Cisco Systems, Inc.

Cisco Certified Internetwork Expert (CCIE) Security


Credential: Cisco Certified Internetwork Expert (CCIE) Security (In-Demand resource; GI Bill resource)
Credentialing Agency: Cisco Systems, Inc.

Renewal Period: 2 years

The Cisco Certified Internetwork Expert (CCIE) Security recognizes individuals who have the knowledge and skills to implement, maintain and support extensive Cisco Network Security Solutions using the latest industry best practices and technologies. Candidates are encouraged to have three to five years of job experience. Candidates must pass a written qualification exam, which covers networking concepts and some equipment commands, and then must pass a hands-on lab exam, which tests the ability to get a secure network running in a timed test situation.

More information can be found on the certifying agency's website.

MINIMUM REQUIREMENTS

 

Eligibility Requirements

  • Credential Prerequisite
  • Experience: 3 years recommended
  • Education
  • Training
  • Membership
  • Other
  • Fee

Note: This credential may have multiple options for becoming eligible. Listed are the minimum requirements based on the minimum degree required. To view other options, see the Eligibility tab.

Exam Requirements

  • Exam
  • Written Exam
  • Oral Exam
  • Practical Exam
  • Performance Assessment

RECERTIFICATION SUMMARY

Renewal Period: 2 years

  • Continuing Education
  • Exam
  • Continuing Education OR Exam
  • Fee
  • Other

AGENCY CONTACT INFORMATION

Cisco Systems, Inc.

170 West Tasman Dr.
San Jose, CA  95134

Phone: (800) 553-NETS

OTHER REQUIREMENTS

The Cisco Certified Internetwork Expert (CCIE) Security credential has the following other requirements:

Written Exam 400-251 CCIE Security

  • 1.0 Perimeter Security and Intrusion Prevention (21%)
    • 1.1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
    • 1.2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD
    • 1.3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD
    • 1.4 Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD
    • 1.5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing, traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD
    • 1.6 Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and TCP intercept on Cisco IOS/IOS-XE
    • 1.7 Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD
    • 1.8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting
    • 1.9 Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC
    • 1.10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes
    • 1.11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC (Firepower appliance)
    • 1.12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet
  • 2.0 Advanced Threat Protection and Content Security (17%)
    • 2.1 Compare and contrast different AMP solutions including public and private cloud deployment models
    • 2.2 Describe, implement, and troubleshoot AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA)
    • 2.3 Detect, analyze, and mitigate malware incidents
    • 2.4 Describe the benefit of threat intelligence provided by AMP Threat GRID
    • 2.5 Perform packet capture and analysis using Wireshark, tcpdump, SPAN, and RSPAN
    • 2.6 Describe, implement, and troubleshoot web filtering, user identification, and Application Visibility and Control (AVC)
    • 2.7 Describe, implement, and troubleshoot mail policies, DLP, email quarantines, and SenderBase on ESA
    • 2.8 Describe, implement, and troubleshoot SMTP authentication such as SPF and DKIM on ESA
    • 2.9 Describe, implement, and troubleshoot SMTP encryption on ESA
    • 2.10 Compare and contrast different LDAP query types on ESA
    • 2.11 Describe, implement, and troubleshoot WCCP redirection
    • 2.12 Compare and contrast different proxy methods such as SOCKS, Auto proxy/WPAD, and transparent
    • 2.13 Describe, implement, and troubleshoot HTTPS decryption and DLP
    • 2.14 Describe, implement, and troubleshoot CWS connectors on Cisco IOS routers, Cisco ASA, Cisco AnyConnect, and WSA
    • 2.15 Describe the security benefits of leveraging the OpenDNS solution.
    • 2.16 Describe, implement, and troubleshoot SMA for centralized content security management
    • 2.17 Describe the security benefits of leveraging Lancope
  • 3.0 Secure Connectivity and Segmentation (17%)
    • 3.1 Compare and contrast cryptographic and hash algorithms such as AES, DES, 3DES, ECC, SHA, and MD5
    • 3.2 Compare and contrast security protocols such as ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, and MKA
    • 3.3 Describe, implement, and troubleshoot remote access VPN using technologies such as FLEXVPN, SSL-VPN between Cisco firewalls, routers, and end hosts
    • 3.4 Describe, implement, and troubleshoot the Cisco IOS CA for VPN authentication
    • 3.5 Describe, implement, and troubleshoot clientless SSL VPN technologies with DAP and smart tunnels on Cisco ASA and Cisco FTD
    • 3.6 Describe, implement, and troubleshoot site-to-site VPNs such as GETVPN, DMVPN and IPsec
    • 3.7 Describe, implement, and troubleshoot uplink and downlink MACsec (802.1AE)
    • 3.8 Describe, implement, and troubleshoot VPN high availability using Cisco ASA VPN clustering and dual-hub DMVPN deployments
    • 3.9 Describe the functions and security implications of cryptographic protocols such as AES, DES, 3DES, ECC, SHA, MD5, ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, MKA, RSA, SCEP/EST, GDOI, X.509, WPA, WPA2, WEP, and TKIP
    • 3.10 Describe the security benefits of network segmentation and isolation
    • 3.11 Describe, implement, and troubleshoot VRF-Lite and VRF-Aware VPN
    • 3.12 Describe, implement, and troubleshoot microsegmentation with TrustSec using SGT and SXP
    • 3.13 Describe, implement, and troubleshoot infrastructure segmentation methods such as VLAN, PVLAN, and GRE
    • 3.14 Describe the functionality of Cisco VSG used to secure virtual environments
    • 3.15 Describe the security benefits of data center segmentation using ACI, EVPN, VXLAN, and NVGRE
  • 4.0 Identity Management, Information Exchange, and Access Control (22%)
    • 4.1 Describe, implement, and troubleshoot various personas of ISE in a multinode deployment
    • 4.2 Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS configuration for AAA
    • 4.3 Describe, implement, and troubleshoot AAA for administrative access to Cisco network devices using ISE and ACS
    • 4.4 Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE.
    • 4.5 Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy using ISE as the AAA server
    • 4.6 Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure
    • 4.7 Describe, implement, verify, and troubleshoot BYOD on-boarding and network access flows with an internal or external CA
    • 4.8 Describe, implement, verify, and troubleshoot ISE and ACS integration with external identity sources such as LDAP, AD, and external RADIUS
    • 4.9 Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML
    • 4.10 Describe, implement, verify, and troubleshoot provisioning of AnyConnect with ISE and ASA
    • 4.11 Describe, implement, verify, and troubleshoot posture assessment with ISE
    • 4.12 Describe, implement, verify, and troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor
    • 4.13 Describe, implement, verify, and troubleshoot integration of MDM with ISE
    • 4.14 Describe, implement, verify, and troubleshoot certificate based authentication using ISE
    • 4.15 Describe, implement, verify, and troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)
    • 4.16 Describe the functions and security implications of AAA protocols such as RADIUS, TACACS+, LDAP/LDAPS, EAP (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-TEAP, EAP-MD5, EAP-GTC), PAP, CHAP, and MS-CHAPv2
    • 4.17 Describe, implement, and troubleshoot identity mapping on ASA, ISE, WSA and FirePOWER
    • 4.18 Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC
  • 5.0 Infrastructure Security, Virtualization, and Automation (13%)
    • 5.1 Identify common attacks such as Smurf, VLAN hopping, and SYNful knock, and their mitigation techniques
    • 5.2 Describe, implement, and troubleshoot device hardening techniques and control plane protection methods, such as CoPP and IP Source routing.
    • 5.3 Describe, implement, and troubleshoot management plane protection techniques such as CPU and memory thresholding and securing device access
    • 5.4 Describe, implement, and troubleshoot data plane protection techniques such as iACLs, uRPF, QoS, and RTBH
    • 5.5 Describe, implement, and troubleshoot IPv4/v6 routing protocols security
    • 5.6 Describe, implement, and troubleshoot Layer 2 security techniques such as DAI, IPDT, STP security, port security, DHCP snooping, and VACL
    • 5.7 Describe, implement, and troubleshoot wireless security technologies such as WPA, WPA2, TKIP, and AES
    • 5.8 Describe wireless security concepts such as FLEX Connect, wIPS, ANCHOR, Rogue AP, and Management Frame Protection (MFP)
    • 5.9 Describe, implement, and troubleshoot monitoring protocols such as NETFLOW/IPFIX, SNMP, SYSLOG, RMON, NSEL, and eSTREAMER
    • 5.10 Describe the functions and security implications of application protocols such as SSH, TELNET, TFTP, HTTP/HTTPS, SCP, SFTP/FTP, PGP, DNS/DNSSEC, NTP, and DHCP
    • 5.11 Describe the functions and security implications of network protocols such as VTP, 802.1Q, TCP/UDP, CDP, LACP/PAgP, BGP, EIGRP, OSPF/OSPFv3, RIP/RIPng, IGMP/CGMP, PIM, IPv6, and WCCP
    • 5.12 Describe the benefits of virtualizing security functions in the data center using ASAv, WSAv, ESAv, and NGIPSv
    • 5.13 Describe the security principles of ACI such as object models, endpoint groups, policy enforcement, application network profiles, and contracts
    • 5.14 Describe the northbound and southbound APIs of SDN controllers such as APIC-EM
    • 5.15 Identify and implement security features to comply with organizational security policies, procedures, and standards such as BCP 38, ISO 27001, RFC 2827, and PCI-DSS
    • 5.16 Describe and identify key threats to different places in the network (campus, data center, core, edge) as described in Cisco SAFE
    • 5.17 Validate network security design for adherence to Cisco SAFE recommended practices
    • 5.18 Interpret basic scripts that can retrieve and send data using RESTful API calls in scripting languages such as Python
    • 5.19 Describe Cisco Digital Network Architecture (DNA) principles and components.
  • 6.0 Evolving Technologies (10%)
    • 6.1 Cloud
    • 6.2 Network Programmability (SDN)
    • 6.3 Internet of Things (IoT)

Practical Exam Lab Exam v5.0

The Cisco CCIE Security Lab Exam version 5.0 is an eight-hour, hands-on exam that requires a candidate to plan, design, implement, operate, and troubleshoot complex security scenarios for a given specification. Knowledge of troubleshooting is an important skill and candidates are expected to diagnose and solve issues as part of the CCIE lab exam.

  • Module 1: Troubleshooting module
  • Module 2: Diagnostic module
  • Module 3: Configuration module

Exam Preparation Resources

There are a number of resources available to help you prepare for the Cisco Certified Internetwork Expert (CCIE) Security examination:

Testing Information

Testing for this credential is handled by Pearson VUE. The test centers are located in the U.S. They also have some test centers on military bases.

To find out more, use the following links on the Pearson VUE website:

For more information on the Cisco Systems, Inc. testing process, visit the agency website.

RECERTIFICATION

Renewal Period: 2 years

The Cisco Certified Internetwork Expert (CCIE) Security credential has the following recertification information:

To maintain active status, every 24 months CCIEs are required to pass one of the following before the certification expiration date:

  • Earn the required credits through the Cisco Continuing Education Program, or
  • Pass any current CCIE Written Exam OR CCIE Lab Exam, or
  • Pass the current CCDE Written Exam OR current CCDE Practical Exam, or
  • Pass the Cisco Certified Architect (CCAr) interview AND the CCAr board review to extend lower certifications.

Additional considerations for the Cisco Certified Internetwork Expert (CCIE) Security include:

  • Although not required, candidates are strongly encouraged to have three to five years of job experience before attempting certification.

In Demand

This certification is considered in demand

GI Bill®

Reimbursement for exam fees has been approved for payment through the GI Bill.

Note: GI Bill approval data is updated quarterly. For the latest information, visit the WEAMS Licenses/Certifications Search page. Make sure to select "Both" in the LAC Category Type drop-down before searching.

This is an official U.S. Navy website
Updated: October 16, 2019