CCIE Security LAB exam will update the outline


The outline for the new third edition of the CCIE Security LAB exam has been released and will be introduced in April 2009. There are not many hardware changes. The specific hardware, software versions and exam outline follow; the parts in red are new.

Hardware
  • Cisco 3800 Series Integrated Services Routers (ISR)
  • Cisco 1800 Series Integrated Services Routers (ISR)
  • Cisco Catalyst 3560 Series Switches
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco IPS Series 4200 Intrusion Prevention System sensors
  • Cisco Secure Access Control Server for Windows

Software
  • Cisco ISR Series running IOS Software Version 12.4T Advanced Enterprise Services feature set is used on all routers
  • Cisco Catalyst 3560 Series Switches running Cisco IOS Software Release 12.2(44)SE or above
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Version 8.x
  • Cisco IPS Software Release 6.1.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS for Windows Version 4.1

V3 Blueprint
Ⅰ Implement secure networks using Cisco ASA Firewalls
  • Perform basic firewall Initialization
  • Configure device management
  • Configure address translation (nat, global, static)
  • Configure Access Control List
  • Configure IP routing
  • Configure object groups
  • Configure VLANs
  • Configure filtering
  • Configure failover
  • Configure Layer 2 Transparent Firewall
  • Configure security contexts (virtual firewall)
  • Configure Modular Policy Framework
  • Configure Application-Aware Inspection
  • Configure high availability solutions
  • Configure QoS policies
Ⅱ Implement secure networks using Cisco IOS Firewalls
  • Configure CBAC
  • Configure Zone-Based Firewall
  • Configure Audit
  • Configure Auth Proxy
  • Configure PAM
  • Configure access control
  • Configure performance tuning
  • Configure advanced IOS Firewall features
Ⅲ Implement secure networks using Cisco VPN solutions
  • Configure IPsec LAN-to-LAN (IOS/ASA)
  • Configure SSL VPN (IOS/ASA)
  • Configure Dynamic Multipoint VPN (DMVPN)
  • Configure Group Encrypted Transport (GET) VPN
  • Configure Easy VPN (IOS/ASA)
  • Configure CA (PKI)
  • Configure Remote Access VPN
  • Configure Cisco Unity Client
  • Configure Clientless WebVPN
  • Configure AnyConnect VPN
  • Configure XAuth, Split-Tunnel, RRI, NAT-T
  • Configure High Availability
  • Configure QoS for VPN
  • Configure GRE, mGRE
  • Configure L2TP
  • Configure advanced Cisco VPN features
Ⅳ Configure Cisco IPS to mitigate network threats
  • Configure IPS 4200 Series Sensor Appliance
  • Initialize the Sensor Appliance
  • Configure Sensor Appliance management
  • Configure virtual Sensors on the Sensor Appliance
  • Configure security policies
  • Configure promiscuous and inline monitoring on the Sensor Appliance
  • Configure and tune signatures on the Sensor Appliance
  • Configure custom signatures on the Sensor Appliance
  • Configure blocking on the Sensor Appliance
  • Configure TCP resets on the Sensor Appliance
  • Configure rate limiting on the Sensor Appliance
  • Configure signature engines on the Sensor Appliance
  • Use IDM to configure the Sensor Appliance
  • Configure event action on the Sensor Appliance
  • Configure event monitoring on the Sensor Appliance
  • Configure advanced features on the Sensor Appliance
  • Configure and tune Cisco IOS IPS
  • Configure SPAN & RSPAN on Cisco switches
Ⅴ Implement Identity Management
  • Configure RADIUS and TACACS+ security protocols
  • Configure LDAP
  • Configure Cisco Secure ACS
  • Configure certificate-based authentication
  • Configure proxy authentication
  • Configure 802.1x
  • Configure advanced identity management features
  • Configure Cisco NAC Framework
Ⅵ Implement Control Plane and Management Plane Security
  • Implement routing plane security features (protocol authentication, route filtering)
  • Configure Control Plane Policing
  • Configure CP protection and management protection
  • Configure broadcast control and switchport security
  • Configure additional CPU protection mechanisms (options drop, logging interval)
  • Disable unnecessary services
  • Control device access (Telnet, HTTP, SSH, Privilege levels)
  • Configure SNMP, Syslog, AAA, NTP
  • Configure service authentication (FTP, Telnet, HTTP, other)
  • Configure RADIUS and TACACS+ security protocols
  • Configure device management and security
Ⅶ Configure Advanced Security
  • Configure mitigation techniques to respond to network attacks
  • Configure packet marking techniques
  • Implement security RFCs (RFC1918/3330, RFC2827/3704)
  • Configure Black Hole and Sink Hole solutions
  • Configure RTBH filtering (Remote Triggered Black Hole)
  • Configure Traffic Filtering using Access-Lists
  • Configure IOS NAT
  • Configure TCP Intercept
  • Configure uRPF
  • Configure CAR
  • Configure NBAR
  • Configure NetFlow
  • Configure Anti-Spoofing solutions
  • Configure Policing
  • Capture and utilize packet captures
  • Configure Transit Traffic Control and Congestion Management
  • Configure Cisco Catalyst advanced security features
Ⅷ Identify and Mitigate Network Attacks
  • Identify and protect against fragmentation attacks
  • Identify and protect against malicious IP option usage
  • Identify and protect against network reconnaissance attacks
  • Identify and protect against IP spoofing attacks
  • Identify and protect against MAC spoofing attacks
  • Identify and protect against ARP spoofing attacks
  • Identify and protect against Denial of Service (DoS) attacks
  • Identify and protect against Distributed Denial of Service (DDoS) attacks
  • Identify and protect against Man-in-the-Middle (MiM) attacks
  • Identify and protect against port redirection attacks
  • Identify and protect against DHCP attacks
  • Identify and protect against DNS attacks
  • Identify and protect against Smurf attacks
  • Identify and protect against SYN attacks
  • Identify and protect against MAC Flooding attacks
  • Identify and protect against VLAN hopping attacks
  • Identify and protect against various Layer2 and Layer3 attacks