Resources
    Migrating to CCIE Securit ...
    31 January 09

    Migrating to CCIE Security Lab Blueprint v3.0

    Posted byPetr Lapukhov
    facebooktwitterlinkedin
    news-featured

    In this post we will give a brief overview of the upgrade path from CCIE Security v2.0 blueprint to v3.0. First off all, let’s start with the good news to everyone who was preparing using the old blueprint: most of things you have learned are incorporated smoothly in the new blueprint. Basically, the only thing to forget is your VPN3k configuration skills :) Everything else either remains the same or experiences an “incremental update”, like LAN-to-LAN VPNs with IPsec VTI interfaces. Let’s quickly review the changes made to the hardware and how they could potentially affect you.

    • Removal of the PIX and VPN3k devices, which is natural as both are EOL and EOS. Therefore, forget all about VPN3k menu system and enjoy the simpler topology without the PIX ;) However, to some people, getting a PIX is more affordable than getting an ASA. In this case, remember that the latest software release supported by the PIX is 8.0(4) (not the 8.1) and you cannot configure SSL VPN on PIX. Still, you can practice almost 90% of all the firewall features using the PIX.
    • Change from the Catalyst 3550 to 3560 models. From the security features standpoint, nothing has seriously changed. You can even continue using the older 3550 model, as they are probably cheaper to get nowadays.
    • The so much awaited upgrade from IOS 12.2T to IOS 12.4T. First of all, this might require a change in the hardware platforms you are using. If you were using non-ISR or non-2600XM routers, you will need to change the hardware platform to at least 2600XM with full flash/RAM memory (to run the Advanced Security feat. set) or the 1841 ISRs. Note that using Dynamips you can play with all 12.4T features without getting your hands around any real gear. Secondly, 12.4T introduces a ton of new features, as compared to the dusty 12.2T. However, it’s not that scary as it might look like. Most of the new security features relate to IOS PKI, some AAA enhancements, bunch of advanced VPN topics and infrastructure security. Probably, all the most notable features are VPN/Firewall related: IPsec VTI, WebVPN/SSL VPN support in IOS, DMVPN Phase3, GET VPN; Zone-Based and Transparent firewall, CBAC enhancements. Later in this document we will see those features detailed as the upgrade list of the new SC VOL1 labs.
    • ASA software upgrade from 7.x to 8.x. While is a major version jump, it does not imply the huger change in the CLI as it was with the upgrade from 6.x to 7.x. There is quite a bunch of new features in 8.x code (you will see the list later) but most of them are minor ones. Most likely you will enjoy things like Dynamic Access Policies, LDAP Authentication and Authorization, Secure Desktop Enhancements, EIGRP Support (who needs that?:), Transparent Firewall NAT and Traffic Shaping. However, if you are solid with the code version 7.x you wont face big problems mastering the new topics.
    • IPS software upgrade from 5.1 to 6.1 and the platform change to 4240. The catch here is that IPS v6.1 does not support many older IDS/IPS appliances, such as 4215 or 4235 and getting a 4240 might be expensive. However, there is some good news still. The CLI has not changed as much as it did with the 4.x to 5.1 upgrade, and all your 5.1 knowledge remains valid and up to date. The most notable new features are Virtual Sensors, Anomaly Detection, Threat Rating and the new IPS Manager Express. If you are OK with doing all your configurations via CLI, you can stick with IPS v6.0 which you could run on the older platforms (4215, 4235) as there are just minor differences between 6.0 and 6.1 (mostly related to IPS Manager Express). Probably the best news is that the old 4215 platform could be successfully emulated in VMware.

    Now, let’s look at the v2.0 to v3.0 upgrade path that you can take with out products. Below is the list of the VOL1 technology labs. You can see the outdated topics being deleted and the new topics (which are being developed) highlighted. Naturally, many older labs remain perfectly valid for the new track, and you can continue practicing them while waiting for the upgrade being released. We also decided to keep the NAC labs, even though NAC is not on the current blueprint, mostly because it gives you a perfect scenario for advanced ACS configuration. Of course, if you own our current v2.0 products, you will receive the v3.0 updates free of charge.

    PIX/ASA FIREWALL

    BASIC CONFIGURATION

    VLANs and IP Addressing
    Configuring and Authenticating RIP
    Configuring and Authenticating OSPF
    Configuring EIGRP Support
    Redistribution, Summarization and Route Filtering

    ACCESS CONTROL

    Common Configuration
    Filtering with IP Access Lists
    Using Object Groups
    Administrative Access Management
    ICMP Traffic Management
    Configuring Filtering Services

    NAT

    Dynamic NAT and PAT
    Static NAT and PAT
    Dynamic Policy NAT
    Static Policy NAT and PAT
    Identity NAT and NAT Exemption
    Outside Dynamic NAT
    DNS Doctoring with Alias
    DNS Doctoring with Static
    Same Security Traffic and NAT
    Transparent Firewall NAT

    ADVANCED FIREWALL

    Firewall Contexts Configuration
    Administrative Context and Resource Management
    Active/Standby Stateful Failover with Failover Interface
    Active Stateful Failover with Failover Interface
    Monitoring Interfaces with Active/Active Failover
    Filtering with L2 Transparent Firewall
    ARP Inspection with Transparent Firewall
    Filtering Non-IP Traffic with L2 Transparent FW
    Handling Fragmented Traffic
    Handling Some Application Issues
    BGP Through the PIX/ASA Firewall
    Multicast Routing across the PIX/ASA
    System Monitoring
    DHCP Server
    Standby Interfaces
    ASA Local CA
    Cisco Secure Desktop
    VLAN Support for RA VPN
    Inspection for Web/SSL VPN Traffic
    Enhanced Service Object Groups
    Enhanced ASA protection (Threat Detection)
    Persistent IPsec Tunneled Flows

    MODULAR POLICY FRAMEWORK

    HTTP Inspection with MPF
    Advanced FTP Inspection
    Advanced ESMTP Inspection
    Authenticating BGP Session Through the Firewall
    Implementing Traffic Policing
    Implementing Traffic Shaping
    Implementing Low Latency Queueing
    TCP Normalization
    Enhanced TCP Normalization
    Management Traffic and MPF
    ICMP Inspection Engine

    VPN

    COMMON CONFIGURATIONS

    IOS Router and the PIX/ASA
    IOS Router and VPN3k
    GRE and DMVPN
    VPN3k Easy VPN/WebVPN
    IOS Easy VPN
    ASA Easy VPN/WebVPN

    IPSEC LAN-TO-LAN

    IOS and the PIX/ASA with PSK
    IOS and the PIX/ASA with PSK and NAT on the Firewall
    IOS and the PIX/ASA with Digital Certificates
    IOS and the PIX/ASA: Matching Name in Certificate
    IOS and IOS with PSK Across the PIX/ASA
    IOS and IOS with PSK Across the PIX/ASA and NAT
    IOS and IOS with PSK Across the PIX/ASA with Overlapping Subnets
    IOS and IOS with PSK Across the PIX/ASA and NAT with IKE AM
    IOS and IOS with Digital Certificates Across the PIX/ASA
    IOS and VPN3k with PSK
    IOS and VPN3k with PSK using CLI only
    IOS and VPN3k with Digital Certificates
    IOS and VPN3k with PSK: Tuning IPsec Parameters
    IOS and VPN3k: Filtering Tunneled Traffic

    GRE AND DMVPN

    GRE Tunnels over IPsec with Static Crypto Maps
    GRE Tunnels over IPsec with Crypto Profiles
    DMVPN with PSK
    IPsec VPN Enhancements: VTI Support
    IPsec VPN Enhancements: Encrypted PSK
    IOS CA: OCSP
    IOS CA: Subordinate/RA Mode IOS Certificate Server (CS) Rollover
    IOS CA: Key Rollover for Cerificate Renewal
    Certificate ACLs
    Dynamic Access Policies

    EASY VPN

    VPN3k and Cisco VPN Client
    VPN3k and Cisco VPN Client with Split-Tunneling
    VPN3k and Cisco VPN Client with HoId-Down Route
    VPN3k and Cisco VPN Client with RRI
    VPN3k and Cisco VPN Client with DHCP Server
    VPN3k and Cisco VPN Client with RADIUS Authentication
    VPN3k and Cisco VPN Client with External Group
    VPN3k and Cisco VPN Client with Digital Certificates
    VPN3k and IOS ezVPN Remote Client Mode with Split-Tunneling
    VPN3k and IOS ezVPN Remote NW Extension Mode with RRI
    IOS and IOS ezVPN Remote Client Mode with Xauth/RRI
    IOS and IOS ezVPN Remote NW Extension Mode with Xuath/RRI
    PIX/ASA and Cisco VPN Client with Split-Tunneling/Xauth/RRI
    PIX/ASA and Cisco VPN Client with External Policy
    PIX/ASA and Cisco VPN Client with RADIUS
    PIX/ASA and Cisco VPN Client with Digital Certificates
    The PIX/ASA and IOS ezVPN Remote NW Extension Mode
    ezVPN Ehancements: Multiple Inside/Outside Interfaces
    ezVPN Ehancements: Proxy DNS
    ezVPN Ehancements: Peer Hostname
    ezVPN Ehancements: VTI Support
    ezVPN Ehancements: DPD Enhancements

    WEBVPN AND SSL VPN

    ASA and WebVPN Client
    ASA and WebVPN Port Forwarding
    ASA and SSL VPN Client
    AnyConnect VPN in IOS
    AnyConnect VPN in ASA
    WebVPN Configuration in IOS
    VPN3k and WebVPN Client
    VPN3k and WebVPN Port Forwarding

    VPN QOS

    IOS and the PIX/ASA: Policing the L2L IPsec tunnel
    IOS and VPN3k: QoS for L2L Tunnel
    PIX/ASA and Cisco VPN Client: Per-Flow Policing
    QoS Pre-Classify for IPsec Tunnel

    ADVANCED VPN TOPICS

    Decoding IPsec Debugging Output on VPN3k
    IPsec and Fragmentation Issues
    ISAKMP Pre-Shared Keys via AAA
    IPsec NAT-T: L2L Tunnel with VPN3k and IOS Box
    IKE Tunnel Endpoint Discovery (TED)
    IPsec VPN High-Availability with HSRP
    IPsec High Availability with NAT and HSRP
    IPsec Pass-Through Inspection on the PIX/ASA
    L2TP over IPsec between the ASA and Windows 2000 PC
    VPN3k and PPTP Client
    Using ISAKMP Profiles
    Group Encrypted Transport (GET) VPN
    Advanced DMVPN
    IOS PPTP Server
    IOS PPTP Client
    DMVPN Phase 3
    ASA Persistent IPsec Tunneled Flows

    IOS FIREWALL

    Common Configuration
    Basic Access-Lists
    Reflexive Access-Lists
    Dynamic Access-Lists
    Stateful Inspection with CBAC
    CBAC Port-to-Application Mapping
    Preventing DoS Attacks with CBAC
    CBAC Performance Tuning
    Authentication Proxy with RADIUS
    Content Filtering with IOS Firewall
    IOS Zone-Based Firewalls
    ACL IP Option Selective Drop
    IOS L2 Transparent Firewall
    CBAC Enhancements (e.g. Self-traffic inspection)
    IOS IPS
    Application Firewall (HTTP Inspection, HTTP Applications, Instant Messaging)
    Flexible Packet Matching

    IDENTITY MANAGEMENT

    Using RADIUS/TACACS+ for telnet Authentication
    Using RADIUS/TACACS+ for Exec Authorization
    TACACS+ for Command Authorization
    TACACS+ Command Accounting
    Service Authorization with TACACS+
    Using LDAP for Authentication and Authorization
    VPN AAA Authentication and Authorization
    Using IOS Local AAA
    Switchport Authorization with 802.1x
    Using ACS RADIUS Profiles
    Certificate-Based Authentication

    NETWORK ADMISSION CONTROL

    ACS Setup for NAC
    NAC L3 IP With the ASA and Cisco VPN Client
    NAC L3 IP with VPN3k and Cisco VPN Client

    INTRUSION PREVENTION

    BASIC CONFIGURATION

    IPS Initial Setup
    Configuring Inline VLAN Pair
    Promiscuous Mode Monitoring with RSPAN
    Monitoring IPS with IPS Event Viewer

    EVENT PROCESSING

    Configuring Event Summarization
    Creating Custom Signature
    Event Counting
    Inline Blocking
    Event Action Override
    Event Action Filtering
    IPS Network Access Control (Shunning)
    Rate Limiting with IPS

    ADVANCED TOPICS

    Virtual Sensors
    Sensor Password Recovery
    Anomaly Detection
    TCP Session Tracking Modes
    Threat Rating
    Sensor Configuration via IME

    NETWORK ATTACKS

    LAYER2/3 ATTACKS

    Mitigating ARP Spoofing Attack with PIX/ASA
    Mitigating DHCP Attacks with DHCP Snooping
    Mitigating ARP Attacks in DHCP Environment
    Mitigating MAC/IP Spoofing in DHCP Environment
    Protecting Spanning-Tree Protocol
    Protecting Against Broadcast Storms
    Mitigating VLAN Hopping Attacks
    Protecting Against Network Mapping
    Blackhole Routing using PBR
    Intrusion Prevention with PIX/ASA
    Mitigating Malicious IP Options Attack
    Protecting Against MitM attacks

    The VOL2 upgrade will be taking place in parallel with VOL1 updates. What you should expect is removal of the VPN3k and (probably) PIX and the changes to the approximately 30% of the material. Many of the existing v2.0 tasks will remain the same, so you can practice the existing material, ignoring anything related to VPN3k (but not the PIX, as many of the PIX features remain unmodified in the new blueprint).

    Good luck with your studies!

    Further Reading:
    CCIE Security Lab Expanded Blueprint

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo