CCIE Security Topics and Reading list

I have started to get my reading list ready. I definitely need to get some more shelving in the house.

I think it might be easier to break each section down, and find the appropriate books and documents. That way I can work on the essential books first.

There are six major sections in the CCIE Security exam. You can download the complete list of topics from here. The reading lists I will be using are from Cisco, and from INE.

Section 1.0 System Hardening and Availability

  • 1.1 Routing plane security features (for example, protocol authentication and route filtering)
  • 1.2 Control Plane Policing
  • 1.3 Control plane protection and management plane protection
  • 1.4 Broadcast control and switch port security
  • 1.5 Additional CPU protection mechanisms (for example, options drop and logging interval)
  • 1.6 Disable unnecessary services
  • 1.7 Control device access (for example, Telnet, HTTP, SSH, and privilege levels)
  • 1.8 Device services (for example, SNMP, syslog, and NTP)
  • 1.9 Transit traffic control and congestion management

Fairly general protection. There are a couple of books that will work here: Implementing Cisco IOS Network Security, and Designing Network Security (Second Edition). The first book is part of the CCNA series, so the second book might be a better option.

Essential purchase: Designing Network Security.

Section 2.0 Threat Identification and Mitigation

  • 2.1 Identify and protect against fragmentation attacks
  • 2.2 Identify and protect against malicious IP option usage
  • 2.3 Identify and protect against network reconnaissance attacks
  • 2.4 Identify and protect against IP spoofing attacks
  • 2.5 Identify and protect against MAC spoofing attacks
  • 2.6 Identify and protect against ARP spoofing attacks
  • 2.7 Identify and protect against DoS attacks
  • 2.8 Identify and protect against DDoS attacks
  • 2.9 Identify and protect against man-in-the-middle attacks
  • 2.10 Identify and protect against port redirection attacks
  • 2.11 Identify and protect against DHCP attacks
  • 2.12 Identify and protect against DNS attacks
  • 2.13 Identify and protect against MAC flooding attacks
  • 2.14 Identify and protect against VLAN hopping attacks
  • 2.15 Identify and protect against various Layer 2 and Layer 3 attacks
  • 2.16 NBAR
  • 2.17 NetFlow
  • 2.18 Capture and utilize packet captures

Network Security Principles and Practices has good coverage of NBAR. Most of these attacks are fairly easy to mitigate; I just need a decent explanation for those tricky written exam questions. This is where the CCNA study material will come in useful.

Essential purchase: Implementing Cisco IOS Network Security

Section 3.0 Intrusion Prevention and Content Security

  • 3.1 Cisco IPS 4200 Series Sensor appliance and Cisco ASA appliance IPS module
  • 3.1.a Initialize the sensor appliance
  • 3.1.b Sensor appliance management
  • 3.1.c Virtual sensors on the sensor appliance
  • 3.1.d Implement security policies
  • 3.1.e Promiscuous and inline monitoring on the sensor appliance
  • 3.1.f Tune signatures on the sensor appliance
  • 3.1.g Custom signatures on the sensor appliance
  • 3.1.h Actions on the sensor appliance
  • 3.1.i Signature engines on the sensor appliance
  • 3.1.j Use Cisco IDM and Cisco IME to manage the sensor appliance
  • 3.1.k Event action overrides and filters on the sensor appliance
  • 3.1.l Event monitoring on the sensor appliance
  • 3.2 VACL, SPAN and RSPAN on Cisco switches
  • 3.3 Cisco WSA
  • 3.3.a Implement WCCP
  • 3.3.b Active Directory integration
  • 3.3.c Custom categories
  • 3.3.d HTTPS configuration
  • 3.3.e Services configuration (web reputation)
  • 3.3.f Configure proxy bypass lists
  • 3.3.g Web proxy modes
  • 3.3.h Application visibility and control

Luckily I have done a fair bit of work on IPS modules; nevertheless, I'll need something to fill in my weak areas. The ASA book, Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services, will be good here.

Best Cisco ASA book

In terms of the WSA there is a good document from Cisco.

Essential purchase: Cisco ASA: All-in-one Next-generation Firewall, IPS, and VPN Services
Essential download: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-1/user_guide/Cisco_IronPort_AsyncOS_7-1-0_User_Guide_for_Web_Security_Appliances.pdf


Section 4.0 Identity Management

  • 4.1 Identity-based AAA
  • 4.1.a Cisco router and appliance AAA
  • 4.1.b RADIUS
  • 4.1.c TACACS+
  • 4.2 Device administration (Cisco IOS routers, Cisco ASA, and Cisco ACS5.x)
  • 4.3 Network access (TrustSec model)
  • 4.3.a Authorization results for network access (ISE)
  • 4.3.b IEEE 802.1X (Cisco ISE)
  • 4.3.c VSAs (Cisco ASA, Cisco IOS, and Cisco ISE)
  • 4.3.d Proxy authentication (Cisco ISE, Cisco ASA, and Cisco IOS)
  • 4.4 Cisco ISE
  • 4.4.a Profiling configuration (probes)
  • 4.4.b Guest services
  • 4.4.c Posture assessment
  • 4.4.d Client provisioning (CPP)
  • 4.4.e Configure Microsoft Active Directory integration and identity sources

Clearly the winner here will be Cisco ISE for BYOD and Secure Unified Access: BYOD Network Security with ISE. The clue is in the title. The other one will be Cisco Access Control Security: AAA Administration Services. Two obvious choices.

Essential purchase: Cisco ISE for BYOD and Secure Unified Access: BYOD Network Security with ISE
Essential purchase: Cisco Access Control Security: AAA Administration Services

Section 5.0 Perimeter Security and Services

  • 5.1 Cisco ASA firewalls
  • 5.1.a Basic firewall Initialization
  • 5.1.b Device management
  • 5.1.c Address translation
  • 5.1.d ACLs
  • 5.1.e IP routing and route tracking
  • 5.1.f Object groups
  • 5.1.g VLANs
  • 5.1.h Configure EtherChannel
  • 5.1.i High availability and redundancy
  • 5.1.j Layer 2 transparent firewall
  • 5.1.k Security contexts (virtual firewall)
  • 5.1.l Cisco Modular Policy Framework
  • 5.1.j Identity firewall services
  • 5.1.k Configure Cisco ASA with ASDM
  • 5.1.l Context-aware services
  • 5.1.m IPS capabilities
  • 5.1.n QoS capabilities
  • 5.2 Cisco IOS zone-based firewall
  • 5.2.a Network, secure group, and user-based policy
  • 5.2.b Performance tuning
  • 5.2.c Network, protocol, and application inspection
  • 5.3 Perimeter security services
  • 5.3.a Cisco IOS QoS and packet-marking techniques
  • 5.3.b Traffic filtering using access lists
  • 5.3.c Cisco IOS NAT
  • 5.3.d uRPF
  • 5.3.e Port to Application Mapping (PAM)
  • 5.3.f Policy routing and route maps

The ASA part is obvious, and already recommended in section 3. For the zone-based firewall? Not sure what the best book is. It's kind of an old technology now, so I'll be using the Cisco white paper referenced below.

Essential download: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

Section 6.0 Confidentiality and Secure Access

  • 6.1 IKE (v1/v2)
  • 6.2 IPsec LAN-to-LAN (Cisco IOS and Cisco ASA)
  • 6.3 DMVPN
  • 6.4 FlexVPN
  • 6.5 GET VPN
  • 6.6 Remote-access VPN
  • 6.6.a Cisco EasyVPN Server (Cisco IOS and Cisco ASA)
  • 6.6.b VPN Client 5.X
  • 6.6.c Clientless WebVPN
  • 6.6.d Cisco AnyConnect VPN
  • 6.6.e Cisco EasyVPN Remote
  • 6.6.f SSL VPN gateway
  • 6.7 VPN high availability
  • 6.8 QoS for VPN
  • 6.9 VRF-aware VPN
  • 6.10 MACsec
  • 6.11 Digital certificates (enrollment and policy matching)
  • 6.12 Wireless access
  • 6.12.a EAP methods
  • 6.12.b WPA and WPA2
  • 6.12.c wIPS

Easy VPN is covered pretty well in Advanced IPSec VPN Design. The Complete Cisco VPN Configuration Guide covers a lot of the rest; however, both seem to be a little light on FlexVPN and GET VPN. My own book, VPNs and NAT for Cisco Networks, covers DMVPN pretty well. MACsec is covered well in this document. I do need to find a decent wireless book to cover 6.12. Cisco Wireless LAN Security seems like the obvious choice.

Essential purchase: The Complete Cisco VPN Configuration Guide
Essential purchase: Advanced IPSec VPN Design
Essential purchase: Cisco Wireless LAN Security

There are some notable exceptions. The Cisco guidelines for the CCIE Security v4 exam make no mention of IPv6. I am sure this will probably appear somewhere. The v4 is only a couple of years old, so there must be some IPv6 in it somewhere. The book IPv6 Security seems like an obvious choice.

So now we have a workable book list. It is fairly short, but here it is; the ones with a red star are the ones I have already purchased. The links will take you to the appropriate Amazon page, in case you are joining me on this trip!

Designing Network Security (2nd Edition)
Implementing Cisco IOS Network Security
*Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services (3rd Edition)
*Cisco ISE for BYOD and Secure Unified Access
*Cisco Access Control Security: AAA Administration Services (Networking Technology)
*The Complete Cisco VPN Configuration Guide
*Advanced IPSec VPN Design
Cisco Wireless LAN Security

IPv6 Security

Not too bad! It will also be nice to add a little color to the bookshelves and get some orange in there.

If you can think of any essential books I should add then please comment below.