思科认证网络工程师CCNA安全认证考试大纲

思科认证网络工程师CCNA平安认证考试大纲CA平安认证可满足那些负责网络平安的IT专业人员的需求。它表示通过认证的专业人士拥有相应的专业技能，可以胜任网络平安专家、网络平安管理员和网络平安支持工程师等职位。该认证所验证的技能包括：在保持数据和设备的完好性、保密性和可用性的条件下安装、故障排除和监控网络设备，以及使用思科在平安架构中所采用的技术进展开发的才能。施行思科网络平安210-260IINS考试时间为90分钟，考生需要完成60-70到考题。210-260IINS考试验证考生是否具备网络平安架构，理解网络平安核心概念，管理平安访问，加密，防火墙，平安入侵防御，网页及邮件内容平安及终端设备平安等知识。通过210-260IINS考试证明考生拥有在思科平安网络架构中施行操作的才能。考生可以通过参加施行思科网络平安(IINS)课程来准备参加考试。1.1Commonsecurityprinciples1.1.aDescribeconfidentiality,integrity,availability(CIA)1.1.bDescribeSIEMtechnology1.1.cIdentifymonsecurityterms1.1.dIdentifymonworksecurityzones1.2Commonsecuritythreats1.2.aIdentifymonworkattacks1.2.bDescribesocialengineering1.2.cIdentifymalware1.2.dClassifythevectorsofdataloss/exfiltration1.3Cryptographyconcepts1.3.aDescribekeyexchange1.3.bDescribehashalgorithm1.3.cCompareandcontrastsymmetricandasymmetricencryption1.3.dDescribedigitalsignatures,certificates,andPKI1.4Describeworktopologies1.4.aCampusareawork(CAN)1.4.bCloud,wideareawork(WAN)1.4.cDatacenter1.4.dSmalloffice/homeoffice(SOHO)1.4.eNetworksecurityforavirtualenvironment2.1Securemanagement2.1.aComparein-bandandout-ofband2.1.bConfiguresecureworkmanagement2.1.cConfigureandverifysecureaessthroughSNMPv3usinganACL2.1.dConfigureandverifysecurityforNTP2.1.eUseSCPforfiletransfer2.2AAAconcepts2.2.aDescribeRADIUSandTACACS+technologies2.2.bConfigureadministrativeaessonaCiscorouterusingTACACS+2.2.cVerifyconnectivityonaCiscoroutertoaTACACS+server2.2.dExplaintheintegrationofActiveDirectorywithAAA2.2.eDescribeauthenticationandauthorizationusingACSandISE2.3802.1Xauthentication2.3.aIdentifythefunctions802.1Xponents2.4BYOD2.4.aDescribetheBYODarchitectureframework2.4.bDescribethefunctionofmobiledevicemanagement(MDM)3.1concepts3.1.aDescribeIPsecprotocolsanddeliverymodes(IKE,ESP,AH,tunnelmode,transportmode)3.1.bDescribehairpinning,splittunneling,always-on,NATtraversal3.2Remoteaess3.2.aImplementbasicclientlessSSLusingASDM3.2.bVerifyclientlessconnection3.2.cImplementbasicAnyConnectSSLusingASDM3.2.dVerifyAnyConnectconnection3.2.eIdentifyendpointpostureassessment3.3Site-to-site3.3.aImplementanIPsecsite-to-sitewithpre-sharedkeyauthenticationonCiscoroutersandASAfirewalls3.3.bVerifyanIPsecsite-to-site4.1SecurityonCiscorouters4.1.aConfiguremultipleprivilegelevels4.1.bConfigureCiscoIOSrole-basedCLIaess4.1.cImplementCiscoIOSresilientconfiguration4.2Securingroutingprotocols4.2.aImplementroutingupdateauthenticationonOSPF4.3Securingthecontrolplane4.3.aExplainthefunctionofcontrolplanepolicing4.4CommonLayer2attacks4.4.aDescribeSTPattacks4.4.bDescribeARPspoofing4.4.cDescribeMACspoofing4.4.dDescribeCAMtable(MACaddresstable)overflows4.4.eDescribeCDP/LLDPreconnaissance4.4.fDescribeVLANhopping4.4.gDescribeDHCPspoofing4.5Mitigationprocedures4.5.aImplementDHCPsnooping4.5.bImplementDynamicARPInspection4.5.cImplementportsecurity4.5.dDescribeBPDUguard,rootguard,loopguard4.5.eVerifymitigationprocedures4.6VLANsecurity4.6.aDescribethesecurityimplicationsofaPVLAN4.6.bDescribethesecurityimplicationsofanativeVLAN5.1Describeoperationalstrengthsandweaknessesofthedifferentfirewalltechnologies5.1.aProxyfirewalls5.1.bApplicationfirewall5.1.cPersonalfirewall5.2Comparestatefulvs.statelessfirewalls5.2.aOperations5.2.bFunctionofthestatetable5.3ImplementNATonCiscoASA9.x5.3.aStatic5.3.bDynamic5.3.cPAT5.3.dPolicyNAT5.3eVerifyNAToperations5.4Implementzone-basedfirewall5.4.aZonetozone5.4.bSelfzone5.5FirewallfeaturesontheCiscoAdaptiveSecurityAppliance(ASA)9.x5.5.aConfigureASAaessmanagement5.5.bConfiguresecurityaesspolicies5.5.cConfigureCiscoASAinterfacesecuritylevels5.5.dConfiguredefaultCiscoModularPolicyFramework(MPF)5.5.eDescribemodesofdeployment(routedfirewall,transparentfirewall)5.5.fDescribemethodsofimplementinghighavailability5.5.gDescribesecuritycontexts5.5.hDescribefirewallservices6.1DescribeIPSdeploymentconsiderations6.1.aNetwork-basedIPSvs.host-basedIPS6.1.bModesofdeployment(inline,promiscuous-SPAN,tap)6.1.cPlacement(positioningoftheIPSwithinthework)6.1.dFalsepositives,falsenegatives,truepositives,truenegatives6.2DescribeIPStechnologies6.2.aRules/signatures6.2.bDetection/signatureengines6.2.cTriggeractions/responses(drop,reset,block,alert,monitor/log,shun)6.2.dBlacklist(staticanddynamic)7.1Describemitigationtechnologyforemail-basedthreats7.1.aSPAMfiltering,anti-malwarefiltering,DLP,blacklisting,emailencryption7.2Describemitigationtechnologyforweb-basedthreats7.2.aLocalandcloud-basedwebproxies7.2.bBlacklist