Going for the CCIE Security

Heh... I guess I'm going to say my R&S thread is dormant for now. I've been working on nothing but security stuff on the side and for POCs since last July and I took the 4 month long Micronic's security class as well so I was all ready without an exam to really take. I'm banking this on the hopes and dreams that the exam gets refreshed relatively soon and I'm pretty sure it will. The entire Cisco security landscape has changed and they can't afford to keep it this stale for longer so with Cisco Live approaching, I feel like I should strike while the iron is hot and just beastmode this thing.

I got back from the partner Security VT thing last week in San Jose and put out a blog post on what I'm going to study based on what theoretically would be on the next exam. Obviously, I work at Cisco but they don't tell us when an exam is coming and there's a huge separation between the team that pumps out exams and the rest of us. That being said, a lot of what's coming on exams or how exams are crafted are based on the Cisco messaging. i.e. Cisco R&S v5 ditched PFRv2 because PFRv3 was right around the corner and forcing people to learn PFRv2 would be a direct contradiction to their iWAN messaging. When there's eventually a v6 for R&S, I would expect PFRv3 to pop it's pretty head in there (if anyone wants to contest that it's pretty, go lookup v1/OER or v2. Nuff said). With CCIE VoIP, it changed to collaboration. With CCIE DC v2, ACI is there....

So with the lack of a valid blueprint, I'm going based on Cisco trends and marketing. That being said, this is based on my best guesses. Nothing else and I think even if I'm wrong on 20%, I'm probably right on a good chunk.

Most likely what I see on the next Security lab:
- ISE
- pxGrid - Knowing how to do self-signed and CA-signed. I suspect that self-signed would be the preferred method. Like the CCIE DC didn't want it to be a VMware exam, I would think they would want to keep it away from being a Microsoft AD exam...
- Lancope
- AMP - Endpoints, networks, etc
- Some flavor of Firepower (Unknown whether it'll be the unified FTD code or the ASA with Firepower module). I doubt they would use Firepower managed by the ASDM. While that would be one of those "tricky" things they could throw in there, there isn't as many options with the ASDM part so it would be silly to put it in there. I'm thinking FMC-controlled.
- VPN in some form - The real question is WHICH types of VPN. Are they going to be ditching EZVPN? Keeping it? Who knows... I probably won't study it hard until the end when I know what's on the blueprint. S2S IPSec, SSL, Anyconnect
- ESA
- WSA
- The regular blend of IOS, WLC, and router security
- TrustSec

Not so sure about:
- Cisco Cognitive Threat Analytics
- Threatgrid
- AMP Private cloud
- Cisco Defense Orchestrator
- OpenDNS - This isn't very hard either way

Going through the most likely, I think I'm pretty strong on a lot of those so the ramp-up time isn't that bad. I need to play around with more of ISE's self-signed certificate actions and pxGrid with self-signed certs, VPN I need work on, and maybe some ESA in there but the rest, I'm pretty solid on. I'd go as far to rank me as a 7 or 8 out of 10 on most of the above. One thing I can see them potentially doing is having a section be about detecting threats and neutralizing them which I probably could be better at to be honest... I configure and troubleshoot these things often but I'm probably a 5 at actually using them to their full potential in terms of identifying more hidden threats with the information it gives me. I could see detecting and identifying threats as it's own sort of "Diag" section if that was the case so I need to get better at using the tools as an end-user.

Anyways, my goal is a little bit crazy. Most people scramble to take a CCIE lab BEFORE the exam changes. I am purposely going to study for the exam change that will eventually come. Crazy as it sounds, it's a lot easier for me given where I'm starting from and I get to use the last 8 months of labbing, my new job role in Cisco, and the 4 month class I just took. I'll keep updating this thing as I go as well as my blog as I go. Maybe you guys will learn some new stuff about the security stuff I'm working on too so win-win.

I'm making this commitment now: I'm taking the new CCIE Security lab (whenever it's announced) on the 1st day it comes out. I don't know if I'll get a pass but if I did, I would be sooooo happy. It just would validate a lot of the hard work I've been doing on the side.

Find more posts tagged with

Comments

gespenstern

Good luck. This is really inspiring, I feel a little ashamed for not having enough cool certs and not achieving what I could've.

I hope that reading this will push me further.

Hail to all overachievers and IrisTheAngel among them!

NOC-Ninja

goodluck.

very time consuming test. lol

creamy_stew

Go get it, Iris!

beastmode

This monster is not human. It feels no pain. It cannot be reasoned with

Fadakartel

Iristheangel wrote: »

Heh... I guess I'm going to say my R&S thread is dormant for now. I've been working on nothing but security stuff on the side and for POCs since last July and I took the 4 month long Micronic's security class as well so I was all ready without an exam to really take. I'm banking this on the hopes and dreams that the exam gets refreshed relatively soon and I'm pretty sure it will. The entire Cisco security landscape has changed and they can't afford to keep it this stale for longer so with Cisco Live approaching, I feel like I should strike while the iron is hot and just beastmode this thing.

I got back from the partner Security VT thing last week in San Jose and put out a blog post on what I'm going to study based on what theoretically would be on the next exam. Obviously, I work at Cisco but they don't tell us when an exam is coming and there's a huge separation between the team that pumps out exams and the rest of us. That being said, a lot of what's coming on exams or how exams are crafted are based on the Cisco messaging. i.e. Cisco R&S v5 ditched PFRv2 because PFRv3 was right around the corner and forcing people to learn PFRv2 would be a direct contradiction to their iWAN messaging. When there's eventually a v6 for R&S, I would expect PFRv3 to pop it's pretty head in there (if anyone wants to contest that it's pretty, go lookup v1/OER or v2. Nuff said). With CCIE VoIP, it changed to collaboration. With CCIE DC v2, ACI is there....

So with the lack of a valid blueprint, I'm going based on Cisco trends and marketing. That being said, this is based on my best guesses. Nothing else and I think even if I'm wrong on 20%, I'm probably right on a good chunk.

Most likely what I see on the next Security lab:
- ISE
- pxGrid - Knowing how to do self-signed and CA-signed. I suspect that self-signed would be the preferred method. Like the CCIE DC didn't want it to be a VMware exam, I would think they would want to keep it away from being a Microsoft AD exam...
- Lancope
- AMP - Endpoints, networks, etc
- Some flavor of Firepower (Unknown whether it'll be the unified FTD code or the ASA with Firepower module). I doubt they would use Firepower managed by the ASDM. While that would be one of those "tricky" things they could throw in there, there isn't as many options with the ASDM part so it would be silly to put it in there. I'm thinking FMC-controlled.
- VPN in some form - The real question is WHICH types of VPN. Are they going to be ditching EZVPN? Keeping it? Who knows... I probably won't study it hard until the end when I know what's on the blueprint. S2S IPSec, SSL, Anyconnect
- ESA
- WSA
- The regular blend of IOS, WLC, and router security
- TrustSec

Not so sure about:
- Cisco Cognitive Threat Analytics
- Threatgrid
- AMP Private cloud
- Cisco Defense Orchestrator

Going through the most likely, I think I'm pretty strong on a lot of those so the ramp-up time isn't that bad. I need to play around with more of ISE's self-signed certificate actions and pxGrid with self-signed certs, VPN I need work on, and maybe some ESA in there but the rest, I'm pretty solid on. I'd go as far to rank me as a 7 or 8 out of 10 on most of the above. One thing I can see them potentially doing is having a section be about detecting threats and neutralizing them which I probably could be better at to be honest... I configure and troubleshoot these things often but I'm probably a 5 at actually using them to their full potential in terms of identifying more hidden threats with the information it gives me. I could see detecting and identifying threats as it's own sort of "Diag" section if that was the case so I need to get better at using the tools as an end-user.

Anyways, my goal is a little bit crazy. Most people scramble to take a CCIE lab BEFORE the exam changes. I am purposely going to study for the exam change that will eventually come. Crazy as it sounds, it's a lot easier for me given where I'm starting from and I get to use the last 8 months of labbing, my new job role in Cisco, and the 4 month class I just took. I'll keep updating this thing as I go as well as my blog as I go. Maybe you guys will learn some new stuff about the security stuff I'm working on too so win-win.

I'm making this commitment now: I'm taking the new CCIE Security lab (whenever it's announced) on the 1st day it comes out. I don't know if I'll get a pass but if I did, I would be sooooo happy. It just would validate a lot of the hard work I've been doing on the side.

Good luck. I know ill see a CCIE Security # on your certs list soon lol

636-555-3226

Good luck. Anybody with a CCIE is way smarter than I am. Respect.

khurramkhan

Iris
FirePower managed by ASDM or ASA is minimal; most stuff is through defense center so not sure how they will test it . pretty basic
what about SGTs? i think ISE is incomplete without SGT testing.
with Firepower and ISE, i see the new test being a lot more GUI based stuff.
what do you think?
I am also planning for 4.1 but a bit short of ideas without blueprints so just going through the stuff
I dont come from strong R&S background but very strong security background so wondering how much depth i need to cover from BGP, EIGRP, OSPF perspective. In practical security , we mostly use static routing and rarely make ASAs participate in dyamic routing. thoughts? the theory obviously is different

regards

Iristheangel

@Khurramkhan - Exactly. That's why I said it probably won't be managed by the ASDM. FMC is where it'll be managed from.

TrustSec == SGTs. TrustSec used to be the name for all things ISE-related but now it's really just the marketing word for SGTs. That I can configure and test a little... Sometimes I'm a little rusty with my SGACLs on ISE so I need to improve that a little.

As far as GUI-based, you're right. At least for certain aspects. You still have a lot of CLI for router, VPN, IOS Security, NAT, dot1x, Anyconnect, etc configuration... I'm thinking there will be more of a mix in there instead of it being so CLI-driven in previous tests.

I can't tell you how much routing will be on the new test... I can tell you that if we'd be configuring routing on FTD, it'd be a cakewalk. If we're doing it through ASA, probably a bit of BGP, EIGRP, and OSPF - nothing crazy but enough to be dangerous.

The problem with not having a blueprint yet is that this is all guesswork but I figure if I start working my way through relevant videos and books and do some labbing, they'll eventually announce a blueprint and I'll have 6 months to the lab to really fill the erroneous gaps.

E Double U

Half (wo)man, half machine

Go Iris!

aftereffector

I'm going to keep a very close eye on your progress here! You are definitely an inspiration.

gorebrush

You are my hero. I need a regroup!

joelsfood

I figured you might do this.

Get it!

Iristheangel

gorebrush wrote: »

You are my hero. I need a regroup!

Come study with me :P Let's learn something that's not pre-8.3 ASA code together! :P

Iristheangel

Already in full swing of studying. This week, I'm studying StealthWatch. There's quite a bit of free training on their Partner/Customer portal so I'm taking advantage of that. Went through the Hardware & Licensing installation model and going through the StealthWatch for System Administrators courses today. The goal is to get through the following on-demand courses this week:
- StealthWatch Installation & Licensing - Done - Notes: https://docs.google.com/document/d/1aBusue2hHdfoPDPqAI-IzSVZKrKfyryauQpBYS2pcyQ/edit?usp=sharing
- StealthWatch for Systems Administrators - In Progress - Notes as they are added: https://docs.google.com/document/d/1Cvco1HKufE_zRE2pyNlyIUNeHlh1pPCgvNTPRnwiDF8/edit?usp=sharing
- StealthWatch Technical Professional/Expert - Not started - Future home of notes: https://docs.google.com/document/d/1Vv8hlVBvUEW_D6nJeVY3ma9pRThb1366dPOTw8B_sYk/edit?usp=sharing
- StealthWatch for Security Ops + Advanced Tuning - Not Started - Future home of notes: https://docs.google.com/document/d/1P21-FjjnrfPpSkwvadCmtV4cSnu4uHrJNABf57L4PSU/edit?usp=sharing

I don't think Stealthwatch is particularly a hard product to learn in itself but I do need to learn more about the Java console and probably could stand to play around with pxGrid integration with ISE self-signed certificates so I probably will be playing around with that later this week. I need to see about getting some extra demo licenses to stand up another instance than my demo lab that I have at work.

Danielh22185

Very cool! I will track your progress as always. I figured too you would go for IE Security. Good luck with your studies!

Iristheangel

Finished all my StealthWatch partner videos this week. Feeling pretty good about the progress. This week's goals:
- Set up a separate StealthWatch lab from my typical one that I can experiment with a bit more
- Go through the StealthWatch manual
- Get some blog posts done for StealthWatch
- Read this book which ties back to StealthWatch: http://www.amazon.com/Network-Security-NetFlow-IPFIX-Information/dp/1587144387/ref=sr_1_4?s=books&ie=UTF8&qid=1462062702&sr=1-4&keywords=Omar+Santos

After I complete all that, I'll feel solid on StealthWatch and move onto the next thing hopefully the week after: Re-reading the SSFIPS book, doing some fun labs with a vNGIPS and finally getting around to taking the SSFIPS exam which I think would definitely factor into whatever the CCIE Security v5 will be since I doubt they'll exclude Firepower

khurramkhan

Can Anyone recommend a book for V4.1? Probably the best (or closest) All In one book that i found is
CCIE Security v4.0 Quick Reference, 3rd Edition
Any ideas whether it is good for v4.1 as well? Thoughts about this?
Cheers

Iristheangel

Progress I've made on this little journey:
-Watch all the partner training videos on Stealthwatch
- Read Omar Santo's Network Security with NetFlow and IPFIX book this week and watched the corresponding video series this week
- Got two bootcamps for Stealthwatch set up for June and July
- Taking my SSFIPS exam tomorrow (finally)
- Started reading through my SSFAMP material
- Threw up a couple blog posts on NetFlow and probably will do some write-ups on Stealthwatch next

Goals for the next week:
- Read all the SSFAMP material (300 pages)
- Start on the ISE book (non-CiscoPress)
- Stealthwatch labbing

Fadakartel

Iristheangel wrote: »

Progress I've made on this little journey:
-Watch all the partner training videos on Stealthwatch
- Read Omar Santo's Network Security with NetFlow and IPFIX book this week and watched the corresponding video series this week
- Got two bootcamps for Stealthwatch set up for June and July
- Taking my SSFIPS exam tomorrow (finally)
- Started reading through my SSFAMP material
- Threw up a couple blog posts on NetFlow and probably will do some write-ups on Stealthwatch next

Goals for the next week:
- Read all the SSFAMP material (300 pages)
- Start on the ISE book (non-CiscoPress)
- Stealthwatch labbing

Nice keep it up

Iristheangel

This was sort of low hanging fruit since I run a ton of the Firepower POCs for my region and have been doing so for over a year plus the Micronics class I went to and the Todd Lammle SSFIPS book I read awhile ago. I actually booked this exam waayyyyyyy back in January and kept changing the date on Pearson since I kept having stuff come up. I decided to just get it done this week. I feel like this was more a CCENT/CCNA-level exam for Sourcefire/Firepower if I had to be honest about the test and materials so if you have production experience with the product, it should be pretty easy.

Now I'm studying SSFAMP since AMP is bound to be on the next rev of the CCIE Security. I was supposed to go to the SSFAMP class but had to miss it due to work but I got the 300 page class book so I'm going through that. I run AMP on all my home and work machines and I didn't find it terribly difficult to understand but there's always more to learn.

FirepowerScore.JPG

gorebrush

Nicely done!

Iristheangel

So excited. ISE 2.1 was released today. I've been part of the beta for that for months and if I had to put money down, I'd wager thatll be the version on the next lab exam. I loved the jump to 2.0 but I love this jump more

darkestclown

I was on the EMEA PVT and the ISE 2.1 feature set was discussed. I am doing a 6-node ISE 2.1 rollout later this month, so it will be interesting to deploy.....

Iristheangel

darkestclown wrote: »

I was on the EMEA PVT and the ISE 2.1 feature set was discussed. I am doing a 6-node ISE 2.1 rollout later this month, so it will be interesting to deploy.....

I've been running it for months.

ccnpninja

Iris, which study techniques -from your first CCIE experience- are you going to use?

Iristheangel

ccnpninja wrote: »

Iris, which study techniques -from your first CCIE experience- are you going to use?

Read a lot of books and lab a whole lot more? It's pretty much an endurance game along with knowing that you need to commit a LOT of time to it. I didn't learn any short cuts beyond slogging through it the first go around. I think the only improvement is that I realize how much of a commitment it is going into it and it's helping. I'm also further along on security than I was at DC when I started so that helps. I didn't blog a lot during the CCIE DC but definitely doing a lot of posts now with security. I think it's easier for me to dive into on a blog and less time consuming than when I first tried with DC (early on in the process)

sucanushie

Hey Iristheangel,

Have you labbed pxGRID with ISE and firepower? I have 2 ISE nodes and I thought they would both act as primary pxGrid servers like the PSN. However only one will stay active while the other disables pxGRID.

So in FPM when I enter both servers only one works because the other is disabled and when the node is back up it pxGrid doesn't fail back.

ISE PROCESS NAME STATE PROCESS ID

Database Listener running 19174
Database Server running 108 PROCESSES
Application Server running 29668
Profiler Database running 29773
AD Connector running 23841
M&T Session Database running 26568
M&T Log Collector running 29893
M&T Log Processor running 30047
Certificate Authority Service running 30367
SXP Engine Service disabled
pxGrid Infrastructure Service disabled
pxGrid Publisher Subscriber Service disabled
pxGrid Connection Manager disabled
pxGrid Controller disabled
Identity Mapping Service running 30813

Iristheangel

I have labbed pxGrid with pretty much everything.

Your two ISE nodes - what are their roles? Also what version of ISE are you on? Is this lab or prod?

Also what version of FP are you on? With FP 5.4 you have the remediation capability and with 6.0, you have just contextual sharing. In 6.1, you'll see remediation come back and be a LOT easier to deploy.

sucanushie

ISE 2.0
Node-1 Primary Admin, Seconday M&T, Active PSN, Profiling Service,Identity Services,pxGRID
Node-2 Secondary Admin, Primary M&T, Active PSN, Profiling Service,Identity Services,pxGRID

Running FPM 6.0

This is running Prod but it's net new and we are in the test phase.

When it works it's awesome and I can't wait to use ISE for identity in WSA and get rid of the CDA.

Each node is in a different city so I would like the pxGrid to be active active, but it doesn't look like it will work that way.

Sorry to fill your CCIE with a question heh

Iristheangel

Ok... first thing I'm going to say to do: Go upgrade to ISE 2.1

No. Seriously, I know it's newer but it's much better.

As far as "active-standby," it not going to affect usability. it's not "active-standby" in terms of PSN functions or anything. It's the Monitoring and PAN nodes that are active-standby. It doesn't affect the usability - you don't have to point your NADS towards only one PSN because of this so it's not going to limit your deployment at all.

Here's some more info if you want to read up on it: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-88-Configuring-pxGrid-in-an-ISE-Distributed-Environment.pdf

sucanushie

Yeah we are upgrading next week

I guess my issue is that I want my FPM to use the node that is in the same DC. When that node goes down the pxGrid services flip to the node in the other DC which is great! However they don't seem to flip back once the node comes back up. Then all the pxGrid traffic is going across the WAN.

From the GUI I can't see how to promote node that pxGrid is not running. Maybe a CLI but still annoying.

From that doc...

In this section, we cover pxGrid Active-Standby. In an ISE distributed deployment, there can be only (2) pxGridnodes. One handling the pxGrid client connections controlling the pxGrid services and the other one, for fail-over.One pxGrid node can be active at a time.