
Chapter 19 of 27

Security Fundamentals: Threats, Principles, and Device Hardening

Build a security mindset by recognizing common network threats and hardening Cisco devices with secure management and basic protections.


Big Picture: Why Security Fundamentals Matter

Security + Networking

This module links your core networking skills (DHCP, DNS, NTP, SNMP, SSH) with a security mindset expected at CCNA level.

Your CCNA Security Role

You are not a penetration tester yet; your role is to understand key principles, spot common threats, and harden Cisco routers and switches.

Attacker Mindset

Picture a campus network. Attackers chain small weaknesses: weak SSH, no logging, phished users, open TFTP. Each is a missing control.

Guiding Questions

Keep asking: If I were an attacker, what would I try? If I were defending, what simple control would stop or detect this?

Core Security Principles: CIA, Least Privilege, Defense in Depth

CIA Triad Overview

CIA stands for Confidentiality, Integrity, Availability. Almost every security control you configure supports one or more of these.

Confidentiality Example

Using SSH instead of Telnet protects router login credentials from being captured in clear text by an eavesdropper.

Integrity & Availability

Integrity means data is accurate and unaltered; availability means systems and data are reachable when needed, even under attack.

Least Privilege

Least privilege gives users the minimum access they need. Example: helpdesk can view configs but cannot change them.

Defense in Depth

Defense in depth layers controls: SSH, strong auth, ACLs on VTY, and syslog together protect device management access.

Common Network Threats: Spoofing, DoS, Malware, Social Engineering

Spoofing Attacks

Spoofing means forging identity: fake IP, MAC, or ARP entries to bypass ACLs or hijack traffic on a local network.

DoS and DDoS

Denial of Service floods a target to exhaust bandwidth, CPU, or memory. DDoS uses many distributed sources at once.

Malware on Networks

Malware includes viruses, worms, trojans, ransomware. It may scan for open shares, brute-force SSH, or spread via weak passwords.

Social Engineering

Social engineering tricks people: phishing emails, fake IT calls, or tailgating into secure rooms to bypass technical controls.

Defense Link

For each threat, think: which device configs (ACLs, SSH, logging, rate limits) and which user controls can reduce the risk?

Threat Walkthrough: Simple Campus Network Under Attack

Network Setup

Users connect to access switches, a core router does NAT, DHCP and DNS serve clients, and devices are managed via SSH.

Step 1: Phishing

A user enters their password into a fake site. If the same password is also valid on the router and the VTY lines accept logins from any address, the attacker simply reuses it over SSH. Encryption protects the session, not a credential that has already been stolen.

Step 2: Too Much Privilege

The stolen account has full privileges, letting the attacker disable logging or edit ACLs without restriction.

Step 3: Lateral Movement

From the router, the attacker SSHs to access switches using the same shared credentials to expand control.

Step 4: Data Capture

They configure a SPAN/monitor port and capture unencrypted Telnet or FTP traffic to harvest more credentials.

Break the Chain

Controls like strong unique passwords, least privilege, VTY ACLs, and syslog/SNMP alerts could stop or reveal each step.

Secure Management Basics: Out-of-Band, SSH, and Password Policies

Management Paths

In-band uses the production network for management; out-of-band uses a separate path and is usually more secure.

Telnet vs SSH

Telnet sends credentials in clear text. SSH encrypts the session, protecting admin logins from eavesdropping.

SSH Config Steps

Set the hostname and domain name (both are needed before an RSA key pair can be generated), generate the RSA keys, create local users with secrets, set the VTY lines to login local, and set transport input ssh so the lines no longer accept Telnet.

Password Practices

Use secret (a one-way hash) instead of password. service password-encryption only obscures any remaining plaintext passwords with reversible type 7 encoding, so treat it as a fallback rather than protection. Limit failed login attempts (login block-for) and set exec-timeout on the console and VTY lines.

CIA Mapping

Encrypted management protects confidentiality; strong auth and limits protect integrity of device configurations.

Hands-On: Hardening Cisco Management Access (SSH, Users, VTY)

Use this sample configuration as a template for securing management access on a Cisco router or switch. Read the comments carefully; similar snippets often appear on CCNA questions.
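The page's own sample configuration is not reproduced above, so the following is an added example written by the editor, not the original page's template. It covers the SSH steps and password practices from the previous section in one place. The hostname R1, the domain example.com, the admin subnet 10.0.100.0/24, the user names admin and helpdesk, and every secret string are placeholders; the VTY range (0 4 here) differs by platform.

```cisco
! Added example (editor's, not the page's original template).
! Placeholders: hostname R1, domain example.com, admin subnet 10.0.100.0/24,
! user names admin/helpdesk, all secret strings.
hostname R1
ip domain-name example.com
! Hostname and domain name must exist before the RSA key pair can be built;
! 2048 bits is the practical minimum today.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Hashed secrets, never "password" lines. Least privilege: the helpdesk
! account gets level 5 and only the show command moved down to that level,
! so it can read (IOS filters the output to that level) but cannot configure.
enable secret ChangeMe-Enable-1
username admin privilege 15 secret ChangeMe-Admin-1
username helpdesk privilege 5 secret ChangeMe-Help-1
privilege exec level 5 show running-config
! Obscures any plaintext passwords that remain (type 7, reversible).
! A last resort, not a substitute for secret.
service password-encryption
!
! Slow down brute force and record every attempt in syslog:
! after 3 failures within 60 s, refuse logins for 120 s.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Only the management subnet may open a VTY session; everything else is
! dropped and logged.
ip access-list standard MGMT-ONLY
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
!
line con 0
 login local
 exec-timeout 10 0
```

Verify with show ip ssh (version 2 enabled), show access-lists MGMT-ONLY (hit counts climbing on the deny line mean somebody outside the admin subnet is knocking), and a Telnet attempt to the router, which should now be refused outright.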

Device Hardening: Disable Unused Services and Protect the Control Plane

Reduce Attack Surface

Device hardening means turning off features you do not need and protecting the device’s CPU and memory from abuse.

Disable Unneeded Services

Examples: no ip http server, no ip http secure-server if not used, no ip source-route, and disabling unused interfaces.

Control Plane Protection

Use ACLs (access-class on the VTY lines) to limit who can reach management services, and rate-limit the traffic that is punted to the CPU (Control Plane Policing) so a flood of management or routing packets cannot overload it.

Logging and Time

Send logs to syslog and sync time with NTP so incidents can be detected and investigated accurately.
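An added example (editor's, not from the original page) that puts the three hardening points above into one router configuration: unused services off, a simple control-plane policy that bounds the rate of management traffic reaching the CPU, and syslog plus authenticated NTP. The admin subnet 10.0.100.0/24, the syslog host 10.0.100.10, the NTP server 10.0.100.20, the NTP key string, the interface names and the 128 kbit/s policer rate are all assumptions.

```cisco
! Added example; addresses, names, key strings and rates are placeholders.
! --- 1. Disable services the device does not need ---
no ip http server
no ip http secure-server
no ip source-route
no ip bootp server
no ip finger
no service pad
no service tcp-small-servers
no service udp-small-servers
! CDP leaks platform and address details to anything on the wire. Turn it
! off globally on a router; on a switch that serves Cisco IP phones keep it
! on the phone ports and use "no cdp enable" per uplink/edge interface instead.
no cdp run
! Default or leftover community strings are an open door; remove them.
! (If SNMP is required, use SNMPv3 with auth and priv instead.)
no snmp-server community public
no snmp-server community private
!
interface GigabitEthernet0/2
 description UNUSED - shut down
 shutdown
!
! --- 2. Control plane protection ---
! Classify SSH and SNMP from the management subnet and police it: conforming
! traffic is passed, anything above 128 kbit/s is dropped, so even a flood
! from a compromised admin host cannot monopolise the CPU. Who may actually
! log in is still decided by the VTY access-class; this only bounds the rate.
ip access-list extended MGMT-TO-CPU
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
 permit udp 10.0.100.0 0.0.0.255 any eq snmp
!
class-map match-all CM-MGMT
 match access-group name MGMT-TO-CPU
!
policy-map PM-COPP
 class CM-MGMT
  police 128000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
!
! --- 3. Logging and time ---
! Millisecond, timezone-stamped messages kept locally and shipped to syslog.
service timestamps log datetime msec localtime show-timezone
clock timezone UTC 0
logging buffered 65536 informational
logging host 10.0.100.10
logging trap informational
logging source-interface GigabitEthernet0/0
! Authenticated NTP so nobody can skew the clock the log timestamps rely on.
ntp authentication-key 1 md5 ChangeMe-NtpKey-1
ntp authenticate
ntp trusted-key 1
ntp server 10.0.100.20 key 1
```

Check the result with show policy-map control-plane (conformed and exceeded counters per class), show ntp status (the clock should report synchronized), and show logging (the syslog host and trap level should be listed).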

Exam Mindset

Given a long list of services, ask: which are truly needed? The rest increase risk with no benefit.

Quick Check: Management and Hardening

Test your understanding of secure management and device hardening concepts.

Which combination best aligns with secure management and basic device hardening for a Cisco router?

  A) Enable Telnet, use simple passwords, and allow VTY access from any IP
  B) Use SSH with local user accounts, restrict VTY access with an ACL, and disable unused services like HTTP server
  C) Use SSH with default username/password, enable CDP on all interfaces, and allow HTTP access for convenience
  D) Disable SSH, enable HTTP and HTTPS, and rely on service password-encryption alone

Answer: B) Use SSH with local user accounts, restrict VTY access with an ACL, and disable unused services like HTTP server

The secure approach is to use SSH (encrypted), local accounts with strong secrets, restrict VTY access using an ACL, and disable unused services such as the HTTP server. Telnet and default credentials are insecure; enabling extra services without need increases attack surface.

Security Program Elements: Users, Training, and Physical Access

User Awareness

Users must recognize phishing, handle passwords safely, and avoid installing unauthorized software on corporate systems.

Admin Training

Network admins need secure configuration habits, change control discipline, and basic incident response knowledge.

Policies and Procedures

Key policies: acceptable use, password rules, change management, and incident response instructions for staff.

Physical Security

Lock network closets, secure console ports, control building access, and prevent tailgating into restricted areas.

Blending Controls

Strong security blends technical controls with trained users and physical protections for a layered defense.

Thought Exercise: Hardening a Small Office Network

Imagine you are responsible for a small office network with:

  • One internet-facing router doing NAT.
  • Two access switches.
  • A wireless access point using WPA2-PSK.
  • Around 25 users with laptops and IP phones.

Currently:

  • Devices are managed with Telnet.
  • All VTY lines accept connections from any IP.
  • Default passwords are still set on some devices.
  • Network closets are often left unlocked.

Your task: In your own words (mentally or in notes), list at least 5 concrete changes you would make to improve security, using concepts from this module.

To guide your thinking, consider:

  1. Management security
  • How will you replace Telnet?
  • How will you restrict who can manage devices?
  2. Device hardening
  • Which services might you disable?
  • How will you handle unused switch ports?
  3. User and physical controls
  • What simple user awareness message could you send?
  • How will you improve physical protection of the router and switches?

After you have your list, compare it mentally to this checklist:

  • SSH instead of Telnet, with strong local users.
  • ACLs on VTY lines allowing only admin subnet.
  • Disable HTTP server if not used, secure SNMP if used.
  • Disable unused switch ports and place them in an unused VLAN.
  • Change default passwords, use secrets.
  • Lock closets, label “authorized access only”, remind staff about phishing and password safety.

The closer your list is to this, the more ready you are for CCNA-style scenario questions.
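An added example (editor's, not from the original page) of the switch-side items in the checklist that the earlier router examples do not cover: unused ports parked in an otherwise empty VLAN and shut down, and SNMPv3 with authentication and encryption in place of community strings. VLAN 999, the port range GigabitEthernet1/0/13 - 24, the admin subnet 10.0.100.0/24, the group and user names, and the passphrases are placeholders.

```cisco
! Added example; VLAN number, port range, names, addresses and passphrases
! are placeholders.
vlan 999
 name PARKING-UNUSED
!
! Unused ports: forced access mode (no trunk negotiation an attacker could
! abuse), parked in the unused VLAN, and administratively down.
interface range GigabitEthernet1/0/13 - 24
 description UNUSED - parked
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! SNMPv3: authenticated (SHA) and encrypted (AES-128), read-only view,
! and only the admin subnet may query. No v1/v2c community strings at all.
ip access-list standard SNMP-MGMT
 permit 10.0.100.0 0.0.0.255
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access SNMP-MGMT
snmp-server user nmsuser NMS-RO v3 auth sha ChangeMe-SnmpAuth-1 priv aes 128 ChangeMe-SnmpPriv-1
```

Note that snmp-server user lines do not appear in show running-config; confirm them with show snmp user. Bringing a parked port back into service means moving it to the correct VLAN and issuing no shutdown, which is a deliberate, logged change rather than a live jack waiting in an unlocked closet.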

Concept Check: CIA and Threats

Reinforce your understanding of the CIA triad and common threats.

A Distributed Denial of Service (DDoS) attack primarily targets which element of the CIA triad, and why?

  A) Confidentiality, because it steals user passwords from the server
  B) Integrity, because it modifies routing tables on the server
  C) Availability, because it overwhelms resources so legitimate users cannot access the service
  D) All three equally, because any attack affects confidentiality, integrity, and availability

Answer: C) Availability, because it overwhelms resources so legitimate users cannot access the service

A DDoS attack mainly targets availability by overloading bandwidth, CPU, or memory so legitimate users cannot access the service. While secondary effects might impact other areas, its primary goal is to disrupt access.

Key Term Flashcards: Security Fundamentals

Flip through these cards to reinforce core security concepts before moving on.

Confidentiality
Ensuring that only authorized people or systems can access data. Example: using SSH instead of Telnet to protect router login credentials.
Integrity
Ensuring data is accurate and unaltered except by authorized changes. Example: preventing unauthorized changes to routing tables or configuration files.
Availability
Ensuring systems and data are accessible when needed. Example: protecting against DoS attacks that overwhelm a router or server.
Least privilege
Security principle that users and systems should be given the minimum level of access necessary to perform their tasks, and no more.
Defense in depth
An approach that uses multiple, overlapping security controls so that if one fails, others still provide protection.
Spoofing
A type of attack where an attacker forges information (such as IP, MAC, or ARP data) to appear as another device or user.
Denial of Service (DoS)
An attack that attempts to make a service unavailable by exhausting resources such as bandwidth, CPU, or memory.
Social engineering
Manipulating people into performing actions or divulging information, often bypassing technical controls. Example: phishing emails or fake IT support calls.
Device hardening
Reducing a device’s attack surface by securing management access, disabling unused services and ports, and applying basic protections.
Out-of-band (OOB) management
Managing devices over a separate, dedicated network or path that is isolated from normal user traffic, improving security and resilience.

Key Terms

ACL
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
SSH
Secure Shell, a protocol that provides encrypted remote login and command execution, used for secure device management.
Telnet
An older, unencrypted remote login protocol that sends data, including passwords, in clear text and is not recommended for secure management.
Malware
Malicious software, such as viruses, worms, trojans, and ransomware, designed to damage, disrupt, or gain unauthorized access to systems.
Spoofing
A type of attack where an attacker forges identity information (such as IP, MAC, or ARP data) to appear as another device or user.
Integrity
Ensuring data is accurate and unaltered except by authorized changes, using mechanisms like hashes, checksums, and controlled updates.
Availability
Ensuring systems and data are accessible when needed, by protecting capacity, redundancy, and resilience against failures or attacks.
Control plane
The part of a network device responsible for routing, signaling, and management traffic, as opposed to forwarding user data.
Confidentiality
Ensuring that only authorized people or systems can access data, often using encryption and access controls.
Least privilege
Security principle that users and systems should be given the minimum level of access necessary to perform their tasks, and no more.
Defense in depth
An approach that uses multiple, overlapping security controls so that if one fails, others still provide protection.
Device hardening
The process of securing a device by reducing its attack surface, disabling unused services, securing management, and applying protections.
In-band management
Managing devices over the same network used for normal user traffic.
Social engineering
Manipulating people into performing actions or divulging confidential information, often bypassing technical security controls.
Out-of-band management
Managing devices over a separate, dedicated network or path that is isolated from normal user traffic.
Denial of Service (DoS)
An attack that attempts to make a service unavailable by exhausting resources such as bandwidth, CPU, or memory.
Distributed Denial of Service (DDoS)
A DoS attack launched from many distributed sources at once, making it harder to block by IP alone.
