working well in the real world.

                    All those tools work fine with your GNS3 or VIRL, and I believe that for this exam you can use VIRL to cover the topics. GNS3 would work as well. Even Packet Tracer gets you a long way.

                    Just learn how to use ASDM and you will save yourself a lot of trouble.

                    -HTH

                    Daniel

                    • 7. Re: Passed the CCNA-Security Exam - My view of the exam
                      Caleb

                      It sounds like they just recycled questions from the CCNP exams and put them in the CCNA-Sec. I know that's pushing it, but it seems possible at this point. I mean, even Keith Barker from CBT Nuggets has you go watch CCNP videos the majority of the time.

                      If you really mean that we have to implement all the technologies in the exam, then it sounds exactly like the CCNP. I mean, just look at this - SITCS Exam Topics. Everything is 'Implement.' The questions may just not be AS difficult. I'm taking the Boson exam practice test and what you say is starting to make sense. When reading the questions, I thought that there's no way I could know this without labbing it.

                      • 8. Re: Passed the CCNA-Security Exam - My view of the exam
                        Daniel

                        Hi Caleb,

                        It sounds like they just recycled questions from the CCNP exams and put them in the CCNA-Sec. I know that's pushing it, but it seems possible at this point. I mean, even Keith Barker from CBT Nuggets has you go watch CCNP videos the majority of the time.

                        I've not read any official statement that this is how it works, but looking back in time it makes sense. Usually something new is added at CCNA that was previously in CCNP. When CCNP is revoked and redesigned, they push something down from CCIE. Then the CCIE version gets the new stuff.

                        So yeah, I think that is in line with how many people are working. The very senior guys (CCIEs) deal with the very latest stuff and try to do something fancy with it. Then when it's still advanced and complex, yet tried and implemented in various networks, it's pushed down to the CCNP guys. These guys work with the advanced stuff on a day-to-day basis, redesigning and everything. Then it's pushed down to CCNA level when it's considered "best practice and general knowledge", but without the depth.

                        I'm being very drastic and simplifying it, of course. What I mean is that it makes sense to push topics down to CCNA that were previously at CCNP or CCIE level. But of course not at the depth that NP or IE requires you to understand.

                        My personal opinion is that it's safe to assume that you are going to see CCNP stuff down at the CCNA level until they release a new exam at CCNP level as well. Given the latest changes to the CCIE program, it more or less confirms that Cisco's idea with the CCIEs is that they will be the guys required to know the latest stuff, while later pushing it down in the hierarchy.

                        If you really mean that we have to implement all the technologies in the exam, then it sounds exactly like the CCNP. I mean, just look at this - SITCS Exam Topics. Everything is 'Implement.' The questions may just not be AS difficult. I'm taking the Boson exam practice test and what you say is starting to make sense. When reading the questions, I thought that there's no way I could know this without labbing it.

                        If you look at the SITCS exam topics and the type of features it covers, you can see that it's not at all the same as the CCNA Security exam topics. But what I mean is... Take this for example:

                        -Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)

                        This is a clear indicator that you need to be able to DESCRIBE the IPsec stack. But you will not pass the exam by just knowing that. You need to know how to actually write your crypto maps, your NAT config, your tunnel interfaces, the interesting-traffic ACL... then when everything is set up, you also need to know your specific show commands to verify that it's working, for example:

                        -show crypto isakmp xxx

                        -show crypto ipsec xxx

                        And from that point on you also need to know how to interpret the information and which information is tied to Phase 1 or Phase 2. There is just a lot of "depth" to this exam that the current blueprints do not hint at. Beware of that and you will be fine!

                        It's just WAY outside the scope of "Describe". And that's a very big problem if you just rely on those blueprints (which are still the only official things Cisco will publish about their exam topics). I'm complaining as much and as best as I can about that to the people I know can at least forward that message to the right places.

                        Hope that answered your question and why I don't think that going for CCNP books is the best approach; it's still at CCNA level but a mix between CCNA/CCNP depth.

                        It's still a CCNA-level exam. They just forgot to mention the "verify, implement, troubleshoot" parts.

                        -HTH

                        Daniel
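As an added example that is not part of this thread and not a Cisco tool, here is a small Python checker for the interpretation step Daniel describes above: it reads the text of `show crypto isakmp sa` and `show crypto ipsec sa`, tells you whether Phase 1 (the ISAKMP SA) is established, and whether Phase 2 (the IPsec SA) is actually carrying traffic in both directions. The two command outputs embedded below are constructed to resemble IOS output; the peer addresses, connection id and packet counters are made-up sample values, and the state names and counter labels are the ones IOS prints.

```python
"""Classify an IOS site-to-site IPsec tunnel as Phase 1 or Phase 2 trouble.

Added example for this thread, not Cisco code. The sample output strings
are constructed to look like 'show crypto isakmp sa' and 'show crypto
ipsec sa'; addresses and counters are invented.
"""
import re

# Constructed sample: 'show crypto isakmp sa' (Phase 1 / IKE SA table).
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed sample: 'show crypto ipsec sa' (Phase 2 / IPsec SA), trimmed
# to the lines a health check needs. Encaps > 0 with decaps == 0 is the
# classic "traffic leaves, nothing comes back" symptom.
IPSEC_SA_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: CM, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# QM_IDLE is the established Phase 1 state; the MM_*/AG_* states mean the
# main-mode or aggressive-mode exchange has not finished yet.
PHASE1_ESTABLISHED = {"QM_IDLE"}
PHASE1_IN_PROGRESS = {"MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
                      "AG_INIT_EXCH", "AG_AUTH"}

SA_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                    r"(\S+)\s+(\d+)\s+(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per Phase 1 SA row (dst, src, state, conn_id, status)."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows


def parse_ipsec_sa(text):
    """Pull the peer and the encaps/decaps counters out of the Phase 2 output."""
    peer = re.search(r"current_peer (\S+)", text)
    encaps = re.search(r"#pkts encaps: (\d+)", text)
    decaps = re.search(r"#pkts decaps: (\d+)", text)
    return {"peer": peer.group(1) if peer else None,
            "encaps": int(encaps.group(1)) if encaps else 0,
            "decaps": int(decaps.group(1)) if decaps else 0}


def assess_tunnel(isakmp_text, ipsec_text):
    """Return findings tagged with the phase they belong to."""
    p1 = parse_isakmp_sa(isakmp_text)
    p2 = parse_ipsec_sa(ipsec_text)
    findings = []
    active = [r for r in p1
              if r["state"] in PHASE1_ESTABLISHED and r["status"] == "ACTIVE"]
    if not p1:
        findings.append("phase1: no ISAKMP SA (peer unreachable, no interesting "
                        "traffic yet, or nothing matched the crypto ACL)")
    elif not active:
        states = ", ".join(sorted({r["state"] for r in p1}))
        if any(r["state"] in PHASE1_IN_PROGRESS for r in p1):
            findings.append(f"phase1: negotiation still in progress ({states})")
        else:
            findings.append(f"phase1: SA not established ({states}); check the "
                            "ISAKMP policy and pre-shared key on both sides")
    # Phase 2 counters only mean something once Phase 1 is up.
    if active and p2["encaps"] > 0 and p2["decaps"] == 0:
        findings.append("phase2: encaps only, nothing decapsulated; check the far "
                        "side's crypto ACL and NAT exemption")
    elif active and p2["encaps"] == 0 and p2["decaps"] == 0:
        findings.append("phase2: no packets either way; the interesting-traffic "
                        "ACL may not match what you are sending")
    return {"healthy": not findings, "phase1_ok": bool(active),
            "peer": p2["peer"], "encaps": p2["encaps"],
            "decaps": p2["decaps"], "findings": findings}


if __name__ == "__main__":
    result = assess_tunnel(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT)
    for line in result["findings"] or ["tunnel healthy: QM_IDLE and traffic both ways"]:
        print(line)
```

Run as is, the sample reports a healthy Phase 1 and a one-way Phase 2, which is the case the two show commands are meant to separate: the IKE SA is fine, so the problem is in the IPsec policy or the path for return traffic, not in the key or policy negotiation.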

                        • 9. Re: Passed the CCNA-Security Exam - My view of the exam
                          Augusto

                          Hello all!

                          First, congrats Daniel!

                          I did my CCNA Security exam last Monday (13/03) and passed!

                          I really agree with Daniel. I failed the IINS 640-554 exam in November/15.

                          I participated in the IINS 640-553 courses for instructors from NetAcad in the past, but did not try to become certified. Then I was requested to renew my training for CCNA Security with NetAcad in 2015 and I decided to get certified.

                          For my first exam attempt (IINS 640-554), I had the instructor training from NetAcad and studied using the CCNA Security material from the Networking Academy and the Official Certification Guide. Unfortunately, it was by far not enough. I have good experience with ASA, routers and switches, VPNs, etc.

                          Based on a lot of posts here at CLN that complained about the exams (both exams), for this new exam (IINS 210-260) I used:

                          - Cisco Networking Academy material, and I did all the exercises, Packet Tracer simulations and the laboratories.

                          - As I have access to Skillsoft courses, I studied the IINS 210-260 course (entirely) and some specific topics of the CCNP Security courses.

                          - Research on specific topics based on CLN forum posts about the CCNA Security exam.

                          - Did some specific labs while I was reading the material. For example, when studying views, I tested with views. When studying AAA, I tested with AAA, and so on. For some labs, I tested some additional configurations; for example, for remote access VPNs I used options that were not listed in the labs.

                          - We have been working on a security infrastructure since last year, and it helps a lot to know more about Cisco security solutions, from technical presentations from a Cisco partner, white papers and Cisco website documentation. We also did a POC of ISE and it was a very good experience, as I learned a lot in trying to understand the implementation, best practices, etc.

                          Best regards,

                          Augusto

                          • 10. Re: Passed the CCNA-Security Exam - My view of the exam
                            James (CCNA R&S/Wireless)

                            I have tried to find CNA books through the store, but I can only find the course booklet. Is this what you're referring to? It's only $26 on Cisco Press, which makes me think it's not a full book. The OCGs are usually more than this.

                            • 11. Re: Passed the CCNA-Security Exam - My view of the exam
                              Peter McKenzie

                              That is covering all the bases, Augusto.

                              This is the same way I like to prepare: do the labs, read the readings and use this forum for hiccups like the Firepower.

                              • 12. Re: Passed the CCNA-Security Exam - My view of the exam
                                Gobind

                                Hi Guys...

                                Please guide me on how I can get my CCNA certification that I passed in Jan-2017. Please share the steps for how I can get my certificate. Please.....

                                • 13. Re: Passed the CCNA-Security Exam - My view of the exam
                                  Peter McKenzie

                                  Hi Gobind,

                                  You would have registered an email and user name with Pearson VUE.

                                  Then I would go to Cisco - Login.

                                  When you log in with your Cisco credentials, that will tell you what address details Cisco has to send out your cert.

                                  • 14. Re: Passed the CCNA-Security Exam - My view of the exam
                                    Gobind

                                    Hi PM,

                                    Yes, I registered with Pearson VUE.
