What Is Changing With The CCIE Security Lab Exam?	5.0/5.0 (2 votes total) Rate: Select 1 - Terrible 2 - Poor 3 - Average 4 - Good 5 - Outstanding
Scott Morris July 21, 2006

What Is Changing With The CCIE Security Lab Exam?

by: Scott Morris

Beginning in January 2007, people will be feeling less secure about taking the CCIE Security lab exam. Yes, the pun was intended! There are a number of things that change. What does it mean? Well, for starters, it means that I can guarantee there will be a flood of people signing up for every available lab slot between now and the end of December!

What are the changes? 1. Changing the software level in the PIX Firewall to 7.x 2. Adding two ASA-5510 appliances running 7.x software 3. Upgrading the IDS/IPS to the 5.x line 4. Upgrading the VPN3000 Concentrator software to 4.7x code 5. Upgrading the Catalyst 3550 software to 12.2SEE code 6. Changing the ACS software to 4.0 7. Eliminating the pre-configured ACS details 8. Adding a host PC in order to run VPN software, packet captures, admission control and other things

What does it mean?

Lots will change. Or at least lots CAN change. But there are a few different ways to look at this! (other than “like it” or “run like mad”) From a technology standpoint, there are not many major things that will occur.

--PIX

Ok, so PIX/ASA 7.x code adds some interesting features. The use of “conduit” and “outbound” are gone. Unless you are one of the older networking folks like I am, chances are you don’t work with conduits anyway, so that should be a point on the GOOD side! Access-lists and object-groups aren’t new, but they’re the only way to go now.

Support for VPDN (L2TP, PPTP and PPPoE) has been removed. So it’s less stuff than before!

Some new fixups have been added. Some support for MPF (Modular Policy Fixup, which looks kinda like MQC) has been added. The programming structure for interfaces has changed a little.

Support for tunnel-groups has been added and commands within the vpngroup configuration have been updated. Some changes to RIP and OSPF have been made with reference to the interface configuration now. Essentially those things are more “router-like” than something really new. When broken down to the basics, nothing is really that bad.

For new features that are really “new” instead of enhancements, look at the multicast support on the PIX! Or more interesting, the idea of security contexts (virtual firewalls) that can be configured.

--ASA

Well, these are new devices. They’re essentially add the same code level as the PIX, but this means that you now have a total of not one, not two, but THREE firewalling devices to be added into the security design of your network. Once you have configured one firewall though, the thought process for more interfaces or more firewalls really isn’t that much different. We just have to get over the “Oh My” factor.

--IPS

Moving to 5.x code makes things a little different. Well, yes and no. Things change in the administration (IDM is now Java instead of HTTP). But your structures and thinking for configuration is very similar to what it was in 4.x code. From an architecture standpoint, a big change is the ability to deploy the IPS inline (active filtering) instead of on a spanning port with passive reactions like shunning or ACL modifications. Oh yeah, there could be IPS modules in the ASA. This isn’t REALLY announced, but it’s not really denied either. Same stuff different platform though, no need to worry about it.

--VPN Concentrator

Other than a much more stable environment, one of the larger additions to the code level is the changes to the WebVPN configuration (SSL-based VPN). There is also more support for NAC (Network Admission Control) features. Being that this is now listed on the BluePrint, that could become more interesting for the Concentrator as well as PIX/ASA and Router-based configurations!

--3550 Catalyst

In all honesty, this is the easy part. Yes, there are some new features here, but when you look at the blueprint and start to formulate ideas in your head, there isn’t much that leaps out!

--ACS

The change here is that we now have to have an idea of how to actually configure the ACS software. In the past, it was just this AAA server that we needed to contact and grab information from. Perhaps it was complex in terms of authorization levels, ACLs, etc. but now we actually have to add that configuration part into the mix!

When it comes to implementing NAC in a network, the ACS server will play a large role in the configuration side of things and what to measure and test for.

--Host PC

This part, in and of itself, is actually very interesting. Previously (and currently!) there were many things that we configured and just “pretended” that they worked or what we saw. Now, with the addition of a host PC, you can actually test things out from a host someplace within the network infrastructure to see what will or will not work.

Couple this with the list of new attacks that you need to be familiar with mitigating and we start to see a whole new picture emerging.

What am I going to do???

That’s always a personal decision, but let’s paint this a different way. Yes, there are many new things, and a slew of new “possible” scenarios that could be worked up. The exam is still only eight hours long. So whatever sets of technologies and designs they plan to dump on you, the timing will still be there. By that, the depth may not be as bad as what you think!

At the same time, by making our ability to have some more robust security designs mixed into the exams, the CCIE Security test becomes MUCH MORE real-world in its orientation. That should be a benefit to many people who have been working in the industry for a long time. Gone are the days of configuring something that you would never, ever see in real life, and here are days of realistic scenarios and configurations. So your test may be about things that actually make sense and can be tested!

So where does the line get drawn? Well, that’s half the fun of the CCIE. You never really know. And one person’s exam (even if we did violate NDA, which we won’t) could be COMPLETELY different that another person’s exam. We may see things like the launching of “live” attacks from the backbone into your Pod/HostPC. You could then be responsible for capturing, identifying and mitigating the attack in semi-real-time. You can’t get much more real-world than that!

In the new version of the blueprint, ALL router-based setups (other than IOS Firewall/CBAC/VPN) are specifically not listed. This means the lab is not 6-8 router + 2 switches + PIX + 2 ASA + VPN + IDS + ACS + Host. Your lab of items to be responsible for are just the security-related devices.

Concentrate not on the quantity of things that are different. Concentrate instead on how much more realistic the new version of the lab will be! Everyone is in the same boat though, and unknown things tend to scare people.

If you are in the middle of preparation right now though, you have some serious questions to ask yourself. If you are “close” to passing, stay on track as you have five more months with the old blueprint. If you are relatively new to preparation, or haven’t seriously started, or have a lot of real-world detailed security deployment experience; then I would suggest that you wait until January to take the lab. No matter which path you take though, do not hold back in your preparation. Any technology, no matter how complex it seems, can be broken down into simple tasks. Start reviewing these technologies and the blueprint. Start looking at what things you already know and you will find the list is much smaller for “new” things than what it may look like!

Make your decisions on the lab soon though, as testing slots will fill up fast! Always remember there is a 28-day cancellation window before payment is due. So you may find dates randomly open up. You just need to pay constant attention to the scheduling web site to see new openings!

IPexpert's CCIE Security Lab Exam