CCIE Security Written Overview

By Rick Mur on Monday, November 30, 2009 8:26
Posted in category Security, Strategy, Techtorials

After I passed the CCIE Security Written exam last Thursday I’d like to give a brief overview of how the exam is compiled and what you need to know for it.

This was the first CCIE written I did in the ‘new-style’. The written exam used to consist of 100 questions and you got 1 point per correctly answered question. The passing score was somewhere between 70 and 80, which was in my opinion a great way to score an exam.

Now Cisco uses the same style as for all its other exams: the score ranges from 300 to 1000 and the number of questions from 90 to 110.

The passing score was quite low in my opinion; on my exam it was 699, so a pretty doable job.

Blueprint

The current blueprint for the CCIE Security lab is at version 3.0, in which all technologies have been updated to the latest and greatest. An important difference is that the blueprint for the written exam has not changed since the introduction of 3.0 and is still at version 2.0. This means that officially the PIX and VPN 3000 are still part of the written, although the chance that you will get a question about them is very small.

Another thing is that I think the CCIE Security Written is the written exam least aligned with its lab exam. DMVPN and GETVPN, for example, are not on the blueprint and are not tested (or perhaps only at a very basic level).

There are also very few topology questions and a lot of purely theoretical questions. The focus lies largely on encryption, IPsec VPNs, the Cisco software tools, AAA and standards.

IPsec VPNs

The questions asked about IPsec cover all aspects and range from pure theory to configuration examples. Most important is to know which IP protocol and port numbers IPsec uses in its different phases. You could run into a drag-and-drop question where you are asked to place the correct IP protocol and UDP port numbers.

Just a quick reminder:

ESP = IP protocol 50

AH = IP protocol 51

IKE = UDP 500

IKE NAT-T = UDP 4500 (the same port also carries UDP-encapsulated ESP once NAT has been detected)

Or a drag-and-drop about which description belongs to which phase and protocol.

IKE Main/Aggressive Mode = Phase 1

X-auth = Phase 1.5

IPsec Quick Mode = Phase 2

So be familiar with the various ways of configuring IPsec and with all the protocols and procedures involved.
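The protocol numbers and phases above are exactly what you see when you point a sniffer at a tunnel, so here is the same list turned into working code. This is an added example, not part of the original post: a small Python classifier that takes a raw IPv4 packet, tells ESP (protocol 50), AH (51), IKE (UDP 500) and NAT-T (UDP 4500) apart, and for the UDP 4500 case applies the RFC 3948 rule that distinguishes IKE (4-byte zero non-ESP marker) from UDP-encapsulated ESP and from NAT keepalives. The IKE header is decoded far enough to name the exchange (main/aggressive mode = phase 1, quick mode = phase 2). The sample packets, addresses and SPIs are constructed for the example.

```python
import struct

# IP protocol numbers and UDP ports of the IPsec protocol family
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
UDP_IKE, UDP_NAT_T = 500, 4500

# IKEv1 exchange types (RFC 2408) and IKEv2 exchange types (RFC 7296)
EXCHANGES = {2: "main mode (phase 1)", 4: "aggressive mode (phase 1)",
             5: "informational (v1)", 32: "quick mode (phase 2)",
             34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA",
             37: "INFORMATIONAL (v2)"}


def _ike_fields(hdr: bytes) -> dict:
    """Parse the 28-byte ISAKMP/IKE header shared by IKEv1 and IKEv2."""
    i_spi, r_spi, _next, version, exch, _flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", hdr[:28])
    return {"ike_version": version >> 4, "exchange": EXCHANGES.get(exch, f"type {exch}"),
            "initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
            "msg_id": msg_id, "length": length}


def classify_ipsec(frame: bytes) -> dict:
    """Classify one raw IPv4 packet as IKE, ESP, AH, ESP-in-UDP or a NAT-T keepalive."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ihl, proto = (frame[0] & 0x0F) * 4, frame[9]
    payload = frame[ihl:]
    info = {"src": ".".join(map(str, frame[12:16])),
            "dst": ".".join(map(str, frame[16:20])),
            "ip_proto": proto, "kind": "other"}
    if proto == IPPROTO_ESP:                      # SPI and sequence number are in the clear
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="ESP", spi=spi, seq=seq)
    elif proto == IPPROTO_AH:                     # next header, len, reserved, SPI, seq, ICV
        spi, seq = struct.unpack("!II", payload[4:12])
        info.update(kind="AH", spi=spi, seq=seq, next_header=payload[0],
                    ah_len_bytes=(payload[1] + 2) * 4)
    elif proto == IPPROTO_UDP:
        sport, dport, ulen = struct.unpack("!HHH", payload[:6])
        data = payload[8:ulen]
        info.update(sport=sport, dport=dport)
        if UDP_IKE in (sport, dport):
            info.update(kind="IKE", **_ike_fields(data))
        elif UDP_NAT_T in (sport, dport):
            # RFC 3948: a 4-byte zero "non-ESP marker" means IKE, a lone 0xFF byte is a
            # NAT keepalive, anything else is ESP carried in UDP (first 4 bytes = SPI).
            if data[:4] == b"\x00\x00\x00\x00":
                info.update(kind="IKE (NAT-T)", **_ike_fields(data[4:]))
            elif data == b"\xff":
                info["kind"] = "NAT-T keepalive"
            else:
                spi, seq = struct.unpack("!II", data[:8])
                info.update(kind="ESP (UDP-encapsulated)", spi=spi, seq=seq)
    return info


# --- constructed sample packets (documentation addresses, header-only IKE) ------------
def build_ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="198.51.100.1") -> bytes:
    """IPv4 header without options; checksum left at zero since nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ike_header(exchange: int, version: int = 0x10, msg_id: int = 0) -> bytes:
    return struct.pack("!8s8sBBBBII", bytes.fromhex("0123456789abcdef"), bytes(8),
                       0, version, exchange, 0, msg_id, 28)


SAMPLES = {
    "ike_main":  build_ipv4(IPPROTO_UDP, build_udp(500, 500, ike_header(2))),
    "esp":       build_ipv4(IPPROTO_ESP, struct.pack("!II", 0xC0FFEE01, 7) + bytes(32)),
    "ah":        build_ipv4(IPPROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0xAB11, 3) + bytes(12)),
    "ike_natt":  build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, bytes(4) + ike_header(32, msg_id=1))),
    "esp_udp":   build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 8) + bytes(32))),
    "keepalive": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify_ipsec(pkt)}")
```

The point worth remembering from the 4500 branch is that a firewall rule "permit udp eq 4500" lets through two different things, IKE and the encrypted data itself, and that only the first four bytes tell them apart.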

Encryption

A lot of questions were related to the different encryption algorithms and to all the aspects of, and differences between, hash, symmetric and asymmetric algorithms.

Reminder:

DES/3DES, AES and RC4 = Symmetric (RC4 is a stream cipher, the others are block ciphers)

RSA = Asymmetric

MD5, SHA-1 = Hash

Be familiar with the performance differences between the variants and with where and how each is used: symmetric ciphers for bulk data, asymmetric algorithms for key exchange and signatures, and hashes for integrity (on their own or inside an HMAC).
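The reason the three classes are always used together is easier to see in code than in a list, so here is an added example (not from the original post) of the hybrid pattern that IPsec and TLS both follow: one expensive RSA operation protects a fresh symmetric session key, the cheap symmetric cipher protects the bulk data, and a hash inside an HMAC gives integrity. Two assumptions are made to keep it to the standard library: the symmetric cipher is HMAC-SHA256 run in counter mode as a stand-in for AES-CTR, and the RSA is textbook RSA without OAEP/PSS padding, so neither half is something to deploy as written.

```python
import hashlib
import hmac
import secrets


# --- Hash: keyless, fixed-length, one-way. Here it fingerprints a public key, the way a
#     certificate or SSH host key is identified; inside hmac below it provides integrity.
def key_fingerprint(pub) -> str:
    n, e = pub
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[:32]


# --- Symmetric: one shared key, cheap per byte, used for the bulk data. The stdlib has
#     no AES, so HMAC-SHA256 is run in counter mode as a stream cipher (stand-in for
#     AES-CTR; an assumption of this example, not a construction to build ciphers from).
def sym_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 32)):
        keystream = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


# --- Asymmetric: RSA. Key generation and every private-key operation cost far more than
#     a symmetric block, which is why RSA moves keys and signs but never encrypts bulk.
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 2048):
    """Return ((n, e), (n, d)). 2048 bits is the practical floor; smaller only for tests."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q or (p - 1) % e == 0 or (q - 1) % e == 0:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        return (n, e), (n, pow(e, -1, phi))


def rsa_raw(key, m: int) -> int:
    """Textbook RSA, no OAEP/PSS padding: shows the mechanism, not safe for real use."""
    n, exp = key
    return pow(m, exp, n)


# --- Hybrid: how the three are combined. One RSA operation wraps a fresh session key,
#     the symmetric cipher encrypts the data, an HMAC over the ciphertext gives integrity
#     (encrypt-then-MAC), with separate encryption and MAC keys derived from the session key.
def _derive(session_key: bytes):
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def hybrid_encrypt(pub, plaintext: bytes):
    session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    enc_key, mac_key = _derive(session_key)
    wrapped = rsa_raw(pub, int.from_bytes(session_key, "big"))      # the one slow operation
    ciphertext = sym_crypt(enc_key, nonce, plaintext)               # cheap, per byte
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return wrapped, nonce, ciphertext, tag


def hybrid_decrypt(priv, wrapped: int, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    session_key = rsa_raw(priv, wrapped).to_bytes(32, "big")
    enc_key, mac_key = _derive(session_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # verify before decrypting
        raise ValueError("integrity check failed")
    return sym_crypt(enc_key, nonce, ciphertext)
```

Run `rsa_keygen()` at the default 2048 bits and then time a loop of `sym_crypt` calls against a loop of `rsa_raw` calls with the private key: the gap is the performance difference the exam asks about, and it is the whole reason the session key, not the data, goes through RSA.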

AAA

The differences between RADIUS and TACACS+ are also very important to understand, as is the implementation of SSH on the Cisco IOS platform. For the two AAA protocols it is important to remember the packets that go back and forth between the device and the authentication server (RADIUS runs over UDP, ports 1812/1813 or the legacy 1645/1646, combines authentication and authorization in one exchange and hides only the User-Password attribute; TACACS+ runs over TCP port 49, separates authentication, authorization and accounting into their own exchanges and encrypts the entire packet body). Screenshots of Cisco Secure ACS with the question of what that configuration would do are also a possibility.
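The one RADIUS/TACACS+ difference that matters most on the wire is what each protocol hides. As an added example (not from the original post), the following Python builds the first request of each protocol from the stdlib: a RADIUS Access-Request with the RFC 2865 User-Password obfuscation (MD5 of shared secret plus Request Authenticator, chained per 16-byte block) and a TACACS+ authentication START packet with the RFC 8907 body encryption (MD5-derived pseudo-pad keyed by session id, key, version and sequence number). The shared secret, user name, password and session id are constructed values. `compare_exposure()` then shows what a passive sniffer can read from each.

```python
import hashlib
import secrets
import struct

RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813   # UDP; legacy ports 1645/1646
TACACS_PORT = 49                                 # TCP
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
TACACS_VERSION, TACACS_AUTHEN = 0xC0, 1           # major 0xC minor 0; authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS (RFC 2865): only User-Password is hidden, every other attribute is plaintext

def radius_hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def radius_reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """What the server does: same MD5 chain, XOR back, strip the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def radius_access_request(secret: bytes, identifier: int, username: bytes,
                          password: bytes, request_auth: bytes) -> bytes:
    """Access-Request: Code(1) Identifier(1) Length(2) Authenticator(16) then AVPs."""
    def avp(attr_type: int, value: bytes) -> bytes:
        return struct.pack("!BB", attr_type, 2 + len(value)) + value
    attrs = (avp(ATTR_USER_NAME, username)
             + avp(ATTR_USER_PASSWORD, radius_hide_password(secret, request_auth, password)))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


# ---- TACACS+ (RFC 8907): 12-byte header in the clear, whole body encrypted ----------

def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id + key + version + seq_no); MD5_n = MD5(... + MD5_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_crypt(key: bytes, session_id: int, seq_no: int, body: bytes,
                 version: int = TACACS_VERSION) -> bytes:
    """Encryption and decryption are the same XOR against the pseudo-pad."""
    return _xor(body, tacacs_pseudo_pad(key, session_id, version, seq_no, len(body)))


def tacacs_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                  ptype: int = TACACS_AUTHEN, flags: int = 0) -> bytes:
    """Header: version, type, seq_no, flags, session_id(4), length(4); then the body."""
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = tacacs_crypt(key, session_id, seq_no, body)
    return struct.pack("!BBBBII", TACACS_VERSION, ptype, seq_no, flags, session_id, len(body)) + body


def tacacs_decrypt_packet(key: bytes, packet: bytes) -> bytes:
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    return body if flags & TAC_PLUS_UNENCRYPTED_FLAG else tacacs_crypt(key, session_id, seq_no, body, version)


def authen_start_body(username: bytes) -> bytes:
    """Constructed TACACS+ authentication START: action LOGIN, priv_lvl 1, ASCII, service LOGIN,
    followed by user_len, port_len, rem_addr_len, data_len and the user name."""
    return bytes([1, 1, 1, 1, len(username), 0, 0, 0]) + username


def compare_exposure(secret: bytes = b"s3cret", username: bytes = b"admin",
                     password: bytes = b"C1sco!23") -> dict:
    """Which fields a passive sniffer can read from each protocol's first request."""
    radius = radius_access_request(secret, 0x2A, username, password, secrets.token_bytes(16))
    tacacs = tacacs_packet(secret, 0x5EED5EED, 1, authen_start_body(username))
    return {"radius_username_visible": username in radius,
            "radius_password_visible": password in radius,
            "tacacs_username_visible": username in tacacs}
```

Two practical consequences follow from the code: RADIUS needs the per-request random Request Authenticator or the same password hides to the same bytes every time, and a TACACS+ packet with the unencrypted flag set (the "tacacs-server key" left out on the device) sends the whole body in the clear, which is what the `flags` branch models.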

Software Tools

The software tools are not tested much on the lab exam, which is why they are tested thoroughly on the written. You could run into a lot of questions about Cisco Security Agent, Cisco Trust Agent, Cisco Secure Desktop, Cisco Security Manager (CSM), SDM and ASDM. All are tested on the written. You do not have to know every little detail, but mainly what they do, where they are used and how they get installed or, in some cases, automatically downloaded.

Standards

The most pesky thing about the written is that Cisco wants you to know a LOT of RFCs and ISO standards. According to the CCIE Security Written blueprint, the standards you need to know are:

Security General

A. Policies – Security Policy Best Practices

B. Information Security Standards (ISO 17799, ISO 27001, BS7799)

C. Standards Bodies

D. Common RFCs (e.g. RFC1918, RFC2827, RFC2401)

E. BCP 38

F. Attacks, Vulnerabilities and Common Exploits – recon, scan, priv escalation, penetration, cleanup, backdoor

G. Security Audit & Validation

H. Risk Assessment

I. Change Management Process

J. Incident Response Framework

K. Computer Security Forensics

Know which addresses belong to RFC 1918 (10/8, 172.16/12 and 192.168/16), what RFC 2827 describes (network ingress filtering against source IP address spoofing; RFC 2827 and BCP 38 are the same document) and what RFC 2401 is (the original security architecture for IP, i.e. IPsec). Besides that you could run into questions like: what does ISO 27001 describe?
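RFC 1918 and RFC 2827 are the two list entries that turn directly into a filter, so here is the ingress policy they describe as an added example (not from the original post): a customer-facing interface forwards only sources inside the prefixes assigned to that customer, and an upstream-facing interface drops RFC 1918 space, the network's own prefixes and other non-routable sources. The topology, prefixes and packets are constructed and use documentation address space.

```python
import ipaddress

# RFC 1918 private space: never a legitimate source on an Internet-facing interface
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def customer_ingress(src: str, assigned_prefixes) -> str:
    """RFC 2827 / BCP 38 on a customer-facing interface: forward a packet only if its
    source lies inside the prefixes delegated to that customer; anything else is spoofed."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in assigned_prefixes):
        return "permit"
    return "drop: source not in assigned prefix"


def internet_edge_ingress(src: str, own_prefixes) -> str:
    """Anti-spoofing on the upstream-facing interface: our own prefixes, RFC 1918 space
    and other non-routable sources must never arrive from the outside."""
    ip = ipaddress.ip_address(src)
    if is_rfc1918(src):
        return "drop: RFC 1918 source from outside"
    if any(ip in net for net in own_prefixes):
        return "drop: our own prefix as source from outside"
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        return "drop: non-routable source"
    return "permit"


def apply_ingress_policy(packets, customer_prefixes, own_prefixes):
    """Run (src, interface) tuples through the filter that applies to each interface."""
    verdicts = []
    for src, iface in packets:
        if iface.startswith("customer"):
            verdicts.append((src, iface, customer_ingress(src, customer_prefixes[iface])))
        else:
            verdicts.append((src, iface, internet_edge_ingress(src, own_prefixes)))
    return verdicts


# --- constructed topology and traffic, all in documentation address space --------------
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
CUSTOMER_PREFIXES = {"customer-A": [ipaddress.ip_network("203.0.113.0/24")]}
SAMPLE_PACKETS = [
    ("203.0.113.7", "customer-A"),   # legitimate customer traffic
    ("10.1.2.3", "customer-A"),      # RFC 1918 source leaking out of the customer
    ("192.0.2.55", "customer-A"),    # someone else's address: spoofed
    ("192.0.2.55", "upstream"),      # legitimate Internet source
    ("192.168.1.1", "upstream"),     # RFC 1918 from the Internet
    ("198.51.100.9", "upstream"),    # our own address arriving from outside
    ("127.0.0.1", "upstream"),       # loopback as source
]

if __name__ == "__main__":
    for src, iface, verdict in apply_ingress_policy(SAMPLE_PACKETS, CUSTOMER_PREFIXES, OWN_PREFIXES):
        print(f"{iface:11s} {src:15s} {verdict}")
```

On IOS the customer-side check is what `ip verify unicast source reachable-via rx` (strict uRPF) does per interface, and the upstream-side check is the inbound ACL that denies the RFC 1918 ranges and your own prefixes before the first `permit`.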

Be familiar with these rules, RFCs and standards and with what they describe. It is not really hands-on knowledge, but it never hurts to learn something new.

Misc

Other small topics that are not tested on the lab exam, like multicast and IPv6, could be tested on the written, but again at a very basic level. It suffices to have a basic understanding of what multicast is, which multicast features the ASA has and which multicast security features IOS has.

I hope I was able to give a basic overview of what is tested in the CCIE Security Written exam and that you now have an idea of how the exam is put together. Good luck and enjoy all your studies!!

Rick Mur

CCIE2 #21946 (R&S, Service provider)

Sr. Support Engineer — IPexpert, Inc.


8 Responses to “CCIE Security Written Overview”

  1. Razvan says:

    November 30th, 2009 at 9:33 am

    Thanks for the info! What about some updates to the workbooks?

  2. Nate says:

    November 30th, 2009 at 1:18 pm

    Hi Rick. thanks for the update and congrats on passing.

    One small typo I caught, “IKE = IP protocol 50”. Shouldn’t it be ESP = IP proto 50?

  3. Sian says:

    November 30th, 2009 at 8:07 pm

    Congratulations Rick! Much appreciate you sharing this. All the best in your next endeavors. 

  4. Rick Mur says:

    December 2nd, 2009 at 4:08 am

    @Nate – You are 100% correct, little typo there, that indeed should be ESP.

    @Razvan – Our current volume 1 and 2 workbooks are almost completely updated! Only a few sections and labs are left and they will be released very soon, first estimate is this month! The printed versions start shipping immediately after the electronic release!
    Besides that the new videos are also due to come out very soon!

  5. Ruben G says:

    December 9th, 2009 at 3:39 pm

    Rick,

    What resources did you use for studying the ISO standards? Specifically ISO 27001

  6. Anantha Subramanian Natarajan says:

    December 9th, 2009 at 5:59 pm

    Hi Rick,

    Thanks for the great update and congrats on passing the exam

    Regards
    Anantha Subramanian Natarajan

  7. sasanka says:

    December 12th, 2009 at 10:47 am

    Hi Rick,
    Great for the written! How did you plan your studies? If you can, give some info like
    how many hours and which study books you went through.

    Sasanka

  8. Written Done! « TacAck – My security journey! says:

    January 24th, 2010 at 12:02 am

    [...] not going to get into what I saw in the exam today. I’d suggest going through this IPexpert blog post for guidelines on nailing the written. It’s very useful and I wanna thank Rick for writing [...]
