Jan 31

In this post we will give a brief overview of the upgrade path from the CCIE Security v2.0 blueprint to v3.0. First of all, let’s start with the good news for everyone who was preparing using the old blueprint: most of the things you have learned are incorporated smoothly into the new blueprint. Basically, the only thing to forget is your VPN3k configuration skills :) Everything else either remains the same or receives an “incremental update”, like LAN-to-LAN VPNs with IPsec VTI interfaces. Let’s quickly review the changes made to the hardware and how they could potentially affect you.

  • Removal of the PIX and VPN3k devices, which is natural as both are EOL and EOS. Therefore, forget all about the VPN3k menu system and enjoy the simpler topology without the PIX ;) However, for some people, getting a PIX is more affordable than getting an ASA. In this case, remember that the latest software release supported by the PIX is 8.0(4) (not 8.1) and you cannot configure SSL VPN on the PIX. Still, you can practice almost 90% of all the firewall features using the PIX.
  • Change from the Catalyst 3550 to 3560 models. From the security features standpoint, nothing has seriously changed. You can even continue using the older 3550 model, as they are probably cheaper to get nowadays.
  • The much-awaited upgrade from IOS 12.2T to IOS 12.4T. First of all, this might require a change in the hardware platforms you are using. If you were using non-ISR or non-2600XM routers, you will need to change the hardware platform to at least a 2600XM with full flash/RAM memory (to run the Advanced Security feature set) or the 1841 ISRs. Note that using Dynamips you can play with all 12.4T features without getting your hands on any real gear. Secondly, 12.4T introduces a ton of new features compared to the dusty 12.2T. However, it is not as scary as it might look. Most of the new security features relate to IOS PKI, some AAA enhancements, a bunch of advanced VPN topics and infrastructure security. Probably the most notable features are VPN/Firewall related: IPsec VTI, WebVPN/SSL VPN support in IOS, DMVPN Phase 3, GET VPN; Zone-Based and Transparent firewall, CBAC enhancements. Later in this document we will see those features detailed in the upgrade list of the new SC VOL1 labs.
  • ASA software upgrade from 7.x to 8.x. While it is a major version jump, it does not imply as huge a change in the CLI as the upgrade from 6.x to 7.x did. There is quite a bunch of new features in the 8.x code (you will see the list later) but most of them are minor ones. Most likely you will enjoy things like Dynamic Access Policies, LDAP Authentication and Authorization, Secure Desktop Enhancements, EIGRP Support (who needs that? :), Transparent Firewall NAT and Traffic Shaping. However, if you are solid with the 7.x code version you won’t face big problems mastering the new topics.
  • IPS software upgrade from 5.1 to 6.1 and the platform change to the 4240. The catch here is that IPS v6.1 does not support many older IDS/IPS appliances, such as the 4215 or 4235, and getting a 4240 might be expensive. However, there is still some good news. The CLI has not changed as much as it did with the 4.x to 5.1 upgrade, and all your 5.1 knowledge remains valid and up to date. The most notable new features are Virtual Sensors, Anomaly Detection, Threat Rating and the new IPS Manager Express. If you are OK with doing all your configurations via the CLI, you can stick with IPS v6.0, which you can run on the older platforms (4215, 4235), as there are just minor differences between 6.0 and 6.1 (mostly related to IPS Manager Express). Probably the best news is that the old 4215 platform can be successfully emulated in VMware.

Now, let’s look at the v2.0 to v3.0 upgrade path that you can take with our products. Below is the list of the VOL1 technology labs. The outdated topics are marked as deleted and the new topics (which are being developed) are highlighted. Naturally, many older labs remain perfectly valid for the new track, and you can continue practicing them while waiting for the upgrade to be released. We also decided to keep the NAC labs, even though NAC is not on the current blueprint, mostly because it gives you a perfect scenario for advanced ACS configuration. Of course, if you own our current v2.0 products, you will receive the v3.0 updates free of charge.

PIX/ASA FIREWALL

BASIC CONFIGURATION

VLANs and IP Addressing
Configuring and Authenticating RIP
Configuring and Authenticating OSPF
Configuring EIGRP Support
Redistribution, Summarization and Route Filtering

ACCESS CONTROL

Common Configuration
Filtering with IP Access Lists
Using Object Groups
Administrative Access Management
ICMP Traffic Management
Configuring Filtering Services

NAT

Dynamic NAT and PAT
Static NAT and PAT
Dynamic Policy NAT
Static Policy NAT and PAT
Identity NAT and NAT Exemption
Outside Dynamic NAT
DNS Doctoring with Alias
DNS Doctoring with Static
Same Security Traffic and NAT
Transparent Firewall NAT

ADVANCED FIREWALL

Firewall Contexts Configuration
Administrative Context and Resource Management
Active/Standby Stateful Failover with Failover Interface
Active Stateful Failover with Failover Interface
Monitoring Interfaces with Active/Active Failover
Filtering with L2 Transparent Firewall
ARP Inspection with Transparent Firewall
Filtering Non-IP Traffic with L2 Transparent FW
Handling Fragmented Traffic
Handling Some Application Issues
BGP Through the PIX/ASA Firewall
Multicast Routing across the PIX/ASA
System Monitoring
DHCP Server
Standby Interfaces
ASA Local CA
Cisco Secure Desktop
VLAN Support for RA VPN
Inspection for Web/SSL VPN Traffic
Enhanced Service Object Groups
Enhanced ASA protection (Threat Detection)
Persistent IPsec Tunneled Flows

MODULAR POLICY FRAMEWORK

HTTP Inspection with MPF
Advanced FTP Inspection
Advanced ESMTP Inspection
Authenticating BGP Session Through the Firewall
Implementing Traffic Policing
Implementing Traffic Shaping
Implementing Low Latency Queueing
TCP Normalization
Enhanced TCP Normalization
Management Traffic and MPF
ICMP Inspection Engine

VPN

COMMON CONFIGURATIONS

IOS Router and the PIX/ASA
IOS Router and VPN3k
GRE and DMVPN
VPN3k Easy VPN/WebVPN
IOS Easy VPN
ASA Easy VPN/WebVPN

IPSEC LAN-TO-LAN

IOS and the PIX/ASA with PSK
IOS and the PIX/ASA with PSK and NAT on the Firewall
IOS and the PIX/ASA with Digital Certificates
IOS and the PIX/ASA: Matching Name in Certificate
IOS and IOS with PSK Across the PIX/ASA
IOS and IOS with PSK Across the PIX/ASA and NAT
IOS and IOS with PSK Across the PIX/ASA with Overlapping Subnets
IOS and IOS with PSK Across the PIX/ASA and NAT with IKE AM
IOS and IOS with Digital Certificates Across the PIX/ASA
IOS and VPN3k with PSK
IOS and VPN3k with PSK using CLI only
IOS and VPN3k with Digital Certificates
IOS and VPN3k with PSK: Tuning IPsec Parameters
IOS and VPN3k: Filtering Tunneled Traffic

GRE AND DMVPN

GRE Tunnels over IPsec with Static Crypto Maps
GRE Tunnels over IPsec with Crypto Profiles
DMVPN with PSK
IPsec VPN Enhancements: VTI Support
IPsec VPN Enhancements: Encrypted PSK
IOS CA: OCSP
IOS CA: Subordinate/RA Mode IOS Certificate Server (CS) Rollover
IOS CA: Key Rollover for Certificate Renewal
Certificate ACLs
Dynamic Access Policies

EASY VPN

VPN3k and Cisco VPN Client
VPN3k and Cisco VPN Client with Split-Tunneling
VPN3k and Cisco VPN Client with Hold-Down Route
VPN3k and Cisco VPN Client with RRI
VPN3k and Cisco VPN Client with DHCP Server
VPN3k and Cisco VPN Client with RADIUS Authentication
VPN3k and Cisco VPN Client with External Group
VPN3k and Cisco VPN Client with Digital Certificates
VPN3k and IOS ezVPN Remote Client Mode with Split-Tunneling
VPN3k and IOS ezVPN Remote NW Extension Mode with RRI
IOS and IOS ezVPN Remote Client Mode with Xauth/RRI
IOS and IOS ezVPN Remote NW Extension Mode with Xauth/RRI
PIX/ASA and Cisco VPN Client with Split-Tunneling/Xauth/RRI
PIX/ASA and Cisco VPN Client with External Policy
PIX/ASA and Cisco VPN Client with RADIUS
PIX/ASA and Cisco VPN Client with Digital Certificates
The PIX/ASA and IOS ezVPN Remote NW Extension Mode
ezVPN Enhancements: Multiple Inside/Outside Interfaces
ezVPN Enhancements: Proxy DNS
ezVPN Enhancements: Peer Hostname
ezVPN Enhancements: VTI Support
ezVPN Enhancements: DPD Enhancements

WEBVPN AND SSL VPN

ASA and WebVPN Client
ASA and WebVPN Port Forwarding
ASA and SSL VPN Client
AnyConnect VPN in IOS
AnyConnect VPN in ASA
WebVPN Configuration in IOS
VPN3k and WebVPN Client
VPN3k and WebVPN Port Forwarding

VPN QOS

IOS and the PIX/ASA: Policing the L2L IPsec tunnel
IOS and VPN3k: QoS for L2L Tunnel
PIX/ASA and Cisco VPN Client: Per-Flow Policing
QoS Pre-Classify for IPsec Tunnel

ADVANCED VPN TOPICS

Decoding IPsec Debugging Output on VPN3k
IPsec and Fragmentation Issues
ISAKMP Pre-Shared Keys via AAA
IPsec NAT-T: L2L Tunnel with VPN3k and IOS Box
IKE Tunnel Endpoint Discovery (TED)
IPsec VPN High-Availability with HSRP
IPsec High Availability with NAT and HSRP
IPsec Pass-Through Inspection on the PIX/ASA
L2TP over IPsec between the ASA and Windows 2000 PC
VPN3k and PPTP Client
Using ISAKMP Profiles
Group Encrypted Transport (GET) VPN
Advanced DMVPN
IOS PPTP Server
IOS PPTP Client
DMVPN Phase 3
ASA Persistent IPsec Tunneled Flows

IOS FIREWALL

Common Configuration
Basic Access-Lists
Reflexive Access-Lists
Dynamic Access-Lists
Stateful Inspection with CBAC
CBAC Port-to-Application Mapping
Preventing DoS Attacks with CBAC
CBAC Performance Tuning
Authentication Proxy with RADIUS
Content Filtering with IOS Firewall
IOS Zone-Based Firewalls
ACL IP Option Selective Drop
IOS L2 Transparent Firewall
CBAC Enhancements (e.g. Self-traffic inspection)
IOS IPS
Application Firewall (HTTP Inspection, HTTP Applications, Instant Messaging)
Flexible Packet Matching

IDENTITY MANAGEMENT

Using RADIUS/TACACS+ for telnet Authentication
Using RADIUS/TACACS+ for Exec Authorization
TACACS+ for Command Authorization
TACACS+ Command Accounting
Service Authorization with TACACS+
Using LDAP for Authentication and Authorization
VPN AAA Authentication and Authorization
Using IOS Local AAA
Switchport Authorization with 802.1x
Using ACS RADIUS Profiles
Certificate-Based Authentication

NETWORK ADMISSION CONTROL

ACS Setup for NAC
NAC L3 IP With the ASA and Cisco VPN Client
NAC L3 IP with VPN3k and Cisco VPN Client

INTRUSION PREVENTION

BASIC CONFIGURATION

IPS Initial Setup
Configuring Inline VLAN Pair
Promiscuous Mode Monitoring with RSPAN
Monitoring IPS with IPS Event Viewer

EVENT PROCESSING

Configuring Event Summarization
Creating Custom Signature
Event Counting
Inline Blocking
Event Action Override
Event Action Filtering
IPS Network Access Control (Shunning)
Rate Limiting with IPS

ADVANCED TOPICS

Virtual Sensors
Sensor Password Recovery
Anomaly Detection
TCP Session Tracking Modes
Threat Rating
Sensor Configuration via IME

NETWORK ATTACKS

LAYER2/3 ATTACKS

Mitigating ARP Spoofing Attack with PIX/ASA
Mitigating DHCP Attacks with DHCP Snooping
Mitigating ARP Attacks in DHCP Environment
Mitigating MAC/IP Spoofing in DHCP Environment
Protecting Spanning-Tree Protocol
Protecting Against Broadcast Storms
Mitigating VLAN Hopping Attacks
Protecting Against Network Mapping
Blackhole Routing using PBR
Intrusion Prevention with PIX/ASA
Mitigating Malicious IP Options Attack
Protecting Against MitM attacks

The VOL2 upgrade will be taking place in parallel with the VOL1 updates. What you should expect is the removal of the VPN3k and (probably) the PIX, and changes to approximately 30% of the material. Many of the existing v2.0 tasks will remain the same, so you can practice the existing material, ignoring anything related to the VPN3k (but not the PIX, as many of the PIX features remain unmodified in the new blueprint).

Good luck with your studies!

Further Reading:
CCIE Security Lab Expanded Blueprint

Petr Lapukhov, 4xCCIE/CCDE