CCIE Security study plan


It's always a good idea to have a structured study plan. I did this with my Routing and Switching CCIE, managing to stick to it (roughly). So it makes sense to do one for this as well.

My plan, in its most general sense, is to:

Build up a fully working lab, bit by bit.
Use the INE videos to build up this knowledge as I go.
Read the books for the various sections.

The lab will be based around UNetLab (UNL), and the topology will be based around the same one used by INE, so that when I come to do their full labs it will all be set up and all the kinks will be worked out. The topology is in my first post about the CCIE Security, but I will re-post it here to make life easier:

Cisco CCIE Security v4 topology

Sounds very broad, doesn't it? So let's break it down into a proper study plan, starting with the things that are new to me. Where I mention ATC, this is the INE Advanced Technology Class (http://streaming.ine.com/c/ccie-security-advanced-technologies-class).

1: Set up TestPC-B, Switch 2 and Switch 6. This will give me access to WSA1.
2: WSA :-
  • Watch: INE video course http://streaming.ine.com/c/ccie-sc-wsa-primer. Applicable videos from the ATC.
  • Read: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-1/user_guide/Cisco_IronPort_AsyncOS_7-1-0_User_Guide_for_Web_Security_Appliances.pdf
  • Do: Set up WSA in UNetLab.
  • Covering: Section 3: Intrusion Detection and Content Security (second half)
3: Set up Switch 1 & Switch 3, giving access to ISE1 and ISE2 (Not pictured - need to complete topology)
4: ISE :-
  • Watch: INE video course http://streaming.ine.com/c/ccie-sc-ise--primer, and videos from ATC.
  • Read: Cisco ISE for BYOD and Secure Unified Access: BYOD Network Security with ISE
  • Do: Set up ISE(s) in UNetLab/ESXi - I don't think they will run natively in UNL.
  • Covering: Section 4: Identity Management
5: Set up Switch 2 and Switch 4, giving access to ACS1 and ACS2.
6: ACS :-
  • Watch: INE ATC videos
  • Read: Cisco Access Control Security: AAA Administration Services
  • Do: Set up ACS
  • Covering: Section 4: Identity Management
7: Set up ASAs - Now the fun really starts! I should be in a good position now to start opening up the network. We are ready to authenticate through ACS/ISE and WSA, and are working in an inside-out fashion, rather than outside-in.
  • Watch: INE ATC
  • Read: Cisco ASA: All-in-one Next-generation Firewall, IPS, and VPN Services
  • Do: Set up ASAs, for VLANs, failover/HA, transparent mode, routed mode and anything else I can think of.
  • Covering: Section 5: Perimeter Security and Services
8: VPNs
9: IPS
  • Watch: INE ATC
  • Read: Cisco ASA: All-in-one Next-generation Firewall, IPS, and VPN Services
  • Do: Set up IPS
  • Covering: Section 3: Intrusion Detection and Content Security (first half)
10: Hardening and availability
  • Watch: INE ATC
  • Read: Designing Network Security
  • Do: Set up hardened services on routers
  • Covering: Section 1: System Hardening and Availability
11: Wireless stuff
  • Watch: INE ATC
  • Read: Cisco Wireless LAN Security
  • Do: Set up Wireless components - vWLC, an AP, a wi-fi client
  • Covering: Section 6: Confidentiality and Secure Access
12: Miscellaneous other stuff - this needs to cover Section 2: Threat Identification and Mitigation
  • Watch: Not sure yet.
  • Read: Implementing Cisco IOS Network Security
  • Do: General protection
  • Covering: Section 2: Threat Identification and Mitigation
13: IPv4 and IPv6 routing protocol security. Although it's not stated explicitly, Section 1.1 does refer to IGP authentication, so with the aid of step 8 (VPNs), we can add on some IGPs and EGPs.
  • Do: Implement IGPs and set up authentication.
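As an added illustration of what step 13 involves (this is example configuration I have added, not something from the original post or from INE's workbooks), here is the progression from the weak to the preferred way of authenticating OSPF on IOS, plus OSPFv3 for the IPv6 side and a BGP neighbour for the EGP side. Interface names, process numbers, key-chain names, key strings and dates are all placeholders chosen for the example; the key-chain form with SHA-256 (RFC 5709) needs IOS 15.4(1)T or later, so check what your lab images support.

```text
! --- Weak: clear-text (Type 1) OSPF authentication. The key is sent in the
! --- clear in every hello, so anyone sniffing the segment recovers it.
! --- Worth configuring once just to see it in a capture, then remove it.
interface GigabitEthernet0/1
 ip ospf authentication
 ip ospf authentication-key s3cr3t
!
! --- Better: MD5 (Type 2). The key itself never crosses the wire, but the
! --- algorithm is legacy and the key cannot be rotated gracefully.
interface GigabitEthernet0/1
 no ip ospf authentication
 no ip ospf authentication-key
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 s3cr3t
!
! --- Preferred (IOS 15.4(1)T+): key chain with HMAC-SHA-256 and overlapping
! --- lifetimes, so a key can be rolled without dropping the adjacency.
! --- Note the accept window is wider than the send window on both keys.
key chain OSPF-KEYS
 key 1
  key-string OldKey-2015
  cryptographic-algorithm hmac-sha-256
  send-lifetime 00:00:00 1 Jan 2015 00:00:00 1 Jul 2015
  accept-lifetime 00:00:00 1 Jan 2015 01:00:00 1 Jul 2015
 key 2
  key-string NewKey-2015
  cryptographic-algorithm hmac-sha-256
  send-lifetime 00:00:00 1 Jul 2015 infinite
  accept-lifetime 23:00:00 30 Jun 2015 infinite
!
interface GigabitEthernet0/1
 no ip ospf authentication message-digest
 no ip ospf message-digest-key 1 md5
 ip ospf authentication key-chain OSPF-KEYS
!
! --- OSPFv3 (IPv6) has no authentication of its own; it uses an IPsec AH
! --- SA. SPI and key must match on both ends of the link. The 40-hex-digit
! --- SHA-1 key below is a placeholder, not a real key.
interface GigabitEthernet0/1
 ospfv3 1 ipv6 area 0
 ospfv3 authentication ipsec spi 256 sha1 0123456789abcdef0123456789abcdef01234567
!
! --- EGP side: TCP MD5 on the BGP session plus GTSM, so a spoofed packet
! --- from more than one hop away is discarded before the MD5 check.
router bgp 65001
 neighbor 203.0.113.2 remote-as 65002
 neighbor 203.0.113.2 password s3cr3t
 neighbor 203.0.113.2 ttl-security hops 1
!
! --- Verification
show ip ospf interface GigabitEthernet0/1
show ip ospf neighbor
show ospfv3 interface GigabitEthernet0/1
show ip bgp summary
debug ip ospf adj
```

Usage notes: `show ip ospf interface` reports the authentication type in use, and `debug ip ospf adj` is the quickest way to see an authentication type or key mismatch when a neighbour will not come up. Clocks matter once lifetimes are involved, so put NTP on the routers before testing key rollover, and remember that `key-string` and `neighbor ... password` sit in the running config in clear text unless `service password-encryption` (Type 7, trivially reversible) or a newer encrypted key store is in use.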
By this stage I should have gone back and forth, as the network expands, adding to and building on the WSA, ISE and ACS knowledge. As I go through the topology I will be changing it, and then when complete it will be published, definitely here, and probably on the UNL site as well. Then we get to the final stages.

14: Do written exam
15: Practice - do INE Security workbooks and full scale labs.
16: Lab - take the lab exam.
17: Profit? Re-take lab exam? Who knows!

I am not attaching any timelines to this at the moment though. I'll start doing that closer to the end.

What do you reckon? A workable plan? Missing anything?

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.
