Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on CCIE Security with Cisco expert Yusuf Bhaiji. Yusuf, CCIE #9305 (R&S and Security), has been with Cisco Systems, Inc. for over five years and is currently the Program Manager for the Cisco CCIE Security certification and Proctor in Cisco's Dubai and Sydney Lab. Prior to this, he was Technical Lead for the Sydney TAC Security and VPN team. Yusuf's passion for Security and VPN-related technologies has played a dominant role in his 15 years of industry experience, from his initial master's degree in computer science, to his numerous certifications.
Remember to use the rating system to let Yusuf know if you have received an adequate response.
Yusuf might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 6, 2007. Visit this forum often to view responses to your questions and the questions of other community members.
What are the best books/study guides to buy for the CCIE Security Track? I see how a person could spend thousands on books with as many as are out there. Also, is there a virtual lab you prefer? I bought 23 hours of rack time on a security rack through cconlinelabs.com, is there one you would recommend besides that?
Hi Yusuf, glad to see you in the forum.
Yusuf, could you please tell us whether you are coming out with a book for CCIE Practical Studies just like the old one, I mean for the new syllabus?
One more query is about the IOS. Almost all the IOS versions have been upgraded for the new lab, but the IOS for the routers has remained the same.
Is there any possibility that Cisco is upgrading the IOS to 12.3T or so?
Very curious to know.
Waiting for your reply.
We continue to revamp the CCIE Security blueprints, add/remove/update technologies as appropriate.
NAC appliance and other new hardware are on the radar and considered as new additions. Our Content Advisory Group (CAG) is working on it, and once we finalize it, we will announce the changes. Please note that we will give at least a 6-month heads-up if we announce the addition of new hardware, so that candidates can absorb and prepare for the new changes.
I am currently working on my 2nd book for Cisco Press called "Network Security Technologies & Solutions"... an all-in-one reference guide, hopefully to be finished by summer this year.
Once I complete this title, I will definitely start working on the 2nd edition of CCIE Security Practice Labs.
With regards to IOS upgrade on routers, we are planning to change this along with hardware upgrades to ISRs (our phase 2 update). A public announcement will be made once we finalize it.
Hope that answers your query.
Hi Yusuf, thanks a lot for your detailed reply.
Can you give any rough idea of when we could expect ISR routers and the new IOS in the exam, including the NAC appliance, so we can start buying the equipment?
Because, as you know, the ISRs and especially the NAC appliance are very expensive.
At least a rough idea would be really helpful.
Yusuf, what do you suggest: taking the lab on the current blueprint, or should I wait for Cisco to announce the new changes and then go for it?
Because the new one will have exposure to more technologies, the latest IOS features and new appliances. Can you please advise?
Thanks a lot once again.
Waiting for your reply.
Sorry, I cannot provide you any further details regarding future upgrades before a public announcement is made. As I mentioned earlier, once we make an announcement, we will give you 6 months' notice/heads-up so that you get enough time to prepare.
I suggest you make an initial attempt with the current blueprint and work your way up.
Some of the books I recommend:
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance (Frahim, Santos, ISBN# 1587052091)
CCSP IPS Exam Certification Guide (Carter, ISBN# 1587201461)
Cisco Access Control Security: AAA Administration Services (Carroll, ISBN# 1587051249)
Comparing, Designing, and Deploying VPNs (Lewis, ISBN# 1587051796)
IPSec VPN Design (Bollapragada, Khalid, Wainner, ISBN# 1587051117)
The Complete Cisco VPN Configuration Guide (Deal, ISBN# 1587052040)
Troubleshooting Virtual Private Networks (VPN) (Lewis, ISBN# 1587051044)
I cannot comment as such on vendors and their services regarding rack rentals etc. I suggest you evaluate the following: content, equipment list, IOS versions, support structure, practice scenarios, and maybe some recommendations from someone who has already used their services.
My 2 cents,
I finished my CCSP in Summer 2006 and am thinking of heading for the CCIE Security this year. Is the CCIE Security exam/track in any way comparable to the CCSP training?
Can you advise some topics which will be weighted more heavily, or am I able to pass the written with CCSP knowledge plus some add-on topics?
Thanks for reading
Yes, CCSP knowledge is the foundational step moving towards the CCIE Security cert, and with some added topics (refer to blueprints), you are in good shape to approach the CCIE.
The main differentiator is the hands-on lab exam, which will test your knowledge and skills on all security appliances in a complex scenario. I strongly recommend you do lots of hands-on practice on all security appliances (PIX/ASA, IPS, VPN3k, etc).
Follow the blueprints closely to ensure you master each individual topic (one by one) and make sure you do some practice scenarios, which will help you gauge your readiness.
Check out the link below for:
- Lab Equipment and IOS list
- Online Resources
- Recommended Book list
- Recommended Trainings
All the best in the pursuit of excellence.
Hello Mr. Yusuf,
Thanks for taking time for the Q/A session. I am about to take my CCIE Security written after months of prep. I have a few things to ask you.
1) Regarding your book Practice Labs, you said above you will work on its second edition. Yes, that would be nice. I see there are hints for scenarios, but those hints are out of order, referring to other questions, etc. It would be nice if some solutions to the scenarios were provided, much like a workbook, so that the reader can check and feel confident.
2) The book listed in the booklist blueprint under other publications, "Firewall and Internet Security by Cheswick...", is more than 4 years old, plus its subject matter is just... you know. Penetration Testing... by Cisco has far superior, content-rich, up-to-date technologies. Are we working on revising the booklist? Do we have plans to include some stuff from ISACA, EC-Council...? Since we revise the topics list, I was just wondering why not a booklist blueprint v2?
3) Any plan to include MPLS VPN? Or is it kind of limited under the section "advanced VPN technologies" in the lab?
Many thanks for reading/replying.
Hi Yusuf, one more query about routing in the current lab.
In the lab blueprint, routing or advanced routing and route filtering are not mentioned. Does it mean we won't have it in the lab? If yes, then to what extent?
Can you please guide us on this?
As mentioned in the new blueprints, the new exam is heavily focused on Security technologies only, and routing functions are tested on Security appliances only.
Advanced routing features such as filtering, summarization etc. are no longer core objectives, and are tested mostly on the written exam.
Answers to your queries inline:
1) Thanks for the comment, point taken.
2) Yes, we will update the booklist, and I recommend Cisco Press books more than others.
3) MPLS VPN technology is currently tested in CCIE SP track, and currently there are no plans to add this into the CCIE Security track.
The VPN concentrator has EoS status, so there are rumors that the VPN concentrator is going to be removed from the lab... Could you confirm this info?
Yes, since the VPN3000 concentrator is announced EoS, it is very likely to be removed from the CCIE lab exam.
We are presently working on this and will make an announcement when a decision has been made. Meanwhile, it will continue to appear in the exam.
The new CCIE Security blueprint (Version 2) does not include any routing and switching.
Is all the routing and switching preconfigured?
Yes, all routing & switching is pre-configured on all devices except the security appliances (i.e. PIX/ASA, VPN3k, IDS). Candidates are required to configure everything on security appliances.
1) Which version of the VPN client will we be required to know for the written exam (blueprint ver1 and ver2)?
2) Which version of the IDS appliance will we be required to know?
Thanks in advance
Answers to your query inline:
1) Cisco VPN Client v4.x
2) Cisco Intrusion Detection System Release 5.x
Thanks for your fast response.
Do you offer the
as prep material for IDS/IPS
I didn't follow... are you saying use this for prep or use this in the lab exam?
If lab, yes, we use CLI and GUI (both) in the lab exam to configure IDS sensor.
I mean, is it a good document to use as prep material for the written exam (blueprint ver 1),
or do you offer a better one?
I understand VPN concentrator will be removed from the future labs. Would you be able to tell us how soon that may happen?
I passed the Security written last month and just started seriously preparing for the lab. I plan to take the lab towards the end of the year. I would just skip the VPN concentrator section if it's not part of the lab at that time.
Moreover, could you share with us what other equipment might be introduced in the near future?
I understand your concern, but unfortunately, I cannot disclose or share any timelines for the new changes until a formal decision is made, and a general public announcement will follow accordingly.
One thing I can assure you is that we will give enough time/heads-up to candidates whenever we make any change in the exam. Usually we give a 6-month heads-up notice to allow candidates to absorb the new change and prepare for it.
Hope that helps.
Welcome to this forum once again :)
Some questions please:
i) Can you tell us what exact release is currently running on the exam for ASA? Is it 7.2(1), or at least is it 7.2(X)? There are some major differences between 7.0(X) and 7.2(X), like routing and http-map configuration.
ii) For IPS, is the lab running 5.1?
iii) Regarding NAC, on IOS it is not supported on 12.2(T), the current IOS. How will the lab test NAC then (on routers)?
iv) Do we still have to prepare for promiscuous mode IPS (or IDS) deployment, or inline and inline-VLAN pair only?
Thanks in advance for your help
1) PIX/ASA will be running version 7.2.x
2) IPS version 5.1.x
3) NAC Framework can be tested on other devices such as the switch or VPN3k etc.
4) Both, promiscuous and inline.
Hope that helps.
Thank you very much for your answers, please I would also like to know:
1) Are we penalized for over-configuration on the CCIE Security lab? E.g., I was asked to configure some feature 'X' on a particular device; instead of enabling the feature for, say, two required subnets, I enable it on the whole network range and nothing in the lab breaks. Will that cause me to lose points?
2) Also, with respect to access-lists when configuring TCP maps for TCP option 19 for BGP through the ASA, or for defining crypto ACLs, etc., can we configure more 'generic' ACLs? I mean, in the Security lab are ACLs supposed to be as specific as possible (since it's a security exam) or not? I know in the R/S exam there is leeway in this regard.
Another example would be a question stating "permit OSPF traffic through Router9 or ASA/PIX", and we know OSPF is only running on Router X and Router Y. Could we just do "permit ospf any any", or allow specifically "permit ospf rtX rtY" etc.?
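As an added illustration of the generic-versus-specific ACL contrast the question raises (this is not part of the thread and not the expert's reply), the two styles are shown side by side as ASA 7.x configuration, together with the tcp-map needed to let TCP option 19 (BGP MD5) through the appliance. The addresses 10.0.12.1/10.0.12.2, the interface name and the ACL, class-map and tcp-map names are constructed for this example; the second form is the least-privilege one a security reviewer would expect.

```cisco
! Constructed example: the only OSPF/BGP peers on the outside segment are
! Router X (10.0.12.1) and Router Y (10.0.12.2).
!
! --- Generic form: admits OSPF between any two hosts through the ASA ---
access-list OUTSIDE_IN_GENERIC extended permit ospf any any
!
! --- Specific form: only the two known neighbours. The multicast entries are
!     needed when hellos are multicast (e.g. a transparent-mode firewall on a
!     broadcast segment); drop them for a unicast point-to-point adjacency.
access-list OUTSIDE_IN_SPECIFIC extended permit ospf host 10.0.12.1 host 10.0.12.2
access-list OUTSIDE_IN_SPECIFIC extended permit ospf host 10.0.12.1 host 224.0.0.5
access-list OUTSIDE_IN_SPECIFIC extended permit ospf host 10.0.12.1 host 224.0.0.6
access-group OUTSIDE_IN_SPECIFIC in interface outside
!
! --- TCP option 19 (BGP MD5) through the ASA, via the Modular Policy Framework ---
! Generic class: any BGP session anywhere gets option 19 allowed
access-list BGP_ANY extended permit tcp any any eq bgp
! Specific class: only the two known peers, in both directions
access-list BGP_PEERS extended permit tcp host 10.0.12.1 host 10.0.12.2 eq bgp
access-list BGP_PEERS extended permit tcp host 10.0.12.2 host 10.0.12.1 eq bgp
!
tcp-map BGP_MD5
 tcp-options range 19 19 allow
!
class-map BGP_CLASS
 match access-list BGP_PEERS
!
policy-map global_policy
 class BGP_CLASS
  set connection advanced-options BGP_MD5
!
service-policy global_policy global
```

The generic lines are kept in the snippet only so the contrast is visible; in a deployment only one of each pair would be configured. Scoping the class-map to BGP_PEERS means option 19 is cleared (the ASA default) on every TCP session except the BGP sessions between the two named routers, which is the same least-privilege principle the question applies to the OSPF entry.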