CCNA 200-301 Cheat Sheet: 5.0 Security Fundamentals (15%)

As networks become more interconnected, the threat landscape also expands. From external attackers to internal mistakes, maintaining a secure network is no longer optional—it’s a requirement.

The Security Fundamentals section of the CCNA exam emphasizes core concepts that every network technician and administrator should understand. Even if you’re not pursuing a full cybersecurity role, these fundamentals help you design, implement, and maintain a secure networking environment.


5.1 Security Concepts

Before implementing security controls, it’s essential to understand the terminology:

  • Threat: A potential danger—such as malware, hackers, or social engineering—that could exploit a vulnerability.
  • Vulnerability: A weakness in a system or configuration (e.g., unpatched software, default credentials).
  • Exploit: A method or tool that takes advantage of a vulnerability.
  • Mitigation: Steps taken to reduce or eliminate risk (e.g., firewall rules, software updates, access restrictions).

The first line of defense is awareness—knowing where your risks are and how to address them.


5.2 Security Programs

Strong security isn’t just about technology—it’s also about people and processes.

  • User Training: Educating users about phishing, password hygiene, and safe browsing is critical to preventing social engineering attacks.
  • Awareness Campaigns: Posters, regular briefings, or simulated phishing tests help reinforce best practices.
  • Physical Security: Locks, access cards, surveillance cameras, and secure data centers are essential for preventing unauthorized physical access to network devices.

Security is only as strong as its weakest link, and that’s often human error.


5.3 Device Access Control

Controlling who can access your networking devices is a basic, but vital, layer of security.

  • Protect the console and vty (remote) lines with login local and local username/secret pairs, and protect privileged EXEC with enable secret rather than enable password. The secret forms store a one-way hash; the password forms, even with service password-encryption turned on, store a reversible type 7 string that anyone with a copy of the configuration can decode.
  • Allow only SSH on the vty lines (transport input ssh); Telnet carries the credentials in cleartext.
  • Implement login banners to provide legal warnings or acceptable use policies. A banner is a notice, not a control, so it never replaces authentication.
  • Disable unused interfaces and services to minimize the attack surface.

Even at the CCNA level, securing access to routers and switches is a priority.


5.4 Password Policy and Alternatives

Password protection remains a cornerstone of device security—but it must be done properly.

  • Enforce password complexity: Use a mix of uppercase, lowercase, numbers, and symbols. Against brute force, length matters more than the character mix.
  • A minimum length raises the cost of brute-force and dictionary attacks; expiration limits how long a stolen password stays usable, but forcing frequent changes tends to push users toward predictable patterns, so pair it with breach monitoring rather than relying on it alone.
  • Multi-Factor Authentication (MFA): Adds a second factor (hardware token, authenticator app, SMS) beyond the password. SMS is the weakest of these because codes can be intercepted or redirected by SIM swapping.
  • Biometric authentication (e.g., fingerprint, facial recognition) and digital certificates are increasingly used in enterprise networks.

Where possible, combine strong password policies with additional authentication mechanisms.
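To see why the distinction between enable secret and enable password matters for both device access control (5.3) and password policy (5.4), here is an added example that is not code from the cheat sheet: it implements the well-known Cisco type 7 encoding and audits a constructed running-config excerpt. XLAT is the public type 7 XOR key; the configuration lines are constructed for the demo, and the $9$ string is a placeholder, not a real hash.

```python
# Added example, not from the cheat sheet: why "enable secret" and "username ... secret"
# beat "enable password"/"password" even with "service password-encryption" turned on.
# Cisco's "type 7" encoding is a fixed-key XOR that anyone can reverse from a copy of
# the configuration. XLAT is the well-known type 7 key; the sample config excerpt is
# constructed for this demo (the $9$ value is a placeholder, not a real hash).
from typing import List, Tuple

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"  # public type 7 XOR key


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '070C285F4D06'."""
    seed = int(encoded[:2])             # first two digits: start offset into XLAT
    data = bytes.fromhex(encoded[2:])   # rest: hex of plaintext XOR key stream
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 7) -> str:
    """Inverse of type7_decode; IOS picks the seed itself, here it is a parameter."""
    data = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{data.hex().upper()}"


# Constructed running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 070C285F4D06
username admin privilege 15 password 7 121500031F0E050A
enable secret 9 $9$PLACEHOLDER$notarealhash
line vty 0 4
 password 7 094F471A1A0A
 login local
 transport input ssh
"""


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every reversible type 7 credential.

    Lines that use 'secret' (types 5, 8 and 9: salted MD5, PBKDF2-SHA256, scrypt) hold
    one-way hashes; they are reported as not reversible so the reader can see which
    lines actually protect the password.
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok == "password" and i + 2 < len(parts) and parts[i + 1] == "7":
                findings.append((line, type7_decode(parts[i + 2])))
                break
            if tok == "secret":
                findings.append((line, "one-way hash (not reversible)"))
                break
    return findings


if __name__ == "__main__":
    for line, result in audit_config(SAMPLE_CONFIG):
        print(f"{line!r:58} -> {result}")
```

Every "password 7" line comes back in cleartext while the secret line does not. The practical lesson: service password-encryption only hides passwords from someone glancing at a screen, and anyone who gets a copy of the configuration (backups, TFTP servers, ticket attachments) effectively has every type 7 password on the device.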


5.5 VPN Types

Virtual Private Networks (VPNs) allow secure communication over untrusted networks like the internet.

Two common types:

  • Site-to-Site VPN: Connects two separate networks (e.g., headquarters to a branch office) via encrypted tunnels.
  • Remote Access VPN: Allows individual users to securely access the corporate network from outside, often using client software.

Site-to-site VPNs between two gateways almost always use IPsec. Remote access VPNs use either IPsec or TLS (an "SSL VPN", as with Cisco Secure Client, formerly AnyConnect); TLS is popular because it passes through firewalls and NAT with less trouble. In both cases the tunnel provides confidentiality (encryption), integrity (keyed hashing) and authentication of the peers for data in transit.


5.6 ACLs – Access Control Lists

ACLs are used to permit or deny traffic based on source/destination IP, protocol, or port numbers.

  • Standard ACLs (numbered 1-99 and 1300-1999): Filter on the source IP address only, so they are placed as close to the destination as possible to avoid blocking traffic to other destinations as a side effect.
  • Extended ACLs (numbered 100-199 and 2000-2699): Filter on source and destination IP, protocol (IP, TCP, UDP, ICMP) and port numbers, so they are placed as close to the source as possible to drop unwanted traffic early.

ACLs are processed top-down and the first matching entry wins, so the order of entries matters. Every ACL ends with an implicit deny any, which means an ACL that contains only deny statements blocks all traffic. An ACL is applied to a router interface with ip access-group, inbound or outbound, one ACL per interface, per direction, per protocol, and ACLs remain essential for traffic control and security policy enforcement.
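The two rules that trip people up, first match wins and the implicit deny, are easiest to see by running packets through an ACL. The evaluator below is an added example, not code from the cheat sheet: it parses a subset of IOS numbered ACL syntax (the supported forms are listed in the comments) and applies it the way a router does. The ACL entries and packets are constructed for the demo, including a deliberately shadowed entry in ACL 10.

```python
# Added example, not from the cheat sheet: an evaluator for a subset of IOS numbered
# ACL syntax that behaves like the router does (top-down, first match wins, implicit
# deny at the end). Supported syntax: standard "access-list N permit|deny <src>" and
# extended "access-list N permit|deny <proto> <src> <dst> [eq <port>]", where an address
# is "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask). Port keywords, "range",
# "established" and source-port matches are not handled. ACL and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = 0xFFFFFFFF  # wildcard with every bit set: no bit has to match


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches everything; "tcp", "udp", "icmp" must match exactly
    src_net: int
    src_wc: int            # wildcard mask: 1 bits are ignored, 0 bits must match
    dst_net: int
    dst_wc: int
    dport: Optional[int]   # destination port from "eq", or None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse an address spec starting at tok[i]; return (network, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:   # explicit wildcard mask follows
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1      # standard ACL shorthand: bare address means host


def parse_acl_line(line: str) -> Tuple[int, Rule]:
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    if number <= 99 or 1300 <= number <= 1999:          # standard ACL: source only
        src_net, src_wc, _ = _parse_addr(tok, 3)
        return number, Rule(action, "ip", src_net, src_wc, 0, ANY, None)
    proto = tok[3]                                       # extended ACL
    src_net, src_wc, i = _parse_addr(tok, 4)
    dst_net, dst_wc, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return number, Rule(action, proto, src_net, src_wc, dst_net, dst_wc, dport)


def load_acls(text: str) -> Dict[int, List[Rule]]:
    acls: Dict[int, List[Rule]] = {}
    for line in text.splitlines():
        if line.startswith("access-list"):
            number, rule = parse_acl_line(line)
            acls.setdefault(number, []).append(rule)    # entry order is preserved
    return acls


def _covers(net: int, wc: int, addr: int) -> bool:
    """True when addr matches net under wildcard wc (only the 0 bits of wc are compared)."""
    care = ~wc & ANY
    return (addr & care) == (net & care)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> Tuple[str, Optional[Rule]]:
    """Return (decision, matching rule); rule None means the implicit deny fired."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not _covers(r.src_net, r.src_wc, s) or not _covers(r.dst_net, r.dst_wc, d):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r
    return "deny", None


# Constructed ACLs. The second entry of ACL 10 is shadowed: the permit for the whole /24
# above it is evaluated first, so the deny for .50 can never match.
SAMPLE_ACLS = """\
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny host 192.168.1.50
access-list 100 deny tcp any host 10.0.0.5 eq 23
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""
ACLS = load_acls(SAMPLE_ACLS)

if __name__ == "__main__":
    for pkt in [("192.168.1.50", "10.0.0.1", "ip", None),
                ("192.168.1.10", "10.0.0.5", "tcp", 23),
                ("192.168.1.10", "10.0.0.5", "tcp", 443),
                ("10.1.2.3", "10.0.0.9", "udp", 53)]:
        print(pkt, "ACL 10 ->", evaluate(ACLS[10], *pkt)[0],
              "ACL 100 ->", evaluate(ACLS[100], *pkt)[0])
```

Feeding 192.168.1.50 through ACL 10 returns permit even though a deny for that host exists, and a UDP packet that matches nothing in ACL 100 comes back as deny with no matching entry, which is the implicit deny at work. Both behaviours are exactly what show access-lists hit counters on a real router would reveal: a shadowed entry never accumulates matches.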


5.7 Layer 2 Security

Switches are vulnerable to specific Layer 2 threats. Mitigation techniques include:

  • DHCP Snooping: Classifies switch ports as trusted (toward the real DHCP server) or untrusted (toward hosts). DHCP server messages (OFFER, ACK) arriving on untrusted ports are dropped, which blocks rogue DHCP servers, and the switch records every completed lease in a DHCP snooping binding table (IP, MAC, VLAN, port).
  • Dynamic ARP Inspection (DAI): Verifies the sender MAC and IP in ARP requests and replies from untrusted ports against the DHCP snooping binding table and drops mismatches, which stops ARP spoofing (man-in-the-middle). Hosts with static addresses never appear in the binding table, so they need an ARP ACL or a trusted port.
  • Port Security:
    • Limits the number of MAC addresses learned on a port (default 1).
    • Can restrict the port to specific known MACs, configured statically or learned with the sticky option.
    • Violation modes: protect (silently drops frames from unknown MACs), restrict (drops them, counts the violation and logs it) and shutdown (the default: puts the port in err-disabled state until an administrator bounces it or errdisable recovery runs).

These tools protect against common LAN-based attacks, including DHCP spoofing, ARP spoofing and MAC flooding.
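The dependency between the first two features is easy to miss: DAI has nothing to check against unless DHCP snooping has built the binding table. The simulation below is an added example, not code from the cheat sheet; it models both features as the text describes them and walks through a real lease, a rogue server and two ARP spoofing attempts. Port names, MAC addresses and IP addresses are constructed for the demo.

```python
# Added example, not from the cheat sheet: a simulation of how DHCP snooping and
# Dynamic ARP Inspection cooperate on a switch. DHCP snooping drops DHCP server
# messages from untrusted ports and learns a binding (IP, MAC, VLAN, port) from each
# lease a trusted server confirms; DAI then validates ARP from untrusted ports against
# that table. Ports, MACs and addresses below are constructed for the demo.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass
class Switch:
    trusted: Set[str] = field(default_factory=set)        # ports toward real DHCP servers
    # (vlan, ip) -> (mac, port): the DHCP snooping binding table
    bindings: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)  # client MAC -> port it asked from
    log: List[str] = field(default_factory=list)

    def dhcp(self, port: str, vlan: int, msg: str, chaddr: str, yiaddr: str = "") -> str:
        """Apply DHCP snooping to one DHCP message; return 'forward' or 'drop'."""
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                self.log.append(f"DHCP snooping: dropped {msg} on untrusted {port} (rogue server)")
                return "drop"
            if msg == "ACK" and chaddr in self.pending:
                client_port = self.pending.pop(chaddr)      # lease confirmed: record where the client is
                self.bindings[(vlan, yiaddr)] = (chaddr, client_port)
                self.log.append(f"DHCP snooping: binding {yiaddr} {chaddr} vlan {vlan} {client_port}")
            return "forward"
        self.pending[chaddr] = port     # DISCOVER/REQUEST from a client: remember its port
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """Apply DAI to an ARP request or reply; trusted ports bypass the check."""
        if port in self.trusted:
            return "forward"
        entry = self.bindings.get((vlan, sender_ip))
        if entry != (sender_mac, port):     # no binding, or MAC/port differ from the lease
            self.log.append(f"DAI: dropped ARP '{sender_ip} is-at {sender_mac}' on {port}")
            return "drop"
        return "forward"


def scenario() -> Tuple[Switch, List[str]]:
    """Constructed walk-through: a real lease, a rogue server, ARP spoofing, a static host."""
    sw = Switch(trusted={"Gi1/0/24"})          # Gi1/0/24 is the uplink to the DHCP server
    victim, attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:07"
    results = [
        sw.dhcp("Gi1/0/1", 10, "DISCOVER", victim),
        sw.dhcp("Gi1/0/24", 10, "OFFER", victim, "10.0.10.50"),
        sw.dhcp("Gi1/0/1", 10, "REQUEST", victim),
        sw.dhcp("Gi1/0/24", 10, "ACK", victim, "10.0.10.50"),      # binding learned here
        sw.dhcp("Gi1/0/7", 10, "OFFER", victim, "10.0.10.99"),     # rogue server on a host port
        sw.arp("Gi1/0/1", 10, victim, "10.0.10.50"),               # legitimate ARP
        sw.arp("Gi1/0/7", 10, attacker, "10.0.10.50"),             # attacker claims victim's IP
        sw.arp("Gi1/0/7", 10, attacker, "10.0.10.1"),              # attacker claims the gateway
        sw.arp("Gi1/0/24", 10, "cc:cc:cc:cc:cc:01", "10.0.10.1"),  # real gateway, trusted uplink
        sw.arp("Gi1/0/9", 10, "dd:dd:dd:dd:dd:09", "10.0.10.200"), # static printer: no lease, no binding
    ]
    return sw, results


if __name__ == "__main__":
    switch, decisions = scenario()
    print(decisions)
    print("\n".join(switch.log))
```

The last ARP in the scenario shows the caveat from the list above: a statically addressed host on an untrusted port is dropped because it never obtained a lease, so real deployments add an ARP ACL for such hosts (or place them on a trusted port) before turning DAI on, or they will be the first "outage" the helpdesk hears about.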


5.8 AAA Concepts

AAA stands for Authentication, Authorization, and Accounting—a framework for managing network access.

  • Authentication: Verifies who you are (username/password, token).
  • Authorization: Determines what you’re allowed to do (read-only vs admin access).
  • Accounting: Tracks what you did (logins, commands, resource use).

AAA is implemented through a central server speaking TACACS+ or RADIUS. TACACS+ (Cisco-defined, TCP port 49) encrypts the whole packet body and keeps authentication, authorization and accounting separate, so it can authorize individual commands; it is the usual choice for device administration. RADIUS (an open standard, UDP ports 1812/1813) encrypts only the password field and combines authentication with authorization; it is the usual choice for network access such as 802.1X and VPN users. Centralized AAA scales far better than per-device local accounts, which should remain only as a fallback for when the server is unreachable.


5.9 Wireless Security

Wireless networks are inherently more exposed than wired ones, so strong security is a must.

  • WPA (Wi-Fi Protected Access): Replaced the broken WEP. The original WPA used TKIP as a stopgap; WPA2 uses AES-CCMP and is still the most widely deployed; WPA3 is the current standard, replaces the PSK 4-way handshake with SAE (Simultaneous Authentication of Equals), which resists offline passphrase guessing, and requires Protected Management Frames.
  • Pre-Shared Key (PSK, "Personal" mode): Common in small setups; simple to deploy, but one passphrase is shared by every client, so revoking a single user means changing it everywhere, and with WPA2 a captured 4-way handshake lets an attacker test passphrase guesses offline.
  • Enterprise Mode: Uses 802.1X with EAP and a RADIUS server for per-user credentials or certificates; each client gets its own session keys and credentials can be revoked individually; preferred for larger or more secure deployments.

Understanding the differences between WPA standards helps design secure wireless environments.
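The offline-guessing weakness of WPA2-PSK comes straight from how the key is derived. The following is an added example, not code from the cheat sheet: it derives the Pairwise Master Key (PMK) exactly as WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations), checks the test vector published in IEEE 802.11, and runs a small dictionary attack against a constructed capture. The SSID, wordlist and captured PMK are constructed; the PMK comparison stands in for the handshake MIC check (a real attack derives the PTK from the PMK plus nonces and MAC addresses and verifies the EAPOL MIC, which is omitted here).

```python
# Added example, not from the cheat sheet: what a WPA/WPA2 pre-shared key really is.
# In Personal mode the 256-bit PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
# Both inputs are public or shared, so anyone who captured a 4-way handshake can test
# passphrases offline. The "captured" PMK below is a stand-in for the MIC check a real
# tool performs; the SSID and wordlist are constructed for the demo. The ("password",
# "IEEE") vector is the one published in IEEE 802.11.
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_guess(ssid: str, target_pmk: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first passphrase whose PMK matches target_pmk, or None if none does."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


# Constructed "capture": the network uses a passphrase built from its own SSID.
SSID = "CorpGuest"
WORDLIST = ["12345678", "password", "letmein123", "CorpGuest2024", "sunshine"]
CAPTURED_PMK = wpa_pmk("CorpGuest2024", SSID)   # stands in for the PMK behind a real handshake

if __name__ == "__main__":
    print("IEEE test vector PMK:", wpa_pmk("password", "IEEE").hex())
    print("same passphrase, other SSID:", wpa_pmk("password", SSID).hex())
    print("recovered passphrase:", offline_guess(SSID, CAPTURED_PMK, WORDLIST))
```

Two things worth noticing: the SSID acts as the salt, so precomputed tables only help against common SSIDs (which is why default names like "linksys" are a bad idea), and 4096 iterations of SHA-1 are cheap on a GPU, so the passphrase is the only real defence. Under WPA3-Personal the passphrase feeds SAE instead, and every guess costs a live exchange with the access point, so this offline loop no longer applies.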


5.10 WLAN GUI Security

Modern wireless controllers and APs often use web-based interfaces for configuration.

In the GUI, you can:

  • Set SSID (network name).
  • Configure security modes (WPA2, WPA3).
  • Set up pre-shared keys or enterprise authentication.
  • Adjust QoS and client policies.

Graphical interfaces simplify the configuration process and help reduce errors—especially in small to mid-size deployments.


Final Thoughts

Security is not a feature—it’s a mindset. The Security Fundamentals domain of the CCNA ensures you understand the foundational measures required to build a safe and resilient network.

While this section accounts for 15% of the exam, its concepts have far-reaching implications across all domains of IT. Whether you’re locking down device access, configuring VPNs, or protecting against LAN threats, a solid security posture begins here.

Next up, we’ll tackle the final domain: 6.0 Automation and Programmability, where you’ll get a taste of how modern networks are becoming smarter, faster, and more autonomous.
