In February of 2012, Cisco announced updates to their Cisco CCNP certification program. Since the world of networking and system security is constantly evolving, Cisco wanted to ensure that the skills assessed in the CCNP Security certification provided both candidates and prospective employers with the appropriate skills. This newest iteration of the CCNP Security certification adds additional support for newer features revolving around the ASA platform, including support for the newest 8.3 and 8.4 software versions and AnyConnect 3.0.
Securing Networks with Cisco Routers and Switches (SECURE)
The SECURE objectives and exam have not been changed with the current upgrade of the CCNP Security certification. The following lists shows the objectives of the SECURE exam.
Pre-Production Design
- Choose Cisco IOS technologies to implement HLD
- Choose Cisco products to implement HLD
- Choose Cisco IOS features to implement HLD 2
- Integrate Cisco network security solutions with other security technologies
- Create and test initial Cisco IOS configurations for new devices/services
Complex Operations Support
- Optimize Cisco IOS security infrastructure device performance
- Create complex network security rules to meet the security policy requirements
- Optimize security functions, rules, and configuration
- Configure & verify NAT to dynamically mitigate identified threats to the network
- Configure & verify IOS Zone Based Firewalls including advanced application inspections and URL filtering
- Configure & verify the IPS features to identify threats and dynamically block them from entering the network
- Maintain, update and tune IPS signatures
- Configure & verify IOS VPN features
- Configure & verify Layer 2 and Layer 3 security features
Advanced Troubleshooting
- Advanced Cisco IOS security software configuration fault finding and repairing
- Advanced Cisco routers and switches hardware fault finding and repairing
Implementing Cisco Intrusion Prevention System (IPS)
The IPS objectives and exam have not been changed with the current upgrade of the CCNP Security certification. The following list shows the objectives of the IPS exam.
Pre-Production Design
- Choose Cisco IPS technologies to implement HLD
- Choose Cisco products to implement HLD
- Choose Cisco IPS features to implement HLD
- Integrate Cisco network security solutions with other security technologies
- Create and test initial Cisco IPS configurations for new devices/services
Complex Support Operations
- Optimize Cisco IPS security infrastructure device performance
- Create complex network security rules, to meet the security policy requirements
- Configure and verify the IPS features to identify threats and dynamically block them from entering the network
- Maintain, update and tune IPS signatures
- Use CSM and MARS for IPS management, deployment, and advanced event correlation.
- Optimize security functions, rules, and configuration
Advanced Troubleshooting
- Advanced Cisco IPS security software configuration fault finding and repairing
- Advanced Cisco IPS sensor and module hardware fault finding and repairing
Deploying Cisco ASA Firewall Solutions (FIREWALL)
When preparing for this article it became obvious that while the wording and organization of many of the objectives has changes, much of the material that is expected to be known is the same; because of this, objectives that are similar between version1 and 2 will be marked as such.
Existed in v1 curriculum
Added to the v2 curriculum
Cisco ASA adaptive security appliance Basic Configurations
- Identify the ASA product family
- Implement ASA licensing
- Manage the ASA boot process
- Implement ASA interface settings
- Implement ASA management features
- Implement ASA access control features
- Implement Network Address Translation (NAT) on the ASA
- Implement ASDM public server feature
- Implement ASA quality of service (QoS) settings
- Implement ASA transparent firewall
ASA Routing Features
- Implement ASA static routing
- Implement ASA dynamic routing
ASA Inspection Policy
- Implement ASA inspections features
ASA Advanced Network Protections
- Implement ASA Botnet traffic filter
ASA High Availability
- Implement ASA Interface redundancy and load sharing features
- Implement ASA virtualization feature
- Implement ASA stateful failover
Deploying Cisco ASA VPN Solutions (VPN)
As was stated with the FIREWALL objectives, the same is true of the VPN objectives.
Existed in v1 curriculum
Added to the v2 curriculum
Common Cisco ASA adaptive security appliance VPN Configurations Components
- Identify ASA VPN licensing requirements
- Identify the components and features of AnyConnect 3.0 Mobility (VPN, NAM, Web Sec (ScanSafe), an Telemetry)
- Implement ASA VPN connection profiles, group policies, and user policies
- Implement Simple Certificate Enrollment Protocol (SCEP) proxy operations using Cisco Adaptive Security Device Manager (ASDM)
- Implement local and external VPN authorization using ASDM/
- Implement VPN session accounting using ASDM
- Implement Cisco Secure Desktop and Independent Host Scan operations using ASDM
- Implement DAP operations using ASDM
- Implement LOCAL CA operations for Secure Sockets Layer (SSL) VPNs using ASDM
- Implement certificate maps using ASDM
- Identify the ASA IPv6 VPN capabilities
- Monitor and verify the resulting CLI commands resulting from the various VPN configurations on the ASA
ASA IP SEC S2S VPN
- Implement a security high-level design according to policy and environmental requirements by identifying Cisco ASA IPSec S2S VPN features and supporting technologies
- Implement basic IPSEC S2S VPN operations with PSK and digital certificates using ASDM
- Implement basic IKEv2 based IPSEC S2S VPN operations using ASDM
- Troubleshoot the initial provisioning IPSec S2S VPN applications due to misconfiguration
ASA EZVPN
- Implement a security high level design according to policy and environmental requirements by identifying Cisco ASA VPN client features and supporting technologies
- Implement basic EZVPN server operations on the ASA using ASDM
Basic EZVPN remote operations on the ASA 5505 using ASDM
- Implement AnyConnect 3.0 IKEv2 RA VPN operations
- Implement Client Services Server (CSS) feature
- Troubleshoot the initial provisioning IPSec RA VPN applications due to misconfiguration
ASA AnyConnect SSL VPNs
- Implement a security high-level design according to policy and environmental requirements by identifying Cisco ASA AnyConnect client features and supporting technologies
- Implement DTLS operations using ASDM
- Implement basic AnyConnect 3.0 full tunnel SSL VPN operations
- Troubleshoot AnyConnect SSL VPN operations using DART
- Implement AnyConnect Profiles using ASDM
- Implement advanced authentication in AnyConnect Full Tunnel SSL VPNs (certificate and multiauthentication) using ASDM
- Troubleshoot the initial provisioning client-based SSL VPN applications due to misconfiguration
ASA Clientless SSL VPNs
- Implement a security high level design according to policy and environmental requirements by identifying Cisco ASA clientless SSL VPN features and supporting technologies
- Implement basic Clientless SSL VPN operations using ASDM
- Implement advanced applications access using ASDM
- Implement the SSO features on the ASA in a clientless SSL VPN environment
- Implement advanced authentication in clientless SSL VPNs (certificate and multi-authentication) using ASDM
- Manage the clientless SSL VPN user interface and portal using ASDM
- Implement basic portal customization
- Troubleshoot the initial provisioning of Clientless SSL VPN applications due to misconfiguration
SSL VPN High Availability
- Implement SSL and IPSEC VPN high availability features
Summary
As can be seen from the comparisons, the majority of the material that is covered in the newer versions was previously covered. The main differences are around the newest version of the ASA software (8.3 & 8.4) and AnyConnect 3.0 and the changes that come with these newest versions. This should be good news for those already in the process of preparing for the CCNP Security, since the majority of the exam contents have not changed by a lot, most of the studying will be useful for either version of the FIREWALL and VPN exams.