Taking Another Shot At The Title: CCIE Security

Good morning to all my readers out there (at least it is morning for me)! Some of you have reached out to me and wondered what has been going on lately.  I know there has been a lack of fresh content on the site lately.  Rest assured, I am still here and have not fallen off the map.  I am still very much interested in writing technical content on the blog, but there are new things coming to light!

First off, my hosting provider may be changing at a moment's notice.  With that in mind, I have mostly held off on posting since the last database backup.  Hopefully, if and when this does happen, I can figure out how to migrate the site over without too many issues.

Secondly, I’ve been INSANELY BUSY.  I have finally followed my own advice and fully committed to taking a run at CCIE security.  Why?  Well, there are a few reasons I will outline here in a second.  Work has also been picking up.  New years and new annual budgets tend to do that.  The good news is, many of the things on my personal plate for the work year revolve around security.

Now, let's talk about why I am doing this all of a sudden.  First and foremost, it is because I love the technology and have always been interested in network security.  I am also obsessed with learning Cisco technology, and just about all of it interests me.  After doing my first CCIE, I always envisioned trying for more.  The security track is probably the CCIE track that best matches my day-to-day work nowadays as well.  I've been putting off learning firewalls, IPS and other topics for far too long because I was always strictly focused on R&S and there was usually a dedicated security group taking care of it.  Since starting my new job, I have become pretty familiar with the ASA firewalls, and they are something I help manage on a day-to-day basis. As usual, I just have a thirst for the knowledge, and it is exciting to go after something new.

Secondly, I passed the security written in February 2011, which means I have to take a run at the lab by August this year or retake the written.  There are also very strong rumors about a revised security blueprint coming at any moment now.  Most people out there believe there will be significant changes.  I am fortunate enough to have the full gamut of materials from both IPexpert and Internetwork Expert.  I have all the workbooks, all the video on demand, and have secured rack time with both vendors.  When I look at that, I see opportunity.  To me, it would be a real shame if I sat dormant and let all that great content go to waste without even trying.  With that being said, I went ahead and booked a lab date.  You don't need to pay until 90 days before the lab.  Worst case scenario, I could always cancel with no penalty before that.  On the plus side, I have my lab date reserved so that if and when a blueprint change comes, my seat is still secured.

So, I have been diving in head first.  I am in for a challenge.  When I did CCIE R&S, I had my entire career of experience beforehand.  Many topics I was at least vaguely familiar with or worked with on a day-to-day basis.  Security is a whole different ballgame.  I am learning many of the concepts from the ground up, which can be intimidating.  For my first CCIE, it took me about 10 months, and in those 10 months I did nothing but hardcore studying.  This time around, I am trying for a more balanced approach.  I am looking at roughly a 20-hour-a-week study schedule.  One major challenge is time.  Not only am I attempting to be more balanced in my studies, but I am attempting to do it in less time.  The good news is, once you have a CCIE you know what to expect, and there is generally less pressure.  At least that is my perspective.  Also, some topics do overlap with CCIE R&S v4.0, which as most of you know I taught for about a year (IOS "classic FW", IOS ZBFW, IOS IPS, ACLs, basic routing/switching, and L2 Catalyst security topics, to name a few).  I am a bit rusty on some of those topics, and some will require a much greater depth of knowledge, but at least I have a strong foundation.

I have been diving hard into virtualization this time. Originally, I didn't think I would be able to book rack time, so I was trying very hard to get an emulated rack up and running.  I had used dynamips before, but not enough to do anything with it beyond basic testing.  I have been really busy building a virtual lab.  I put together an Ubuntu Linux server with 8GB of RAM and an Intel Core 2 Q6600 quad-core processor to run everything on.  The box runs dynamips and dynagen (no GNS3), VMware Player and qemu.  Dynamips runs the routers and "switches" (3725 routers with 16-port switch modules), VMware Player runs Windows 2003 and Windows XP Pro virtual machines for the ACS server and the test PC, and qemu runs a pair of ASAs on 8.0(2) plus the IPS.  After a lot of time and hacking away, I have figured out how to automate basically everything.  I have a nice shell script that can fire up virtual racks modeled after the INE, IPX, or Yusuf's security topology.  A few hacks to VMware Player even let me start and stop the VMs from the command line without ever seeing them pop up graphically on the screen (look into vmrun and the VMware VIX API).  It's a beautiful thing. When all is said and done, I can run a full INE topology (routers, firewalls, servers, IPS) at about 30% CPU load simply by running a shell script.  That is with the ATC topology running, so there are routing protocols, etc. going on in there.
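To make the automation idea concrete, here is an added example of what such a rack-control script can look like. It is not the author's script and not part of the original post; it assumes dynagen topology files named `<topology>.net` under `$RACK_DIR`, VMware Player VMs under `$RACK_DIR/vms/<name>/<name>.vmx`, and the placeholder VM names `acs-win2k3` and `testpc-winxp`. The `vmrun -T player start ... nogui` and `vmrun -T player stop ... soft` calls are the VIX command-line interface the paragraph refers to; `dynamips -H 7200` starts the dynamips hypervisor on its default port so dynagen can load the topology into it. A `DRY_RUN=1` mode prints the commands instead of executing them so the plan can be reviewed before a rack is touched.

```shell
#!/bin/sh
# Added example (not the author's script): bring a virtual CCIE security rack up
# or down. Routers come from dynamips/dynagen, the ACS server and test PC are
# VMware Player VMs driven headlessly through vmrun (VIX). The ASA/IPS qemu
# launch is deliberately left out because it depends on the specific images.
# RACK_DIR layout, topology names and VM names below are assumptions.

RACK_DIR="${RACK_DIR:-$HOME/vracks}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Which VMs each topology needs (placeholder names; all three use the same pair here).
rack_vms() {
    case "$1" in
        ine|ipx|yusuf) echo "acs-win2k3 testpc-winxp" ;;
        *)             return 1 ;;
    esac
}

# Start the dynamips hypervisor in the background on its default port (7200).
start_hypervisor() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "dynamips -H 7200 &"
    else
        dynamips -H 7200 >"$RACK_DIR/dynamips.log" 2>&1 &
        sleep 2   # give the hypervisor a moment to listen before dynagen connects
    fi
}

rack_up() {
    topo="$1"
    vms=$(rack_vms "$topo") || { echo "unknown topology: $topo" >&2; return 1; }
    start_hypervisor
    # Headless start of each VM: "nogui" keeps the Player window off the screen.
    for vm in $vms; do
        run vmrun -T player start "$RACK_DIR/vms/$vm/$vm.vmx" nogui
    done
    # Load the router topology into the running hypervisor.
    run dynagen "$RACK_DIR/$topo.net"
}

rack_down() {
    topo="$1"
    vms=$(rack_vms "$topo") || { echo "unknown topology: $topo" >&2; return 1; }
    # "soft" asks the guest OS to shut down cleanly instead of pulling the plug.
    for vm in $vms; do
        run vmrun -T player stop "$RACK_DIR/vms/$vm/$vm.vmx" soft
    done
    run pkill dynamips
}

# Command-line entry point: ./vrack.sh up ine | ./vrack.sh down ine
if [ "$#" -gt 0 ]; then
    case "$1" in
        up)   rack_up "$2" ;;
        down) rack_down "$2" ;;
        *)    echo "usage: $0 up|down <topology>" >&2; exit 1 ;;
    esac
fi
```

Try `DRY_RUN=1 ./vrack.sh up ine` first to see the exact commands it would issue; the same topology-to-VM mapping then drives both startup and a clean shutdown.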

I won't lie, the ASA and IPS take a LOT of work to figure out how to run.  Even then, it is far from perfect. You have to accept the fact that it is an emulation, and some things just are not going to work, at least right now.  In my opinion, this is NOT a replacement for practice on real ASAs, but once you put in the time, effort, pain and frustration, there is a LOT you can do with the emulation.  I have to give a personal shout out and thanks to Antonio Soares (CCIE #18473) for helping me with the emulation setup.  He has been a real big help to me on that front.

Aside from pulling my hair out putting together the vracks, all my other time has been spent starting to study the ASA topics.  I am just getting to the point now where I will be starting some WB1 / Volume 1 labs on the ASA.

As I find the time, I am going to be posting technical things on this blog related to my CCIE security journey.  This is a bit of a different flavor than what most of you are probably used to.  The truth is, this site is also a benefit to me.  It is a place for me to put my thoughts and the things I learn on paper.  In the near future, you will probably see a lot of security-related posts outlining little mini-labs I have been working on, or the basics of some technologies.  Remember, right now I am not the teacher, just another student trying to learn, so it is what it is.  To become the master, you must first become the student : )


16 Comments

  • Big Evil says:

    Best of luck Joe – look forward to seeing you pass!

  • Lorenzo Mainardi says:

    How do you get all the training material from IPexpert and Internetwork Expert?
    Is it your corporate account?

    • Joe Astorino says:

      @Lorenzo — You pay for it, win a contest, or you barter legitimately with the vendor. I have firsthand experience authoring workbooks and training material. Much time, money, blood, sweat and tears is put into developing top notch products like that. The very least you can do is have the decency to pay for the products you use to help you get certified. I do assume you like getting paid for your work, right?

      • Lorenzo Mainardi says:

        Hi Joe, I read your blog frequently and I think it is one of the best in networking.
        Maybe my poor English caused a misunderstanding: I wanted to ask if there is a full access pass (obviously paying money) for the products that you are using. I didn't know about this kind of access.

        • Joe Astorino says:

          @Lorenzo – Sorry if I misunderstood your intentions. Sometimes that is easy to do on the internet. I know INE offers an all access pass for $159 a month that gives you access to all their stuff. IPX I am not sure, but I am sure they at least have an “end to end” type program for each of the tracks that gives you a package containing everything you would need.

          Good luck!

          • Lorenzo Mainardi says:

            Thanks for the info: $159 is a good price for one month, specially if you live in Europe :-)

  • Neil O'Brien says:

    Hey Joe,
    Firstly, I have to say I'll miss the R&S posts but look forward to an insight into the security side of the fence.
    Secondly, you say you’re looking at a 20hr study week. I’m curious how you break that schedule up in terms of work/home/life balance.
    Thirdly, g’luck!!
    Thanks,
    Neil

  • Roy Waterman says:

    Good luck Joe.
    With the dedication you have, it’s only a matter of time.

  • Kim Pedersen says:

    Good luck on your endeavor Joe.

    You helped me out when I started my journey for the R&S exam and now I'm also thinking about getting into a second track.

    I am a bit reluctant though, since everything points to a refresh of the track and I don't want to go ahead and spend a lot of $ on equipment that might not cut it for the new version.

    Anyways, I'm looking forward to following your progress.

  • rizal.ferdiyan says:

    Joe,

    I have read in cisco site (http://www.cisco.com/web/learning/le3/ccie/policies/index.html#pay) that

    ----- output omitted -----

    "Due Date. Full payment must be received at least 90 days before the lab exam date. Only one e-mail notice is sent as a payment reminder. Payments generally take one to seven business days to process, so be sure to initiate payment in advance of the due date. It is important that if payment will be made by wire transfer, that the payment is scheduled well in advance to prevent the lab date being dropped. Exams for which payment is not received by the due date will be automatically dropped from the schedule. If you still wish to take the lab, you must rebook the exam online and complete your payment. There is no guarantee that your original date will still be available once it has been dropped for non-payment. If you book an exam for a date less than 90 days away, you must complete payment on the day you book the exam or the registration cannot be submitted. Candidates are ultimately responsible for making the lab payment in a timely manner and Cisco will not be held liable for any candidates automatically dropped due to non-payment."

    ----- output omitted -----

    "Full payment must be received at least 90 days before the lab exam date." So does this mean I can't register and pay for the CCIE Security Lab within 90 days of the CCIE lab exam? If I want to register and pay for the CCIE 2 months after this day, I can't because of that policy?

    But I got info from your site (http://astorinonetworks.com/2012/01/31/taking-another-shot-at-the-title-ccie-security/)
    where he says "You don't need to pay until 90 days before the lab", so does this mean I can pay within 90 days of the CCIE lab exam?

    Please give any clue Joe …. :)

    Thank U

    BR

    • Joe Astorino says:

      You must pay for the lab 90 days before you attempt. You can pay at any point prior to that, and do not have to pay until that point. When your lab is 90 days out you must have it paid in full.

  • Jasper Arevalo says:

    Hi Joe,

    Good luck on your CCIE Security track, I'm currently also planning to get my 2nd CCIE, which is Security. Do you have any recommended reading list for the Security track? And do you think using INE and IPX materials is enough?

    Thanks,

    • Joe Astorino says:

      Hi Jasper,

      I have temporarily thrown in the towel, so to speak. With the blueprint change, and working on several high profile projects at work, I just did not feel ready to sit the beast at the end of July. I plan on waiting for good solid material on v4.0 and then maybe jumping back into the ring. If you are going for the v3.0 lab, I know that several people have been passing recently using the materials from both IPX and INE. Best of luck to you!

  • rhonin powers says:

    Joe,
    I am completing my master's in IT Security; however, I want to begin working the CCIE Security track. However, it's been difficult for me to find information on hardware (if you were ambitious/foolish enough) to attempt to build your own. Which I am...can you point me to a resource or list? I gave GNS3 a quick look...but for me real hardware, in spite of the high dollar costs, is the only way I can think of approaching this considering the challenge of completing successfully.

  • rhonin powers says:

    Follow up to my last post... To clarify, I am wanting to understand as clearly as possible the # of devices, as the blueprint page does detail the type. Different companies appear to have different security pod configs.

    I hope this helps clarify my question a bit more.

    thx.

    • Joe Astorino says:

      The exact number of devices for v3.0 is well known and public information, but I assume you are going for v4.0. At the moment, all the major training vendors are working on updating their products and rack rental equipment to support v4.0 topologies. I have not heard any definitive information on the number of devices, but based on the blueprint, I would expect at least 6 routers, 2 switches, 4 ASA firewalls (8.2 and 8.4+ code are covered and you probably need to deal with failover as well...not to mention both the 5500 and 5500-X series are also covered), an IronPort web security appliance, an ISE appliance, an ACS 5.3 server, and an IPS 4200 series sensor. The blueprint is pretty clear on what devices and code versions, just not necessarily how many. I think we will see some great topologies in the months to come from the various training vendors. Keep your eyes peeled.
