Monday, September 28, 2009

Hints and tips for the CCIE Security from the guy who actually writes the tests!

Hi again guys,

Well, as you may have seen in my previous blog entry, I am at Networkers Brisbane, and in my techtutorial for CCIE Security my tutor was Yusuf Bhaiji, who actually writes the CCIE Security coursework. Here are some hints and tips I picked up:

  • There is no more Windows CA Server! Unlike the previous exams, where a Windows CA server was set up ready to use, in the new exam you must set up your own Crypto PKI server on the router itself. Easy enough, but something to keep in mind.
  • This is a common question, so it's nice to get an answer: for those of you who like using the ASDM and SDM, you will be unhappy to know that these are NOT enabled and CANNOT be enabled for the exam. The files are actually deleted off the flash drives of the routers and the ASAs. So NO GUIs for the routers or ASAs.
  • Having said that, however, you ARE allowed to use the GUI for IPS
  • IOS IPS version 5 is used
  • Don't underestimate the implicit and explicit troubleshooting questions that you will get
  • Don't underestimate the core knowledge questions, they are going to be difficult! Look for a book coming out in December from Yusuf featuring up to 300 sample core knowledge questions.
  • You must know virtualization on the IPS devices and multiple contexts on the ASAs, as these will feature HEAVILY in the exam
  • You must understand all the different types of VPN, including the new GETVPN, Dynamic VTI and VTI (I have done a blog post on VTI already and one is coming up for Dynamic VTI)
  • You will be asked to implement at LEAST three different types of VPNs, so know them backwards
  • You need to know about IPsec redundancy (another topic about that will be posted soon).
  • In the new version of IPS 6.1, all high-risk attacks are denied by default. Some questions will deliberately try to use this to trip you up, so watch out for it.
  • Control-plane and management-plane policing are heavily, heavily focused on, as these are new topics in this blueprint. You can always expect topics that are new to the blueprint to be tested heavily.
  • You will have 0 initial config done on the ACS Server
  • You can expect questions like "Someone has attempted to configure an IPsec tunnel between router X and ASA Y, but it is not working", and you will need to troubleshoot and resolve it (explicit troubleshooting)
  • You can expect questions like "the following traffic was captured during an attack earlier today", followed by a screenshot of a packet capture. You must identify the attack and use appropriate methods to mitigate the attack from occurring in the future, within the constraints given in the question (for example, something like "Due to your ISP's routing policy you must not use reverse-path forwarding to protect against this attack")

I hope this helps some of you out there!