Posts from ‘CCIE Security’
Finally, Cisco has made the official announcement of the upcoming changes for CCIE Security Version 5. The changes to both the written exam and the lab exam go live on 31 January 2017, which gives you the usual six-month window to pass the Version 4 exam before the change to Version 5 occurs. Compared with the old blueprint, there are major changes in both the technical content and the exam delivery format.
As expected, the new exam topics are in line with Cisco’s current Security product line, with pretty much nothing missing. Yes, you read that right! Also as expected, Cisco is pushing the same exam delivery model across all CCIE tracks.
Blueprint Technical Topic Changes
We now have a Unified Exam Blueprint, covering topics for both the written and lab exam, similar to the change that was introduced with CCIE Data Center Version 2. The Blueprint for Version 5 is divided into 6 sections, with the last one being relevant only for the written exam:
- Perimeter Security and Intrusion Prevention
- Advanced Threat Protection and Content Security
- Secure Connectivity and Segmentation
- Identity Management, Information Exchange and Access Control
- Infrastructure Security, Virtualization and Automation
- Evolving Technologies*
*Written exam only
Topics removed from both written and lab exams:
- EzVPN is out, as expected; Cisco is moving forward with its AnyConnect (IPsec and SSL) Remote Access VPN client
- Legacy IPS, Cisco’s old IPS sensor technology, is out as well
Many topics have been added to the blueprint. Since there are no longer separate blueprints for the written and lab exams, anything in the blueprint can show up in either exam. Although, given the lab equipment changes, some technologies cannot be configured in the lab exam, you might still get questions about them in the new Diagnostic section of the lab. So prepare for every technology in the blueprint, for both exams.
New Version 5 Topics:
- ASA Clustering
- NAT for IPv6
- Cloud Web Security (CWS)
- Email Security Appliance (ESA)
- Content Security Management Appliance (SMA)
- Advanced Malware Protection (AMP)
- Virtual Security Gateway
- TrustSec with SGT and SXP
- ACI, EVPN, VXLAN and NVGRE
- ISE Personas with multimode deployment
- MDM Integration with ISE
- Wireless concepts such as FlexConnect and anchor controllers
- NetFlow/IPFIX and eStreamer
- APIC-EM Controller
- RESTful API in scripting languages such as Python
- Evolving Technologies (Cloud, SDN and IoT), in the written exam only
Lab Exam Equipment Changes
As previously rumored, in Version 5 we have more equipment going virtual:
- FirePOWER Management Center version 6.0.1 and/or 6.1
- FirePOWER NGIPSv version 6.0.1
- Cisco FirePOWER Threat Defense version 6.0.1
- FireAMP Private Cloud
- Cisco ASAv version 9.1
- Cisco Application Policy Infrastructure Controller Enterprise Module version 1.2
- Email Security Appliance (ESA) version 9.7.1
- IOSv L2 version 15.2 (which is virtual IOS for layer 2)
- IOSv L3 version 15.5(2)T (which is virtual IOS for layer 3)
- Cisco CSR 1000v version 3.16.02S
- Cisco Unified Communications Manager version 8.6(1)
Other virtual devices have been kept from the previous blueprint, with a version change:
- Cisco Identity Services Engine (ISE) version 2.1.0
- Cisco Secure Access Control System (ACS)
- Cisco Web Security Appliance (WSA) version 9.2.0
- Cisco Wireless Controller (WLC) version 8.0.133
- Test PC is Microsoft Windows 7
- Active Directory is running on Microsoft Windows Server 2008
- AnyConnect version 4.2
As for physical devices, Version 5 has the following:
- Cisco Catalyst Switch C3850-12S version 16.2.1
- Cisco Adaptive Security Appliance 5512-X version 9.6.1
- Cisco 2504 Wireless Controller
- Cisco Aironet 1602E version 15.3.3-JC
- Cisco Unified IP Phone 7965 version 9.2(3)
FirePOWER is the major new addition: both FirePOWER NGIPS and FirePOWER Threat Defense (the unified image for ASA and FirePOWER Services) are added, alongside FirePOWER Management Center as the management platform. FireAMP will also be present through the private cloud appliance, which keeps the advanced malware protection analytics, policies, detections and protections on premises.
The ASA firewall is present as the physical ASA 5512-X and the virtual ASAv. The addition of APIC-EM, which supports both the physical and virtual ASA models, is clearly interesting and a strong signal of Cisco’s direction: the adoption of SDN technologies in the Enterprise market.
As expected, ESA has finally been added; it was supposed to be in the Version 4 lab exam too, but Cisco decided in the end to skip it.
Routers and switches are now virtualized through IOSv for Layer 2/Layer 3 and the CSR 1000v, the exception being the 3850 switch, which is most probably there for TrustSec features that the virtual platforms do not support (MACsec, SGT, SXP).
Finally, I would assume that the only reason for the Cisco Unified Communications Manager being in a Security CCIE lab is for the IP Phone to register, which means you need zero knowledge about this technology.
Lab Exam Format Changes
The new lab exam format follows Cisco’s current vision of exam delivery, which aims to test you on different sets of skills. The format is the same one introduced with CCIE R&S Version 5, of course with Security technical topics instead of R&S ones.
The eight-hour lab is now divided into three modules, taken in this fixed order:
- Troubleshooting module
- Diagnostic module
- Configuration module
Troubleshooting module
- It’s 2 hours in length; you can optionally borrow 30 minutes from the configuration module.
- As the name says, it’s a troubleshooting section: you’re given a number of tickets/incidents to fix. There is no interdependency between tickets and you can fix them in any order. You have console access to the devices to reconfigure the network and fix the problems.
- This module tests your troubleshooting skills and methodology, and your ability to fix a problem in an unknown network topology within a fixed time.
Diagnostic module
- It’s 1 hour in length, and you cannot extend it.
- As the name says, it’s still a troubleshooting section, but in a different format: you’re given a number of tickets/incidents, with no interdependency between them and in any order, but you have NO console access to the devices. Instead, for each ticket you’re given several inputs (e-mail threads, diagrams, logs, traffic captures) from which you have to diagnose the problem and select the correct answer(s).
- This module tests your ability to analyze and correlate multiple inputs about a network problem within a fixed time, identifying the root cause without access to the devices.
Configuration module
- It’s 5 hours in length, or 4.5 hours if you extended the troubleshooting module.
- As the name says, it’s a configuration section: you’re given a number of configuration tasks, with console access to implement the requirements. This is essentially what the whole Version 4 exam was, as it had only one module. There will be dependencies between tasks; some are stated explicitly, others are implicit and you have to work them out.
- This module tests your understanding of a solution’s design and architecture, of the traffic flows and dependencies when multiple technologies are combined, and your ability to turn network requirements into working configuration within a fixed time.
Passing the Lab Exam
To pass the lab exam, two conditions must be satisfied:
- Pass each module: score at least the minimum cut score for that module
- Meet the overall cut score: your total points across all modules must reach the minimum overall cut score
As each module tests a different set of skills on the same technologies, the first criterion makes sense: you have to pass every module. This ensures you have proved yourself an expert not only on the technology, but also in applying that knowledge to different types of problems, challenged in different ways. The minimum cut score for each module is not published, most probably because it can vary between lab exam versions; for example, you might get a more complex Diagnostic section with a lower minimum cut score, or a less complex one with a higher minimum cut score.
The second criterion also makes sense. It is probably there to ensure that you don’t pass the exam by scraping past each module’s cut score. You can have a PASS for every module and still a FAIL for the exam. So to pass the exam, you need to score comfortably above the module cut score in at least some of the modules, enough that your total reaches the overall cut score.
Although it might seem that you’re walking in blind, since you sit the lab without knowing how many points are required to pass in each of the three modules, this new lab exam format also has some benefits:
- It gives flexibility: you can score fewer points in a module where you’re less prepared, and more points in the others
- It gives you better focus: you’re no longer chasing points, you’re trying to do your best in each module and prove your skills, which also implies a change of strategy for the lab
- By passing a lab exam in this format, you’ve proven yourself an expert in the field, with certified skills to implement Cisco’s technologies in today’s and tomorrow’s networks
In conclusion, it’s now clear that if you want to become CCIE Security Version 5 certified, you will need more FirePOWER.
As a side note, INE has been experiencing phenomenal growth, and tremendous passing rates for people that have been sitting our R&S, Data Center and Collaboration bootcamps. In fact, of just the bootcamps we’ve held this year, nearly all of our students have reported back to us a pass in the 3-4 weeks following their bootcamp experience. Now mind you, these folks come to us studied up and prepared for the bootcamp, but they all credit us as being the deciding factor in their pass.
We’re also adding new content all the time, including Python scripting, Openstack and SDN such as OVS. Check out our Black Friday deals and grab an All Access Pass or sign up for a bootcamp and check out what’s new!
INE is reducing the cost of our live, instructor-led bootcamps by $1,000 each. Our new pricing model will still include access to our workbooks and ATC video courses with the purchase, but will separate out the Lab Exam Voucher and access to our All Access Pass as optional add-ons, to give you more flexible options for both your learning style and your budget. If you would like the existing complete, bundled solution, you have until Aug 1 to make a bootcamp purchase.
See this advert for more details.
Look forward to seeing you in a bootcamp soon!
Earlier this year in April, we reported to you about a major change in policy for retakes of the CCIE Written and Lab exams. Just today Cisco updated that policy with a major blow for anyone who has been preparing under the old rules. Namely: “These policy changes will be applied retroactively from the date of a candidate’s first lab attempt.” The seemingly innocuous announcement can be found on their CCIE Lab Policy page, just above the table indicating how long you must wait between attempts. This means that if you already have, for instance, two attempts (and unfortunately two fails) going into August 2 (when the new policy goes into effect), you would have to wait 90 days from the time of your last attempt to retry the exam. This still gives folks a chance to get another attempt (or possibly two) in before the Aug 2 deadline, regardless of the number of previous failed (or missed, if you simply didn’t show) attempts. But of course Cisco’s real goal here is to get you to study harder before even attempting your first CCIE Lab, which isn’t a bad idea for anyone.
So as always – Happy Labbing and STUDY HARD!
In a continuing effort to protect the integrity of the CCIE program, Cisco has announced a major change to the retake policy for the CCIE Written and Practical Lab exams. These changes take effect on August 1, 2014. If a candidate does not pass on their first attempt at either a written or a practical “lab” exam within a given track, the frequency with which they will be allowed to retake the exam changes dramatically from past allowances, effectively ending the virtually ‘unlimited’ retakes a candidate could previously make within a single calendar year (more specifically, within 12 calendar months from the date of the first attempt).
Changes to CCIE Practical Lab Exam
Perhaps of most interest to most people will be the frequency with which one is allowed to re-sit a CCIE Lab exam. If a candidate does not pass on their first attempt at a given lab exam, they will still be allowed to retake it after 30 days have elapsed. The major change comes if the candidate does not pass on their second attempt: after that attempt they must now wait another 90 days before their third attempt. Unlikely, but assuming a failure on attempt three and a need to sit for attempt four, the candidate must wait another 90 days. The same goes from attempt four to attempt five. After a very, very bad year in which a sixth attempt becomes necessary, the wait goes up to a full six months between attempts. The changes can be seen in a screenshot from a recent webinar below (after the jump).
CCIE Security Version 4.0 adds new software version updates, as well as introduces new hardware platforms to the exam, such as ISE and WSA. The hardware used in our new course is available through our CCIE Security Rack Rentals. The playlist for the new CCIE SCv4 ATC is as follows. A few minor topics are still in video post-processing and will be posted shortly.
- Recommended Study Resources
- ASA Firewall Overview
- ASA Basic Initialization
- ASA IP Routing
- ASA ACLs
- ASA High Availability Overview
- ASA Active/Standby Failover
- ASA Multiple Context Mode Overview
- ASA Multiple Context Mode Configuration
- ASA Active/Active Failover
- ASA Transparent Firewall
- ASA Transparent Firewall & ARP Filtering
- ASA Transparent Failover
- ASA Modular Policy Framework (MPF) Overview
- ASA Modular Policy Framework (MPF) Configuration
- ASA Advanced TCP Inspection with MPF
- ASA Advanced Application Inspection with MPF
- ASA Quality of Service (QoS)
- ASA Network Address Translation (NAT) Part 1
- ASA Network Address Translation (NAT) Part 2
- ASA Redundant Interfaces
- Standard, Extended, Time Based, & Dynamic ACLs
- Reflexive ACLs
- TCP Intercept
- Content Based Access Control (CBAC)
- CBAC High Availability
- Zone Based Firewall (ZBPF) Overview
- ZBPF Configuration
- Port to Application Mapping (PAM)
- ZBPF Parameter Tuning
- ZBPF Application Inspection
- IOS Transparent Firewall
- ZBPF Transparent Firewall
- IPsec VPN Overview
- IOS LAN-to-LAN IPsec Configuration
- IPsec Verification & Troubleshooting
- ASA LAN-to-LAN IPsec Configuration
- IOS & ASA PKI Overview
- IPsec & PKI Certificates
- GRE over IPsec Tunnels
- IPSec Profiles & Virtual Tunnel Interfaces (VTIs)
- Easy VPN Overview
- IOS Easy VPN Server
- IOS Easy VPN Client
- IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles
- ASA Easy VPN Server
- ASA Easy VPN Server & IOS Easy VPN Client
- ASA Clientless & AnyConnect SSL VPN
- IPS Overview, Promiscuous Mode & SPAN
- IPS Promiscuous Mode & RSPAN
- IPS Blocking Devices & Custom Signatures
- IPS Inline Mode, VLAN Pairing
- IPS Virtual Sensors and Signature Engines
- WSA Overview & Initial Setup
- WSA Management, Identities, & Access Policies
- WSA HTTP Session Processing
- WSA Transparent Mode & WCCP L2 Mode
- WSA Transparent Mode & WCCP GRE Mode
- WSA HTTPS Decryption Policies
- AAA Overview, Local AAA, & Role Based CLI
- IOS AAA with ACS
- ASA AAA with ACS
- ACS IOS Auth-Proxy Authentication
- ACS IOS Auth-Proxy Authorization
- ACS ASA Cut-Through Proxy
- ISE Overview
- 802.1x, MAB, & EAP Overview
- ISE MAB Authentication
- ISE 802.1x & MAB Authorization
- ISE 802.1x Authentication
- ISE MACsec
- ISE Central Web Authentication
- ISE Profiling
Tomorrow, December 6th 2013, at 10:00 PST (GMT 18:00) I will be running a free live online session on Introduction to DMVPN for CCIE R&S v5 Candidates. You can sign-up for this seminar here. Additionally the link to attend is available at the top of the dashboard when you login to the INE Members Site.
This session is the first of many to help candidates transition from the current CCIE R&S v4 Blueprint to the recently announced CCIE R&S v5 Blueprint that goes live on June 4th 2014. We will continue to run additional sessions in the future on new topics that have been added to the CCIE R&S v5 Blueprint, such as IPv6 First Hop Security, IPsec LAN-to-LAN tunnels, GET VPN, IGP Convergence & Scalability, and BGP Convergence & Scalability, just to name a few. These sessions are not only applicable to CCIE R&S v5 candidates, but also to those pursuing the CCNA, CCNP, or CCIE Security tracks, as well as for everyday engineers looking to apply these technologies in their production environments.
Tomorrow’s session will focus on the theory of what Dynamic Multipoint VPN (DMVPN) is, what problems it was designed to solve, and where it fits in the overall network design as compared to other technologies such as MPLS Virtual Private LAN Service (VPLS) or MPLS Layer 3 VPNs. The session will also include live implementation examples of DMVPN on the Cisco IOS CLI. Expect this session to run somewhere around 2 – 3 hours in length.
I hope to see you there!
INE’s new CCIE Security V4 Advanced Technologies Class continues this week, with a focus on ASA Firewall. This week’s classes will run Wednesday Oct 9th – Friday Oct 11th at 10:00 PDT (17:00 GMT) daily, with class days running typically about 4 hours each.
Anyone with an active All Access Pass subscription, or who has previously purchased the download version of the SCv3 ATC, can attend the live sessions. The link to join class can be found at the top of the Members Site dashboard, or directly at http://ine.co/scv4.
Specifically this week’s classes will focus on the following topics:
- Security Levels
- Access Lists before and after 8.3
- Routed vs. Transparent Firewall
- Single vs. Multi Context Mode
- Active/Standby vs. Active/Active Failover Mode
- ASA Routing
- NAT before and after 8.3
- ASA Modular Policy Framework and Application Inspection
Yesterday marked the kickoff of the new CCIE Security v4 Advanced Technologies Class. In our first session we discussed the scope of the new CCIE Security Version 4.0 blueprint, recommended readings (which can be found at the bottom of this post), the new format of class, and technical topics that included stateless traffic filters on IOS with standard ACLs, extended ACLs, time-based ACLs, and dynamic ACLs.
Going forward, the SCv4 ATC will be delivered over the next 4 – 6 weeks as shorter, more spread-out class days, typically of about 4 hours apiece. The specific class schedule will be posted here on the blog at least a week in advance so you can plan which sessions to attend live. Anyone with an active All Access Pass subscription, or who has previously purchased the download version of the SCv3 ATC, can attend the live sessions. The link to join class can be found at the top of the Members Site dashboard, or directly at http://ine.co/scv4. In the short term, the next class sessions are as follows:
- 2013-09-26 10:00 PDT (17:00 GMT) – Reflexive ACLs, CBAC, & ZBPF
- 2013-09-30 10:00 PDT (17:00 GMT) – Advanced ZBPF
A longer-term schedule will be posted after the weekend. In general, the class flow will follow the below outline. If you have specific topics requests for class please feel free to post a comment below and I will take it into account.
Starting tomorrow, September 24th 2013 at 10:00 PDT (17:00 GMT), I will begin running the new CCIE Security Advanced Technologies Class for the newest version 4.0 blueprint. Online streaming of tomorrow’s class is free for anyone to attend. Simply log in to http://members.ine.com and then browse to the streaming URL http://ine.co/scv4. A link to the streaming page is also located in the members dashboard.
Tomorrow’s class will start with an introduction about the scope of the CCIE Security v4 blueprint, including the hardware and software versions, as well as the specific technologies within the scope, and then will continue with the technical topics of IOS Firewall, including stateless ACL filtering and stateful filtering with both CBAC and ZBPF.
The format of this class will be a little different from previous iterations of the ATCs for Security, R&S, SP, etc. Instead of running a 5-day class with 8 – 10 hours per day, the class will be spread out over the next 4 – 6 weeks in smaller increments. This will let you plan your study schedule around it, and ideally not have to take a full week or more of vacation time or PTO to attend the sessions. More details of the specific class schedule will be discussed during the class intro tomorrow.
Beyond tomorrow’s class, anyone with a currently active All Access Pass subscription, or who has previously purchased the CCIE Security ATC Download, will be able to attend the live streaming sessions. Streaming and download versions of the class recordings will be available sometime around November, and more updates will be posted as the live class progresses.
I hope to see you in class tomorrow!