- Course Summary
- Course Content
- Career Path ways
Security keeps on developing and effect integral parts in IT. On the off chance that security is your obsession; a CCIE Security is a definitive confirmation test to lead you to a vocation in overseeing and making end-to-end secure systems and/or networks.
The Cisco Certified Internetwork Expert Security (CCIE Security) program recognizes security experts who have the knowledge and skills to architect, engineer, implement, troubleshoot, and support the full suite of Cisco security technologies and solutions using the latest industry best practices to secure systems and environments against modern security risks, threats, vulnerabilities, and requirements.
There are no formal prerequisites for CCIE certification. Prior professional certifications or training courses are not required. As a CCIE Security candidate, you must first pass the written qualification exam and then the corresponding hands-on lab exam. You are expected to have an in-depth understanding of the exam topics and strongly encouraged to have three to five years of job experience before attempting certification.
Cisco’s CCIE Security certification is one of the most prestigious and respected certifications in IT Security. It is designed for senior network engineers, security solutions architects, network architects and other networking professionals who are involved in the implementation, operation and troubleshooting of Cisco network security products and technologies.
Achieving your CCIE Security certification demonstrates a mastery of network security skills and an expert-level knowledge of Cisco security products and solutions, and will put you among a group of the most sought-after and valued professionals in the industry.
The CCIE Security Version 5.0 Exam consists of Written followed by a Lab Exam. These exams are as follows:
- Cisco CCIE Security Written Exam (Exam Code: 400-251)
- Cisco CCIE Security Lab Exam
Students will learn to plan, design, implement, operate, and troubleshoot complex security scenarios.
- Perimeter Security and Intrusion Prevention: Deals with in-depth learning of ASA followed by various NGFW concepts like Firepower, FMC & FTD
- Advanced Threat Protection and Content Security: CWS, WSA, ESA, AMP & Interoperability
- Secure Connectivity and Segmentation: VPN Technology
- Identity Management, Information Exchange, and Access Control: AAA, ISE, ACS, AD, Splunk, LogRhythm
- Infrastructure Security, Virtualization, and Automation: SNRS, Wireless Security, APIC-EM, SAFE, DNA
- Evolving Technologies: Cloud Computing, SDN, IOT
Our CCNP Data Center Program aims at building strong theoretical knowledge along with Labs on Real Cisco Device for the following topics:
Perimeter Security and Intrusion Prevention
- 1) Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
- 2) Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD
- 3) Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD
- 4) Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD
- 5) Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing, traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD
- 6) Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and TCP intercept on Cisco IOS/IOS-XE
- 7) Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD
- 8) Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting
- 9) Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC
- 10) Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes
- 11) Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC (Firepower appliance)
- 12) Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet
Advanced Threat Protection and Content Security
- 1) Compare and contrast different AMP solutions including public and private cloud deployment models
- 2) Describe, implement, and troubleshoot AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA)
- 3) Detect, analyze, and mitigate malware incidents
- 4) Describe the benefit of threat intelligence provided by AMP Threat GRID
- 5) Perform packet capture and analysis using Wireshark, tcpdump, SPAN, and RSPAN
- 6) Describe, implement, and troubleshoot web filtering, user identification, and Application Visibility and Control (AVC)
- 7) Describe, implement, and troubleshoot mail policies, DLP, email quarantines, and SenderBase on ESA
- 8) Describe, implement, and troubleshoot SMTP authentication such as SPF and DKIM on ESA
- 9) Describe, implement, and troubleshoot SMTP encryption on ESA
- 10) Compare and contrast different LDAP query types on ESA
- 11) Describe, implement, and troubleshoot WCCP redirection
- 12) Compare and contrast different proxy methods such as SOCKS, Auto proxy/WPAD, and transparent
- 13) Describe, implement, and troubleshoot HTTPS decryption and DLP
- 14) Describe, implement, and troubleshoot CWS connectors on Cisco IOS routers, Cisco ASA, Cisco AnyConnect, and WSA
- 15) Describe the security benefits of leveraging the OpenDNS solution.
- 16) Describe, implement, and troubleshoot SMA for centralized content security management
- 17) Describe the security benefits of leveraging Lancope
Secure Connectivity and Segmentation
- 1) Compare and contrast cryptographic and hash algorithms such as AES, DES, 3DES, ECC, SHA, and MD5
- 2) Compare and contrast security protocols such as ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, and MKA
- 3) Describe, implementc and troubleshoot remote access VPN using technologies such as FLEXVPN, SSL-VPN between Cisco firewalls, routers, and end hosts
- 4) Describe, implement, and troubleshoot the Cisco IOS CA for VPN authentication
- 5) Describe, implement, and troubleshoot clientless SSL VPN technologies with DAP and smart tunnels on Cisco ASA and Cisco FTD
- 6) Describe, implement, and troubleshoot site-to-site VPNs such as GETVPN, DMVPN and IPsec
- 7) Describe, implement, and troubleshoot uplink and downlink MACsec (802.1AE)
- 8) Describe, implement, and troubleshoot VPN high availability using Cisco ASA VPN clustering and dual-hub DMVPN deployments
- 9) Describe the functions and security implications of cryptographic protocols such as AES, DES, 3DES, ECC, SHA, MD5, ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, MKA, RSA, SCEP/EST, GDOI, X.509, WPA, WPA2, WEP, and TKIP
- 10) Describe the security benefits of network segmentation and isolation
- 11) Describe, implement, and troubleshoot VRF-Lite and VRF-Aware VPN
- 12) Describe, implement, and troubleshoot microsegmentation with TrustSec using SGT and SXP
- 13) Describe, implement, and troubleshoot infrastructure segmentation methods such as VLAN, PVLAN, and GRE
- 14) Describe the functionality of Cisco VSG used to secure virtual environments
- 15) Describe the security benefits of data center segmentation using ACI, EVPN, VXLAN, and NVGRE
Identity Management, Information Exchange, and Access Control
- 1) Describe, implement, and troubleshoot various personas of ISE in a multinode deployment
- 2) Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS configuration for AAA
- 3) Describe, implement, and troubleshoot AAA for administrative access to Cisco network devices using ISE and ACS
- 4) Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE.
- 5) Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy using ISE as the AAA server
- 6) Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure
- 7) Describe, implement, verify, and troubleshoot BYOD on-boarding and network access flows with an internal or external CA
- 8) Describe, implement, verify, and troubleshoot ISE and ACS integration with external identity sources such as LDAP, AD, and external RADIUS
- 9) Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML
- 10) Describe, implement, verify, and troubleshoot provisioning of AnyConnect with ISE and ASA
- 11) Describe, implement, verify, and troubleshoot posture assessment with ISE
- 12) Describe, implement, verify, and troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor
- 13) Describe, implement, verify, and troubleshoot integration of MDM with ISE
- 14) Describe, implement, verify, and troubleshoot certificate based authentication using ISE
- 15) Describe, implement, verify, and troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)
- 16) Describe the functions and security implications of AAA protocols such as RADIUS, TACACS+, LDAP/LDAPS, EAP (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-TEAP, EAP- MD5, EAP-GTC), PAP, CHAP, and MS-CHAPv2
- 17) Describe, implement, and troubleshoot identity mapping on ASA, ISE, WSA and FirePOWER
- 18) Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC
Infrastructure Security, Virtualization, and Automation
- 1) Identify common attacks such as Smurf, VLAN hopping, and SYNful knock, and their mitigation techniques
- 2) Describe, implement, and troubleshoot device hardening techniques and control plane protection methods, such as CoPP and IP Source routing.
- 3) Describe, implement, and troubleshoot management plane protection techniques such as CPU and memory thresholding and securing device access
- 4) Describe, implement, and troubleshoot data plane protection techniques such as iACLs, uRPF, QoS, and RTBH
- 5) Describe, implement, and troubleshoot IPv4/v6 routing protocols security
- 6) Describe, implement, and troubleshoot Layer 2 security techniques such as DAI, IPDT, STP security, port security, DHCP snooping, and VACL
- 7) Describe, implement, and troubleshoot wireless security technologies such as WPA, WPA2, TKIP, and AES
- 8) Describe wireless security concepts such as FLEX Connect, wIPS, ANCHOR, Rogue AP, and Management Frame Protection (MFP)
- 9) Describe, implement, and troubleshoot monitoring protocols such as NETFLOW/IPFIX, SNMP, SYSLOG, RMON, NSEL, and eSTREAMER
- 10) Describe the functions and security implications of application protocols such as SSH, TELNET, TFTP, HTTP/HTTPS, SCP, SFTP/FTP, PGP, DNS/DNSSEC, NTP, and DHCP
- 11) Describe the functions and security implications of network protocols such as VTP, 802.1Q, TCP/UDP, CDP, LACP/PAgP, BGP, EIGRP, OSPF/OSPFv3, RIP/RIPng, IGMP/CGMP, PIM, IPv6, and WCCP
- 12) Describe the benefits of virtualizing security functions in the data center using ASAv, WSAv, ESAv, and NGIPSv
- 13) Describe the security principles of ACI such as object models, endpoint groups, policy enforcement, application network profiles, and contracts
- 14) Describe the northbound and southbound APIs of SDN controllers such as APIC-EM
- 15) Identify and implement security features to comply with organizational security policies, procedures, and standards such as BCP 38, ISO 27001, RFC 2827, and PCI-DSS
- 16) Describe and identify key threats to different places in the network (campus, data center, core, edge) as described in Cisco SAFE
- 17) Validate network security design for adherence to Cisco SAFE recommended practices
- 18) Interpret basic scripts that can retrieve and send data using RESTful API calls in scripting languages such as Python
- 19) Describe Cisco Digital Network Architecture (DNA) principles and components.
Given below is the Lab Format as prescribed by CISCO.
The eight-hour lab format consists of three modules and need to be taken in the following sequence during the day of the exam:
Module 1: Troubleshooting module (two hours)
The Troubleshooting module delivers incidents that are independent of each other, which means that the resolution of one incident does not depend on the resolution of another. The topology that is used in the Troubleshooting module is different than the topology used in the Configuration module.
The Troubleshooting module is two hours long; however, the candidate can borrow up to 30 minutes from the five hours allotted to the Configuration module. In other words, the candidate can choose to use an extra 30 minutes for either the Troubleshooting module or the Configuration module.
Module 2: Diagnostic module (one hour)
The new Diagnostic module focuses on the skills required to properly diagnose network issues, without having device access. Candidates will be provided with a set of documentation that represents a snapshot of a realistic situation: at a point in time in an investigation process that a network engineer might be facing. The main objective of the Diagnostic module is to assess the skills required to properly diagnose network issues. These skills include:
- Correlate: Discerning multiple sources of documentation (such as e-mail threads, network topology diagrams, console outputs, logs, and even traffic captures.)
These activities are naturally part of the overall troubleshooting skills. They are designed as a separated lab module because the format of the items is significantly different. In the Troubleshooting module, the candidate needs to be able to troubleshoot and resolve network security issues on actual devices.
In the Diagnostic module, the candidate needs to make choices between pre-defined options to either indicate:
- What the root cause of the issue is?
- Where is the issue located in the diagram?
- What critical piece of information allows you to identify the root cause?
- What missing piece of information allows you to identify the root cause?
Module 3: Configuration module (five hours)
The Configuration module provides a setup very close to an actual production network having various security components providing various layers of security at different points in the network. Though the major part of the module is based on virtual instances of the Cisco security appliances, the candidate may be asked to work with physical devices as well. At the beginning of the module, the candidate has full visibility of the entire module. A candidate can choose to work in the sequence in which the items are presented or can resolve items in whatever order seems preferable and logical.
NOTE: The candidate must complete the modules in sequence and is not allowed to go back and forth between modules.
Below are a few job roles for which CCIE Security certified candidates can apply and opt for:
- System Security Integrator
- Network Security Engineers
- Network Security Consultants
- System Security Engineer
To advance their career and continue with their learning candidates can go for the highest level of Cisco Certification that is CCAr. Thorough understanding of network infrastructures & principles and avalid Cisco CCDE certification can act as a prerequisite for appearing for CCAr. This exam should be attempted by candidates who already have years (minimum 10 years recommended) of industry (large production network) experience. For more details related to CCAr you can follow this link
The candidates interested in increasing their knowledge domain can also opt for any of the following certification programs in different tracks: