1.1 Explain common threats against on-premises and cloud environments
  1.1.a On-premises: viruses, trojans, DoS/DDoS attacks, phishing, rootkits, man-in-the-middle attacks, SQL injection, cross-site scripting, malware
  1.1.b Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials
1.2 Compare common security vulnerabilities such as software bugs, weak and/or hardcoded passwords, SQL injection, missing encryption, buffer overflow, path traversal, cross-site scripting/forgery
1.3 Describe functions of the cryptography components such as hashing, encryption, PKI, SSL, IPsec, NAT-T IPv4 for IPsec, pre-shared key and certificate based authorization
1.4 Compare site-to-site VPN and remote access VPN deployment types such as sVTI, IPsec, Cryptomap, DMVPN, FLEXVPN including high availability considerations, and AnyConnect
1.5 Describe security intelligence authoring, sharing, and consumption
1.6 Explain the role of the endpoint in protecting humans from phishing and social engineering attacks
1.7 Explain North Bound and South Bound APIs in the SDN architecture
1.8 Explain DNAC APIs for network provisioning, optimization, monitoring, and troubleshooting
1.9 Interpret basic Python scripts used to call Cisco Security appliances APIs
2.1 Compare network security solutions that provide intrusion prevention and firewall capabilities
2.2 Describe deployment models of network security solutions and architectures that provide intrusion prevention and firewall capabilities
2.3 Describe the components, capabilities, and benefits of NetFlow and Flexible NetFlow records
2.4 Configure and verify network infrastructure security methods (router, switch, wireless)
  2.4.a Layer 2 methods (Network segmentation using VLANs and VRF-lite; Layer 2 and port security; DHCP snooping; Dynamic ARP inspection; storm control; PVLANs to segregate network traffic; and defenses against MAC, ARP, VLAN hopping, STP, and DHCP rogue attacks)
  2.4.b Device hardening of network infrastructure security devices (control plane, data plane, management plane, and routing protocol security)
2.5 Implement segmentation, access control policies, AVC, URL filtering, and malware protection
2.6 Implement management options for network security solutions such as intrusion prevention and perimeter security (Single vs. multidevice manager, in-band vs. out-of-band, CDP, DNS, SCP, SFTP, and DHCP security and risks)
2.7 Configure AAA for device and network access (authentication and authorization, TACACS+, RADIUS and RADIUS flows, accounting, and dACL)
2.8 Configure secure network management of perimeter security and infrastructure devices (secure device management, SNMPv3, views, groups, users, authentication, and encryption, secure logging, and NTP with authentication)
2.9 Configure and verify site-to-site VPN and remote access VPN
  2.9.a Site-to-site VPN utilizing Cisco routers and IOS
  2.9.b Remote access VPN using Cisco AnyConnect Secure Mobility client
  2.9.c Debug commands to view IPsec tunnel establishment and troubleshooting