Evolution of CCIE Security

I have been teaching the CCIE Security track since it started and have taught all the versions including the current one, version 6, which I continue to teach.

Today, I am going to share some of my experiences and insights regarding the evolution of CCIE Security. I believe it will be interesting for Network Engineers to have this background knowledge.

My Journey with CCIE

I have been privileged (i.e., am old enough now ;-) ) to have worked and taught in the IT field since the early 1990s. I have seen networks & network security evolve from being a luxury item into a necessity.

In 2003, I passed my CCIE Security exam, which was version 1 at the time. It was predominantly a Routing & Switching exam with a bit of Security added on top. I also passed my CCIE Routing & Switching exam around the same time.

CCIE Security v1: The Beginning

At the time of CCIE Security v1, 65% of the two exams were almost identical. L2 technologies made up 30% of the exam, which included Ethernet Switches, Frame Relay and ATM Switches. IGPs made up another 30%. Believe it or not, 15% of the CCIE Security v1 exam was BGP. Only the last 35% of the exam was the Security part!

The Security portion included basic IPSec/GRE VPNs, PIX Firewall (Basic Initialization), and a section on the Router-based IDS (IOS-IDS).

Right from the start, Cisco made a decision to take an evolutionary path rather than a revolutionary one. This eased engineers into the new field of Network Security rather than forcing the change on them overnight. When I reflect on it, I think this was a really smart business decision on Cisco's part.

CCIE Security v2: The Next Phase

The next phase came with the introduction of additional security devices to the topology. CCIE Security v2 included the Cisco IDS & VPN Concentrator devices. VPN Concentrator was the first device from Cisco that had the Web VPN capability. With this version, you could start to see the shift from Routing & Switching to Security as a standalone stream.

CCIE Security v3: Introduction of the ASA Firewall

The next major security device introduced to the CCIE Security exam was the ASA Firewall. This was done in CCIE Security version 3. The ASA has been an integral part of the CCIE Security exam since then.

CCIE Security v4: Towards a Full-Blown Security Exam

Version 4, released in 2012, saw the introduction of the ISE, WLC & WSA devices to the exam. CCIE Security v4 was when the exam started to feel like a full-blown Security exam with little or no direct correlation with Routing / Switching. Over the course of 4 evolutions, Cisco had fully established Security as a standalone CCIE track with little overlap with Routing and Switching.

CCIE Version 5: The Introduction of Firepower Devices

CCIE Version 5 saw the introduction of the Firepower devices (FTD & NG-IPS). It also saw the inclusion of the ESA device. Although these devices were introduced, the coverage was light. The main firewall being used was still the ASA.

CCIE Version 6: The Current Version

CCIE Version 6, the current version, which was released in 2020, is similar to version 5 in terms of the devices being tested. ASA was the main firewall in CCIE Security v5; in v6 the focus shifts to the FTD as the firewall. The ESA should also see broader coverage in this exam. But the main difference, in my opinion, is the introduction of the Design element to the exam. They want you to understand the technologies beyond just configuring the devices. For example, given a customer requirement, you should be able to pick the appropriate technology to fulfill that requirement.

Understanding Network Security

In my opinion, network security is not implemented by using one magic device. It is a layered approach to securing your network at different levels against different threats. You need perimeter protection using Firewalls (FTD, ASA); you need IPS devices to analyze incoming packets against a database of known network attacks (FTD, NG-IPS); you need to ensure e-mails coming into your network are clean (ESA); you need to verify that the devices logging into internal networks are authorized (ISE); you need to ensure that your internal users are visiting sites that follow the corporate policy (WSA); and you need your external communication to be protected (VPNs). I personally like and agree with Cisco's decision to focus on Design, as it makes the learning required to pass the exams more relevant to real-world implementations. After all, these certifications are meant to train engineers for the everyday problems they face in their work environments.

The Current CCIE Security

The current CCIE Security has been designed to enhance your knowledge on all fronts. It exposes you to various devices and technologies.

The Benefits of Embarking on the CCIE Security Journey

Based on my personal experience as well as the combined experience of thousands of students that I have taught, I can assure you that embarking on the CCIE Security journey will make you a better security engineer.

Got Questions?

Please feel free to ask any follow-up questions that you may have; I will try to answer them to the best of my knowledge.

Cheers,
Khawar