News Stay informed about the latest enterprise technology news and product updates.

Seven questions for Cisco's CCIE security track manager

CCIE security track version 4 is approaching and will include new Cisco ASA firewall features and troubleshooting information. Cisco's CCIE security track manager explains.

Cisco's CCIE security track version 4.0 is fast approaching, and with it will come new exams that include questions on new Cisco ASA features and troubleshooting information. In this interview, CCIE security track manager Natalie Timms offers perspective on the track's future.

What technologies are covered in the CCIE security track these days?

Natalie Timms: All of the CCIE exams offer what are called blueprints. The blueprint offers an outline of the higher level topics that you can expect to be asked about in an exam. In the exam version 3 blueprints we have sections on firewalls, VPN, IPS/IDS and identity -- things like RADIUS, TACACS, and Cisco Secure. Then we’ve got sections about locking down and hardening devices -- control plane policing, management plane protection, etc. We also cover how to tweak various knobs on devices, and what those knobs really do to protect things like your CPU from attack. Then we have a section on advanced security, covering topics like NAT and using QoS to deflect attacks. The candidate is expected to understand the various types of attacks that could occur in a network and on network devices, and how to enable network devices to not only prevent those attacks, but also to audit them, keep an audit trail and go back later to act on them.

The CCIE security track has been at version 3 since April 2009. How far away are we from version 4?

Timms: I’m in the process of developing what will be version 4.0. It is quite a lengthy process. It takes quite a while to develop the content and get all the feedback we need. I think that the most important thing to remember is that when you’re looking to advance a major revision, you need to give the candidates at least six months notice that there’s going to be a change. What we’ll do is announce the new blueprint for version 4, and that blueprint will be available for at least six months before we go live with the exams.

When will candidates see the Cisco ASA 8.3/8.4 versions appear on the CCIE Security exams?

Timms: It will be in the new version of the exam. Once we come up with a blueprint for a version, it will give an idea of the types of features that you’re going to be asked about. [Until then] it’s not really fair to candidates to all of a sudden start slipping in different [questions].

Is Cisco working with Cisco Press to bring a new CCIE Security Official Exam Certification Guide to market? Are we going to see a 3.0 version released, or will we skip to a 4.0 track book?

Timms: The next book is going to be tied to the 4.0 track. I think that’s really where we need to go because we have more of a focus on troubleshooting. That way it’s not just a book about configuration and basic security features. I’ve got the right amount of time to make sure something’s published around the same time or maybe a little bit after the exams’ release.

What is Cisco doing to maintain CCIE exam integrity?

Timms: You sometimes hear of folks who pass the exam because they’ve been really good rote learners. What we’re going to see with the exams going forward is that it gets harder and harder to [pass] by just memorizing answers. We want you to be able to think.

The other important thing with the exams is that not everybody gets the same version of the exam. There are a number of different versions, the main reason being to mitigate the cheating. I spend a lot of time looking at stats as well as pass rates, and getting information about where we think there might be some cheating going on. You hear of folks spending thousands of dollars getting questions and answers from websites. But you know what? Once you’re actually in the hot seat and you’re at work with a problem and you can’t [solve it], you’re the only one that’s going to look like an idiot.

What’s the current state of the open-ended questions (OEQs) and troubleshooting sections that have been a source of frustration to some lab candidates?

Timms: The OEQs were brought in as a way to mitigate some of the cheating that was going on. They haven’t been very popular. You have to be really careful asking [these] questions because you can’t let a lot of subjectivity come into the grading. Someone might show that they know about a particular topic, but perhaps English is not their first language or they struggle to express themselves. People don’t want to feel that they were marked incorrectly because they were unable to articulate an answer. I believe it’s a relief to some people that these OEQs are now gone, and instead we’ve brought in more troubleshooting questions. I say  ‘more’ because there were already a number of troubleshooting questions in the existing exams. The exam is weighted so that roughly 30% of your mark comes from troubleshooting questions, the other 70% coming from configuration.

Is there a lot of technology overlap between the CCIE routing and switching and security tracks?

Timms: There is some overlap, but it’s fairly minor. There’s an expectation that you not only know how routing and switching works, but also how to make changes on switches and routers that are outside of the range of the simpler security features. The routing and switching track does have sections on security, but it's really focused on features you use to secure generic routing and switching functions. They are limited to the security features available in Cisco IOS, and they tend to be no-brainer features to turn on. But what you’ll find is that there’s nothing on how to configure a security appliance like a Cisco ASA firewall. There’s not a lot of real heavy-duty locking down of CPU and management plane protection type of features. Some of the more advanced security attacks are not found in the routing and switching track, either.

You can find out more about the CCIE Security track by visiting Learning at Cisco.

About the author: Ethan is a network engineer, blogger and CCIE #20655. He's also a host on Packet Pushers, an independent podcast covering the data networking industry. Follow Ethan at or @ecbanks on Twitter for social networking.

Dig Deeper on Mobile and wireless network technology

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.