CCNA Security - 640-554

Out with the old and in with new Cisco is updating its well-known certification CCNA Security. Candidates that are studying for the older exam (640-553) are suggested to take it on or before September 30th 2012. What has changed in the exam? For the most part Cisco SDM is no longer covered, as it has reached its "End of Life" and in fact Cisco Engineering stopped covering the product from developing and testing on February 26th 2012. You can still renew the product for support (Cisco SmartNet) until March 24th of 2013 and the last date the product will get support will be February 28th of 2014 after that it will become an old friend :). Let's compare these two CCNA Security Exams and see what has changed, removed and added. (640-553 & 640-554) I have compared these two exams side-by-side. If you take look at these two exams, the red on the older exam means it is no longer covered on the (640-554 exam) and the blue on the new exam is new material that is not covered on the (640-553 exam). For the most part Cisco SDM is no longer available instead it is the Cisco Configuration Professional along with that the new exam mentions the Cisco ASA system and walking you into the ASDM along with the different products and services the ASA system offers.

CCNA Security Exam Topics – (640-553) Describe the security threats facing modern network infrastructures

  • Describe and list mitigation methods for common network attacks

  • Describe and list mitigation methods for Worm, Virus, and Trojan Horse attacks

  • Describe the Cisco Self Defending Network architecture

Secure Cisco routers

  • Secure Cisco routers using the SDM Security Audit feature

  • Use the One-Step Lockdown feature in SDM to secure a Cisco router

  • Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements

  • Secure administrative access to Cisco routers by configuring multiple privilege levels

  • Secure administrative access to Cisco routers by configuring role based CLI

  • Secure the Cisco IOS image and configuration file

Implement AAA on Cisco routers using local router database and external ACS

  • Explain the functions and importance of AAA

  • Describe the features of TACACS+ and RADIUS AAA protocols

  • Configure AAA authentication

  • Configure AAA authorization

  • Configure AAA accounting

Mitigate threats to Cisco routers and networks using ACLs

  • Explain the functionality of standard, extended, and named IP ACLs used by routers to filter packets

  • Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI

  • Configure IP ACLs to prevent IP address spoofing using CLI

  • Discuss the caveats to be considered when building ACLs

Implement secure network management and reporting

  • Use CLI and SDM to configure SSH on Cisco routers to enable secured management access

  • Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server

Mitigate common Layer 2 attacks

  • Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features

Implement the Cisco IOS firewall feature set using SDM

  • Describe the operational strengths and weaknesses of the different firewall technologies

  • Explain stateful firewall operations and the function of the state table

  • Implement Zone Based Firewall using SDM

Implement the Cisco IOS IPS feature set using SDM

  • Define network based vs. host based intrusion detection and prevention

  • Explain IPS technologies, attack responses, and monitoring options

  • Enable and verify Cisco IOS IPS operations using SDM

Implement site-to-site VPNs on Cisco Routers using SDM

  • Explain the different methods used in cryptography

  • Explain IKE protocol functionality and phases

  • Describe the building blocks of IPSec and the security functions it provides

  • Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM

CCNA Security Exam Topics – (640-554) Common Security Threats

  • Describe common security threats

Security and Cisco Routers

  • Implement security on Cisco routers

  • Describe securing the control, data, and management plane

  • Describe Cisco Security Manager

  • Describe IPv4 to IPv6 transition

AAA on Cisco Devices

  • Implement AAA (authentication, authorization, and accounting)

  • Describe TACACS+

  • Describe RADIUS

  • Describe AAA

  • Verify AAA functionality


  • Describe standard, extended, and named IP IOS access control lists (ACLs) to filter packets

  • Describe considerations when building ACLs

  • Implement IP ACLs to mitigate threats in a network

Secure Network Management and Reporting

  • Describe secure network management

  • Implement secure network management

Common Layer 2 Attacks

  • Describe Layer 2 security using Cisco switches

  • Describe VLAN security

  • Implement VLANs and trunking

  • Implement spanning tree

Cisco Firewall Technologies

  • Describe operational strengths and weaknesses of the different firewall technologies

  • Describe stateful firewalls

  • Describe the types of NAT used in firewall technologies

  • Implement zone-based policy firewall using CCP

  • Implement the Cisco Adaptive Security Appliance (ASA)

  • Implement Network Address Translation (NAT) and Port Address Translation (PAT)

Cisco IPS

  • Describe Cisco Intrusion Prevention System (IPS) deployment considerations

  • Describe IPS technologies

  • Configure Cisco IOS IPS using CCP

VPN Technologies

  • Describe the different methods used in cryptography

  • Describe VPN technologies

  • Describe the building blocks of IPSec

  • Implement an IOS IPSec site-to-site VPN with pre-shared key authentication

  • Verify VPN operations

  • Implement Secure Sockets Layer (SSL) VPN using ASA device manager

For the most part if you have older books and products that cover the 640-553 exam continue studying as you can see when you compare these exams the fundamentals stay the same and if you think you can take it before September 30th go ahead and go for it! For me I want to take the new exam so I'll take it after September 30th. I also have some good tutorials that cover SDM like (Configure Cisco SDM) back a year ago on this blog along with some security topics like AAA an Radius and TACACS+ go ahead search for them! If you are like me and want to get your hands on some books that cover the new exam (640-554) you will have to wait until July 16th for the Official Certification Guide according to Amazon but you can go head and order the CCNA Security Portable Command Guide which released today. Like always I hope this information is helpful, if you have questions feel free to post them :).


adam -

What do you use for labs? hardware or virtualized? if virtualized, do you use gns3 if hardware, where did you get your hardware form? Thanks!

#### [Ryan]( "") -

Hey Adam, I have used both and GNS3 works for routers well, but for switches it does not support them well. For the physical gear eBay is a pretty good spot. Hope that helps

#### [Password Recovery – Cisco IOS Routers | Cisco Skills]( "") -

[...] CCNA Security – 640-554 ( [...]

#### [Upgrade ASA IOS via ASDM | Cisco Skills]( "") -

[...] CCNA Security – 640-554 ( [...]

#### [Basic Cisco ASA Overview | Cisco Skills]( "") -

[...] Post navigation ← Previous [...]

#### [Ryan]( "") -

Glad I could help.

#### [Rujvelt]( "") -

Good comparison and blue which gives idea of new exam material Thanks for infomation