What Is Changing With The CCIE Security Lab Exam?
Scott Morris July 21, 2006
With over 18 years of technical training and consulting experience and
a wealth of technical certifications, Scott Morris has proven to be
among the elite in the technical training industry. Scott is one of the
few people in the world who currently hold 4 separate CCIE
certifications, and he's actively preparing for his 5th - the CCIE
Voice. Scott has years of experience both writing and teaching CCIE lab
preparation materials with an outstanding track record of success.
Scott has also participated in editing, writing and reviewing training
books for Cisco Press, Wylie, Sybex, Que Publishing and McGraw-Hill.
His contributing author work includes Cisco Press's Managing Cisco
Network Security book (ISBN: 1578701031) - Chapters on the PIX
Firewall; and Cisco Press's CCIE Practical Studies, Vol. 2 (ISBN:
1587050722) - Chapter on Multicast. Scott can be reached at
[email protected]
Beginning in January 2007, people will be feeling less secure about taking the
CCIE Security lab exam. Yes, the pun was intended! There are a number of things
that change.
What does it mean? Well, for starters, it means that I can guarantee there will
be a flood of people signing up for every available lab slot between now and the
end of December!
What are the changes?
1. Changing the software level in the PIX Firewall to 7.x
2. Adding two ASA-5510 appliances running 7.x software
3. Upgrading the IDS/IPS to the 5.x line
4. Upgrading the VPN3000 Concentrator software to 4.7x code
5. Upgrading the Catalyst 3550 software to 12.2SEE code
6. Changing the ACS software to 4.0
7. Eliminating the pre-configured ACS details
8. Adding a host PC in order to run VPN software, packet captures, admission
control and other things
What does it mean?
Lots will change. Or at least lots CAN change. But there are a few different
ways to look at this! (other than “like it” or “run like mad”) From a technology
standpoint, there are not many major things that will occur.
--PIX
Ok, so PIX/ASA 7.x code adds some interesting features. The use of “conduit” and
“outbound” are gone. Unless you are one of the older networking folks like I am,
chances are you don’t work with conduits anyway, so that should be a point on
the GOOD side! Access-lists and object-groups aren’t new, but they’re the only
way to go now.
Support for VPDN (L2TP, PPTP and PPPoE) has been removed. So it’s less stuff
than before!
Some new fixups have been added. Some support for MPF (Modular Policy Fixup,
which looks kinda like MQC) has been added. The programming structure for
interfaces has changed a little.
Support for tunnel-groups has been added and commands within the vpngroup
configuration have been updated. Some changes to RIP and OSPF have been made
with reference to the interface configuration now. Essentially those things are
more “router-like” than something really new. When broken down to the basics,
nothing is really that bad.
For new features that are really “new” instead of enhancements, look at the
multicast support on the PIX! Or more interesting, the idea of security contexts
(virtual firewalls) that can be configured.
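To make the 6.x-to-7.x syntax shift concrete (and the ASA runs the same 7.x code, so the second half applies there too), here is a constructed side-by-side that is not from the article: the old conduit form of an inbound web-server rule, then the 7.x interface block, object-group/access-list equivalent and a minimal MPF policy. Addresses and names are made up for illustration.

```cisco
! --- PIX 6.x style (gone in 7.x): flat interface commands + conduit ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! conduit names the global (translated) address first, then the outside source
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp host 203.0.113.10 eq https any

! --- PIX/ASA 7.x style: per-interface blocks, object-groups, extended ACL ---
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group network WEB_SERVERS
 network-object host 203.0.113.10
! in 7.x code the inbound ACL still matches the translated (global) address
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS object-group WEB_PORTS
access-group OUTSIDE_IN in interface outside

! --- MPF: MQC-like class-map / policy-map / service-policy replaces "fixup" ---
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect ftp
service-policy global_policy global
```

The explicit deny-by-default still applies: anything not permitted by OUTSIDE_IN is dropped on the outside interface, exactly as it was with conduits.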
--ASA
Well, these are new devices. They essentially run the same code level as the
PIX, but this means that you now have a total of not one, not two, but THREE
firewalling devices to be added into the security design of your network. Once
you have configured one firewall though, the thought process for more interfaces
or more firewalls really isn’t that much different. We just have to get over the
“Oh My” factor.
--IPS
Moving to 5.x code makes things a little different. Well, yes and no. Things
change in the administration (IDM is now Java instead of HTTP). But your
structures and thinking for configuration are very similar to what they were in 4.x
code. From an architecture standpoint, a big change is the ability to deploy the
IPS inline (active filtering) instead of on a spanning port with passive
reactions like shunning or ACL modifications. Oh yeah, there could be IPS
modules in the ASA. This isn’t REALLY announced, but it’s not really denied
either. Same stuff different platform though, no need to worry about it.
--VPN Concentrator
Other than a much more stable environment, one of the larger additions to the
code level is the changes to the WebVPN configuration (SSL-based VPN). There is
also more support for NAC (Network Admission Control) features. Being that this
is now listed on the BluePrint, that could become more interesting for the
Concentrator as well as PIX/ASA and Router-based configurations!
--3550 Catalyst
In all honesty, this is the easy part. Yes, there are some new features here,
but when you look at the blueprint and start to formulate ideas in your head,
there isn’t much that leaps out!
--ACS
The change here is that we now have to have an idea of how to actually configure
the ACS software. In the past, it was just this AAA server that we needed to
contact and grab information from. Perhaps it was complex in terms of
authorization levels, ACLs, etc. but now we actually have to add that
configuration part into the mix!
When it comes to implementing NAC in a network, the ACS server will play a large
role in the configuration side of things and what to measure and test for.
--Host PC
This part, in and of itself, is actually very interesting. Previously (and
currently!) there were many things that we configured and just “pretended” that
they worked or what we saw. Now, with the addition of a host PC, you can
actually test things out from a host someplace within the network infrastructure
to see what will or will not work.
Couple this with the list of new attacks that you need to be familiar with
mitigating and we start to see a whole new picture emerging.
What am I going to do???
That’s always a personal decision, but let’s paint this a different way. Yes,
there are many new things, and a slew of new “possible” scenarios that could be
worked up. The exam is still only eight hours long. So whatever sets of
technologies and designs they plan to dump on you, the timing will still be
there. By that, the depth may not be as bad as what you think!
At the same time, by making our ability to have some more robust security
designs mixed into the exams, the CCIE Security test becomes MUCH MORE
real-world in its orientation. That should be a benefit to many people who have
been working in the industry for a long time. Gone are the days of configuring
something that you would never, ever see in real life, and here are days of
realistic scenarios and configurations. So your test may be about things that
actually make sense and can be tested!
So where does the line get drawn? Well, that’s half the fun of the CCIE. You
never really know. And one person’s exam (even if we did violate NDA, which we
won’t) could be COMPLETELY different than another person’s exam. We may see
things like the launching of “live” attacks from the backbone into your Pod/HostPC.
You could then be responsible for capturing, identifying and mitigating the
attack in semi-real-time. You can’t get much more real-world than that!
In the new version of the blueprint, ALL router-based setups (other than IOS
Firewall/CBAC/VPN) are specifically not listed. This means the lab is not 6-8
router + 2 switches + PIX + 2 ASA + VPN + IDS + ACS + Host. The set of devices you
are responsible for is just the security-related ones.
Concentrate not on the quantity of things that are different. Concentrate
instead on how much more realistic the new version of the lab will be! Everyone
is in the same boat though, and unknown things tend to scare people.
If you are in the middle of preparation right now though, you have some serious
questions to ask yourself. If you are “close” to passing, stay on track as you
have five more months with the old blueprint. If you are relatively new to
preparation, or haven’t seriously started, or have a lot of real-world detailed
security deployment experience, then I would suggest that you wait until January
to take the lab.
No matter which path you take though, do not hold back in your preparation. Any
technology, no matter how complex it seems, can be broken down into simple
tasks. Start reviewing these technologies and the blueprint. Start looking at
what things you already know and you will find the list is much smaller for
“new” things than what it may look like!
Make your decisions on the lab soon though, as testing slots will fill up fast!
Always remember there is a 28-day cancellation window before payment is due. So
you may find dates randomly open up. You just need to pay constant attention to
the scheduling web site to see new openings!