Evolution of CCIE Security

I have been teaching the CCIE Security track since it started and have taught all the versions including the current one, version 6, which I continue to teach. I am going to share some of my experiences and insights regarding the evolution of CCIE Security as I think it will be interesting for Network Engineers to have this background knowledge.

I have been privileged [i.e. am old enough now ;-) ] to have worked and taught in the IT field since the early 1990s. I have seen networks & network security evolve from being a luxury item into a necessity. I passed my CCIE Security exam in 2003; that was CCIE Security v1. It was predominantly a Routing & Switching exam with a bit of Security added on top. I also passed my CCIE Routing & Switching exam around the same time. At this time, 65% of the 2 exams were almost identical. L2 technologies made up 30% of the exam. This section included Ethernet Switches, Frame Relay and ATM Switches as well. The next big section was IGPs, another 30%. Believe it or not, 15% of the CCIE Security v1 exam was BGP. Only the last 35% of the exam was the Security part! The Security part included basic IPSec/GRE VPNs, PIX Firewall (Basic Initialization), and a section on the Router-based IDS (IOS-IDS).

Right from the start, CISCO made a decision to take an evolutionary path rather than a revolutionary one by easing engineers into the new field of Network Security rather than forcing the change on them overnight. When I reflect back on it, I think this was a really smart business decision on CISCO's part.

The next phase came with the introduction of additional security devices to the topology. CCIE Security v2 included the Cisco IDS & VPN Concentrator devices. The VPN Concentrator was the first device from Cisco that had the Web VPN capability. With this version, you could start to see the shift from Routing & Switching to Security as a standalone stream. There was a considerable cut-down in the Routing and Switching related questions in the exams. The ACS Server was also introduced in this version. Although the ACS Server was present in the v1 topology, it was in the backbone and was pre-configured. This exam also included a heavier dose of VPNs, including the mGRE/DMVPN type of VPNs.

The next major security device introduced to the CCIE Security exam was the ASA Firewall. This was done in CCIE Security version 3. The ASA has been an integral part of the CCIE Security exam since then. It is still an important part of the current version. This exam also saw the introduction of VPN technologies like GET VPN and EZVPN.

Version 4, released in 2012, saw the introduction of the ISE, WLC & WSA devices to the exam. CCIE Security v4 was when the exam started to feel like a full-blown Security exam with little or no direct correlation with Routing / Switching. Over the course of 4 evolutions, CISCO had fully established Security as a standalone CCIE track with little overlap with Routing and Switching. You still needed to have a solid Routing & Switching foundation but the topics were not tested like they were prior to this version. The Flex VPN & IKEv2 technologies were also included in the exam.

CCIE Version 5 saw the introduction of the Firepower devices (FTD & NG-IPS). It also saw the inclusion of the ESA device. Although these devices were introduced, the coverage was light. The main firewall being used was still the ASA. The emphasis for VPNs was on Flex VPN, AnyConnect Remote-Access VPN & GET VPN. ISE also started to have a bigger footprint on these exams.

CCIE Version 6, the current version which was released in 2020, is similar to version 5 in terms of the devices being tested (remember evolution and not revolution is CISCO's mantra). ASA was the main firewall in CCIE Security v5. The focus of this exam will be on the FTD as the firewall. The ESA should also see bigger coverage in this exam. But the main difference in my opinion is the introduction of the Design element to the exam. They want you to understand the technologies beyond just configuring the devices. For example, given a customer requirement, you should be able to pick the appropriate technology to fulfill the requirement.

In my opinion, network security is not implemented by using one magic device. It is a layered approach to securing your network at different levels for different threats. You need to have perimeter protection using Firewalls (FTD, ASA), you need IPS devices to analyze incoming packets against a database of known network attacks (FTD, NG-IPS), you need to make sure e-mails coming into your network are clean (ESA), you need to make sure that the devices logging into internal networks are authorized (ISE), you need to make sure that your internal users are visiting sites that follow the corporate policy (WSA) and that your external communication is protected (VPNs). I personally like and agree with CISCO's decision to focus on Design as it makes the learning required to pass the exams more relevant to real-world implementations. After all, these certifications are meant to train engineers for the everyday problems that they face in their work environments.

The current CCIE Security has been designed to enhance your knowledge on all fronts. It exposes you to various devices and technologies.

Based on my personal experience as well as the combined experience of thousands of students that I have taught, I can assure you that embarking on the CCIE Security journey will make you a better security engineer.

Please feel free to ask any follow-up questions that you may have; I will try to answer them to the best of my knowledge.

Cheers, Khawar