CCIE Security Updated Just Ahead of Cisco Live
Well, we had all heard the rumors that it was coming down the line, and today Cisco decided to make it official just ahead of Cisco Live. Something very interesting about this update (no doubt a result of really listening to the community's voice about the things that threaten the enterprise most these days) is that they've added a heavy emphasis on threats from Bring Your Own Device (BYOD) over wireless, with the addition of a Wireless LAN Controller (WLC) and at least a single AP, along with the Identity Services Engine (ISE). For those of you who may not be familiar with the ISE, it is basically an evolution of a few devices combined into one: sort of a mix of the ACS, NAC Appliance and NAC Profiler. However, it is NOT a replacement for the ACS, mainly because it does not do TACACS+, instead only supporting RADIUS for 802.1X and NAC. This is the reason Cisco decided to leave the ACS server in there, while upgrading it to v5.x (most likely 5.3). Also, if you happen not to have any experience with wireless technologies in general, you're in luck! INE is releasing our 20-hour CCNA Wireless class later today, which covers Lightweight Access Points (LWAP) being controlled by WLCs, and those WLCs being managed by the higher-up Wireless Control System (WCS). In fact, since I've mentioned the WCS, it's quite interesting that Cisco (in sort of a nonchalant way) mentions that the ASA firewalls may be configured by "Cisco Prime Tools". If you aren't familiar with Cisco Prime, it is basically the new branding of Cisco's network management as a whole: LMS now falls under Prime, as does something called Prime NCS (the evolution of Cisco's WCS), and Prime Tools falls under the new Prime branding as well.
There's also a smidge of Voice device authentication as well, though it doesn't even begin to really touch on Unified Communications security, something I still think will largely be addressed in the next CCIE Voice update. Basically they have a 7900 phone (probably a 7965) and you do NOT have to configure the Unified Communications Manager (UCM) server to get it to work; you only have to dot1x authenticate it onto the wired network. Basically, set up the ISE or ACS to authenticate it and interact with the actual phone display to input your credentials. Don't be concerned; it's nothing difficult at all.
Cisco also (finally) introduces their IronPort acquisition to the exam, by way of the S-series Web Security Appliance (WSA). This device goes way beyond the days of old when you simply blocked or allowed certain websites; instead it digs deep into the functionality of websites and web-based applications and provides 'acceptable use enforcement' for those sites or web apps. Take for example Facebook. Many (if not most) companies these days have a social presence and use Facebook as a tool to conduct business, but that doesn't mean they want their users surfing FB all day. The WSA allows strategic enforcement of what is and is not allowed to occur via these types of web sites. It also blocks threats such as malware.
They mention simply including "VPN Client Software", which will no doubt be the Cisco Secure Services Client v5 installed on one or possibly more Windows 7 virtual desktops placed around the topology. This would make sense for both wired and wireless 802.1X authentication with the ACS/ISE, something we also go into in the new 20-hour CCNA Wireless class I recorded a few weeks back. The question is whether the AnyConnect Secure Mobility Client will also be tested. It's not in there per se, but that doesn't mean it isn't possible.
The addition of at least one 2911 ISR-G2 only makes sense, as IOS version 15.2 can't be run on the older ISRs (making me wonder why the older ISR is included at all, save maybe that there are far more of them currently deployed).
Links to both the new v4 blueprint and v4 hardware/software equipment list, as well as a more detailed checklist for studying:
There are obviously still a lot of questions that need to be answered by Cisco to have a complete picture of this new version of the prestigious CCIE Security exam, and those will no doubt be addressed during the 8-hour seminar this Sunday at Cisco Live in San Diego. I should note that this 8-hour session is an additional charge ($799) on top of your normal admittance to the convention; it is not considered a "breakout session", all of which come included with your convention pass. Some obvious questions might be:
- Will we need to know how to configure ASA via Prime Tools, or is that simply another option?
- How many Windows 7 desktops will there be, and will we be using AnyConnect NAM on them or something like CSSC?
- Will there be both ASA and ASA-X versions? And if so, what would be the reason? (The ASA-X series runs 8.6, whereas the ASA only goes up to 8.4, amongst other things.)
- And many others we'll come up with and have asked and answered.
You can be sure that INE will be there, tweeting and live-blogging from the event.
Follow me and stay updated throughout the conference!