16 October 08
CCIE Security Lab Changes - Mid-April 2009
Posted byINE
The long rumored Security CCIE Lab changes have finally been officially announced by Cisco. The new version 3 hardware/software and blueprint will be implemented in mid-April 2009. The good news is that there are not going to be any real changes to the hardware. The new hardware and software is listed below:
Hardware
- Cisco 3800 Series Integrated Services Routers (ISR)
- Cisco 1800 Series Integrated Services Routers (ISR)
- Cisco Catalyst 3560 Series Switches
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco IPS Series 4200 Intrusion Prevention System sensors
- Cisco Secure Access Control Server for Windows
Software
- Cisco ISR Series running IOS Software Version 12.4T Advanced Enterprise Services feature set is used on all routers
- Cisco Catalyst 3560 Series Switches running Cisco IOS Software Release 12.2(44)SE or above
- Cisco ASA 5500 Series Adaptive Security Appliances OS Software Version 8.x
- Cisco IPS Software Release 6.1.x
- Cisco VPN Client Software for Windows, Release 5.x
- Cisco Secure ACS for Windows Version 4.1
New Version 3 Blueprint
- Implement secure networks using Cisco ASA Firewalls
- Perform basic firewall Initialization
- Configure device management
- Configure address translation (nat, global, static)
- Configure ACLs
- Configure IP routing
- Configure object groups
- Configure VLANs
- Configure filtering
- Configure failover
- Configure Layer 2 Transparent Firewall
- Configure security contexts (virtual firewall)
- Configure Modular Policy Framework
- Configure Application-Aware Inspection
- Configure high availability solutions
- Configure QoS policies
- Implement secure networks using Cisco IOS Firewalls
- Configure CBAC
- Configure Zone-Based Firewall
- Configure Audit
- Configure Auth Proxy
- Configure PAM
- Configure access control
- Configure performance tuning
- Configure advanced IOS Firewall features
- Implement secure networks using Cisco VPN solutions
- Configure IPsec LAN-to-LAN (IOS/ASA)
- Configure SSL VPN (IOS/ASA)
- Configure Dynamic Multipoint VPN (DMVPN)
- Configure Group Encrypted Transport (GET) VPN
- Configure Easy VPN (IOS/ASA)
- Configure CA (PKI)
- Configure Remote Access VPN
- Configure Cisco Unity Client
- Configure Clientless WebVPN
- Configure AnyConnect VPN
- Configure XAuth, Split-Tunnel, RRI, NAT-T
- Configure High Availability
- Configure QoS for VPN
- Configure GRE, mGRE
- Configure L2TP
- Configure advanced Cisco VPN features
- Configure Cisco IPS to mitigate network threats
- Configure IPS 4200 Series Sensor Appliance
- Initialize the Sensor Appliance
- Configure Sensor Appliance management
- Configure virtual Sensors on the Sensor Appliance
- Configure security policies
- Configure promiscuous and inline monitoring on the Sensor Appliance
- Configure and tune signatures on the Sensor Appliance
- Configure custom signatures on the Sensor Appliance
- Configure blocking on the Sensor Appliance
- Configure TCP resets on the Sensor Appliance
- Configure rate limiting on the Sensor Appliance
- Configure signature engines on the Sensor Appliance
- Use IDM to configure the Sensor Appliance
- Configure event action on the Sensor Appliance
- Configure event monitoring on the Sensor Appliance
- Configure advanced features on the Sensor Appliance
- Configure and tune Cisco IOS IPS
- Configure SPAN & RSPAN on Cisco switches
- jfdk
- Implement Identity Management
- Configure RADIUS and TACACS+ security protocols
- Configure LDAP
- Configure Cisco Secure ACS
- Configure certificate-based authentication
- Configure proxy authentication
- Configure 802.1x
- Configure advanced identity management features
- Configure Cisco NAC Framework
- Implement Control Plane and Management Plane Security
- Implement routing plane security features (protocol authentication, route filtering)
- Configure Control Plane Policing
- Configure CP protection and management protection
- Configure broadcast control and switchport security
- Configure additional CPU protection mechanisms (options drop, logging interval)
- Disable unnecessary services
- Control device access (Telnet, HTTP, SSH, Privilege levels)
- Configure SNMP, Syslog, AAA, NTP
- Configure service authentication (FTP, Telnet, HTTP, other)
- Configure RADIUS and TACACS+ security protocols
- Configure device management and security
- Configure Advanced Security
- Configure mitigation techniques to respond to network attacks
- Configure packet marking techniques
- Implement security RFCs (RFC1918/3330, RFC2827/3704)
- Configure Black Hole and Sink Hole solutions
- Configure RTBH filtering (Remote Triggered Black Hole)
- Configure Traffic Filtering using Access-Lists
- Configure IOS NAT
- Configure TCP Intercept
- Configure uRPF
- Configure CAR
- Configure NBAR
- Configure NetFlow
- Configure Anti-Spoofing solutions
- Configure Policing
- Capture and utilize packet captures
- Configure Transit Traffic Control and Congestion Management
- Configure Cisco Catalyst advanced security features
- Identify and Mitigate Network Attacks
- Identify and protect against fragmentation attacks
- Identify and protect against malicious IP option usage
- Identify and protect against network reconnaissance attacks
- Identify and protect against IP spoofing attacks
- Identify and protect against MAC spoofing attacks
- Identify and protect against ARP spoofing attacks
- Identify and protect against Denial of Service (DoS) attacks
- Identify and protect against Distributed Denial of Service (DDoS) attacks
- Identify and protect against Man-in-the-Middle (MiM) attacks
- Identify and protect against port redirection attacks
- Identify and protect against DHCP attacks
- Identify and protect against DNS attacks
- Identify and protect against Smurf attacks
- Identify and protect against SYN attacks
- Identify and protect against MAC Flooding attacks
- Identify and protect against VLAN hoping attacks
- Identify and protect against various Layer2 and Layer3 attacks