Overview
CCNA security starts with knowing common threats (malware, social engineering, DoS) and matching controls (ACLs, switch security, firewalls). This guide maps attack types to mitigations at exam depth.
Security fundamentals
| Term | Definition |
|---|---|
| Threat | Potential to cause harm to an IT asset |
| Vulnerability | Weakness that compromises security or functionality |
| Exploit | Technique that uses a vulnerability to compromise a system |
| Risk | Likelihood and impact of a successful attack |
| Mitigation | Techniques to reduce attack likelihood or severity |
CCNA expects you to recognize common threats and map them to layered defenses: firewalls, ACLs, switch security (port security, DHCP snooping), device hardening, and encryption.
Malware
Malware is malicious software. Know these types for the exam:
| Type | Behavior | Spread |
|---|---|---|
| Virus | Inserts into other software | Requires human action to spread |
| Worm | Self-replicating | Spreads automatically across networks |
| Trojan horse | Disguised as legitimate software | Often installs back doors |
| Ransomware | Encrypts data; demands payment for decryption key | Often delivered via phishing |
Botnets are built from worm/trojan-infected zombie hosts controlled by a command-and-control (C2) server — the foundation of large-scale DDoS attacks.
Hacking tools (awareness)
Penetration testers use the same tools as attackers to find weaknesses:
- Password crackers
- Packet sniffers (Wireshark) — read unencrypted traffic
- Ping sweepers
- Port and vulnerability scanners
Reconnaissance and social engineering
Reconnaissance gathers information about a target before attacking — from passive sources (WHOIS, job listings) to active tools (ping sweeps, port scans).
Social engineering manipulates people into revealing credentials or sensitive data — often via phone or email, with no technical exploit required.
Phishing is social engineering via fake emails or websites impersonating trusted brands to steal passwords or payment data.
Data exfiltration
Data exfiltration is unauthorized data leaving an organization — by external hackers after compromise, or insiders (malicious or accidental, e.g., email with secrets, lost USB drive).
Denial of Service (DoS)
A DoS attack floods a target with more traffic than it can handle, denying service to legitimate users. Single-source DoS can be blocked by filtering that source.
TCP SYN flood

TCP SYN flood — attacker sends SYNs without completing the handshake, exhausting server connection tables.
Supplementary figure from Panagiss CCNAmd

SYN flood mitigation concepts — half-open connections consume resources.
Supplementary figure from Panagiss CCNAmd
DDoS and botnets
Distributed DoS (DDoS) attacks originate from many sources (botnet), making simple source blocking ineffective. Infected hosts connect outbound to C2 servers — bypassing inbound firewall rules.
Spoofing
Spoofing fakes identity:
| Type | Example |
|---|---|
| IP address spoofing | Fake source IP in packets |
| MAC address spoofing | Fake source MAC on LAN |
| Application spoofing | Rogue DHCP server offering wrong gateway/DNS |
Reflection and amplification
Reflection attacks spoof the victim's address as the source, causing reflectors to flood the victim with responses. Amplification uses protocols that return much larger responses than requests (e.g., DNS, NTP) to multiply attack volume.
Man-in-the-middle (MITM)
The attacker inserts into the communication path between legitimate hosts — reading or modifying traffic. ARP spoofing is a classic L2 MITM attack on IPv4 LANs.
Password attacks
When a login prompt is reachable:
- Enumeration — discover valid usernames
- Guessing, brute force, dictionary attacks — obtain passwords
Mitigation: account lockout, strong passwords, MFA, limit management access with ACLs/VTY restrictions.
Buffer overflow
Malformed or oversized data sent to a service can crash it (DoS) or allow arbitrary code execution (compromise).
Packet sniffers
On a compromised host or in the traffic path, sniffers capture packets. Unencrypted protocols (Telnet, HTTP, SNMPv1/v2c communities) expose credentials immediately. Use SSH, HTTPS, and SNMPv3.
IDS and IPS
| System | Placement | Action |
|---|---|---|
| IDS (Intrusion Detection) | Out-of-band / copy of traffic | Alerts administrators |
| IPS (Intrusion Prevention) | Inline | Can block matching traffic |
Both use signatures (known attack patterns) and anomaly detection (unusual behavior). Require tuning to minimize false positives/negatives.

IDS vs IPS placement — detection observes; prevention sits inline.
Supplementary figure from Panagiss CCNAmd
IPS vs firewalls
| Device | Inspection depth | Typical rules |
|---|---|---|
| Firewall | L3/L4 (IP, port) | Permit/deny by address and port |
| IPS | Up to L7 (application) | Signature-based attack blocking |
Next-Generation Firewalls (NGFW) blur the line — deep packet inspection, application awareness, IPS, and VPN termination in one platform (e.g., Cisco Firepower on ASA).
Stateful firewalls
Stateful firewalls maintain a connection table tracking two-way flow state. Return traffic for permitted outbound sessions is allowed automatically.

Stateful firewall — connection table tracks permitted flows and return traffic.
Supplementary figure from Panagiss CCNAmd
Example policy:
- Deny all inbound from outside to inside
- Permit outbound web from 10.10.10.0/24
- Return web traffic permitted by state table
Packet filters (ACLs) vs stateful firewalls
ACLs on routers are stateless packet filters:
- No connection table
- Affect one direction only
- Outbound ACL only → return traffic allowed (no ACL on inbound)
- ACLs both directions → need explicit permits for outbound and return

ACL packet filter — stateless, one direction; return traffic needs its own rule.
Supplementary figure from Panagiss CCNAmd
Defense in depth: firewalls at security boundaries + internal ACLs on routers for segmentation. See the ACL topic for placement rules.
Internal vs external threats
| Threat source | Primary mitigation |
|---|---|
| External | Perimeter firewall + IPS |
| Internal | Segmentation ACLs, switch port security, host firewalls |

Defense in depth — perimeter and internal security controls.
Supplementary figure from Panagiss CCNAmd
Cryptography (CCNA awareness)
| Service | Provided by crypto |
|---|---|
| Confidentiality | Encryption — data unreadable to interceptors |
| Integrity | Hash/HMAC — detect tampering |
| Authenticity | Digital signatures, certificates |
| Non-repudiation | Sender cannot deny sending |
Symmetric vs asymmetric
| Type | Keys | Speed | Use case |
|---|---|---|---|
| Symmetric | Same shared secret key | Fast | Bulk data (AES, 3DES) |
| Asymmetric | Public/private key pair | Slow | Key exchange, signatures (RSA) |
HMAC (MD5, SHA) provides integrity using a shared symmetric key.
PKI and TLS
PKI uses a trusted Certificate Authority (CA) to solve key distribution. TLS (successor to SSL) secures HTTPS:
- Server presents certificate signed by trusted CA
- Browser verifies with CA public key
- Symmetric session keys negotiated for bulk encryption
- HMAC ensures integrity
VPN overview (awareness)
Site-to-site VPNs encrypt traffic over untrusted networks (Internet) using IPsec (ESP common; AH less common).
| IPsec mode | Use |
|---|---|
| Tunnel | Encrypts original IP header — site-to-site |
| Transport | Encrypts payload only — host-to-site |
IPsec phases:
- IKE Phase 1 — authenticate peers, build secure channel
- IKE Phase 2 — negotiate IPsec SA (transform set)
- Data transfer — encrypt interesting traffic
Interesting traffic is defined by an extended ACL — ties VPN config to ACL knowledge.
Remote access VPN connects individual users to the corporate network (client VPN).
CCNA-level mitigation summary
| Threat | Mitigation at CCNA scope |
|---|---|
| Malware / botnets | Patch management, endpoint AV, egress filtering |
| Phishing / social engineering | User training, email filtering |
| DoS/DDoS | ISP scrubbing, rate limiting, IPS (awareness) |
| Spoofing | DHCP snooping, DAI, BPDU Guard, uRPF (awareness) |
| MITM / ARP spoofing | DAI, port security, encryption |
| Password attacks | SSH not Telnet, AAA, strong passwords, VTY ACLs |
| Sniffing | Encrypt management (SSH, SNMPv3), HTTPS |
| Unauthorized access | Firewalls, ACLs, switch security |
Exam checklist
| Trap | Key fact |
|---|---|
| Virus vs worm | Virus needs human action; worm self-propagates |
| IDS vs IPS | IDS alerts; IPS blocks inline |
| ACL vs stateful FW | ACLs don't track connection state |
| SNMPv1/v2c | Community strings sent in clear text |
| DDoS vs DoS | DDoS = many sources; harder to filter |
| ICMPv6 in IPv6 ACLs | Blanket deny breaks NDP — see IPv6 topic |