CCIE Security
Published by: 东科系统 (Dongke Systems)  Published: 2016/11/10 14:13:26

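Introduction to CCIE Security:
CCIE Security is aimed at network professionals responsible for designing and implementing secure Cisco networks. The CCIE certification in security indicates that a network professional has expert-level network security knowledge and can maintain and design security for the networks of large or multinational enterprises.
1. Can resolve complex connectivity problems.
2. Uses technical solutions to increase bandwidth, shorten response times, maximize performance, strengthen security, and support global applications.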

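Course structure:

Who the CCIE Security course is for

Those who have passed CCNP or have an equivalent level and work in networking-related roles. Students are also advised to be reasonably familiar with CCIE R&S.

CCIE Security course content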

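◆ IGP  In-depth coverage of the principles of the OSPF/EIGRP/RIP protocols, the principles of route redistribution, and the use of the various route-control methods and tools, with case studies of large-scale IGP deployments

◆ Switching  In-depth coverage of multilayer switching principles, VLANs and private VLANs, MST, RSTP, SPAN/RSPAN, switch security, Ethernet channel, 802.1X, protection against DHCP/ARP spoofing, switch QoS (WRR/SRR), and so on.

◆ ASA  PIX/ASA address translation and connections, access control lists and content filtering, object grouping, AAA control, advanced protocol protection, VPN (virtual private network) configuration, understanding how PIX/ASA uses Cisco Easy VPN for remote access, WebVPN, transparent/virtual firewalls, and PIX/ASA Active/Active configuration

◆ AAA  AAA configuration for network devices including routers, switches, PIX, ASA, and VPN3000

◆ Network attacks  Common network attack techniques and the corresponding defenses

◆ Security features  The security feature sets of the different types of Cisco network devices

◆ IPS  IPS signature set modification, IPS blocking, IPS management, IPS event filtering, IPS alert control, IPS response action control, and so on

◆ IOS Firewall  CBAC and how to use IOS to defend against attacks

◆ BGP  In-depth coverage of BGP principles and caveats, implementation considerations, and so on

◆ VPN  Coverage of the various types of VPN: DMVPN, IPsec VPN, EZVPN, GRE, MPLS VPN, and other topics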

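CCIE Security course hours

The study period is 5-9 months, with 120 hours of theory classes; classes can be retaken free of charge, and lab time is unlimited

Lab content:

Note: The technologies listed below are the scope covered by the CCIE Security LAB exam; some related topics that are not listed may also be covered. In addition, as an important skill, random troubleshooting is also part of the exam. New product features may be added to the exam blueprint six months after their release.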

Implement secure networks using Cisco ASA Firewalls

Perform basic firewall Initialization

Configure device management

Configure address translation (nat, global, static)

Configure ACLs

Configure IP routing

Configure object groups

Configure VLANs

Configure filtering

Configure failover

Configure Layer 2 Transparent Firewall

Configure security contexts (virtual firewall)

Configure Modular Policy Framework

Configure Application-Aware Inspection

Configure high availability solutions

Configure QoS policies

Implement secure networks using Cisco IOS Firewalls

Configure CBAC

Configure Zone-Based Firewall

Configure Audit

Configure Auth Proxy

Configure PAM

Configure access control

Configure performance tuning

Configure advanced IOS Firewall features

Implement secure networks using Cisco VPN solutions

Configure IPsec LAN-to-LAN (IOS/ASA)

Configure SSL VPN (IOS/ASA)

Configure Dynamic Multipoint VPN (DMVPN)

Configure Group Encrypted Transport (GET) VPN

Configure Easy VPN (IOS/ASA)

Configure CA (PKI)

Configure Remote Access VPN

Configure Cisco Unity Client

Configure Clientless WebVPN

Configure AnyConnect VPN

Configure XAuth, Split-Tunnel, RRI, NAT-T

Configure High Availability

Configure QoS for VPN

Configure GRE, mGRE

Configure L2TP

Configure advanced Cisco VPN features

Configure Cisco IPS to mitigate network threats

Configure IPS 4200 Series Sensor Appliance

Initialize the Sensor Appliance

Configure Sensor Appliance management

Configure virtual Sensors on the Sensor Appliance

Configure security policies

Configure promiscuous and inline monitoring on the Sensor Appliance

Configure and tune signatures on the Sensor Appliance

Configure custom signatures on the Sensor Appliance

Configure blocking on the Sensor Appliance

Configure TCP resets on the Sensor Appliance

Configure rate limiting on the Sensor Appliance

Configure signature engines on the Sensor Appliance

Use IDM to configure the Sensor Appliance

Configure event action on the Sensor Appliance

Configure event monitoring on the Sensor Appliance

Configure advanced features on the Sensor Appliance

Configure and tune Cisco IOS IPS

Configure SPAN & RSPAN on Cisco switches

Implement Identity Management

Configure RADIUS and TACACS+ security protocols

Configure LDAP

Configure Cisco Secure ACS

Configure certificate-based authentication

Configure proxy authentication

Configure 802.1x

Configure advanced identity management features

Configure Cisco NAC Framework

Implement Control Plane and Management Plane Security

Implement routing plane security features (protocol authentication, route filtering)

Configure Control Plane Policing

Configure CP protection and management protection

Configure broadcast control and switchport security

Configure additional CPU protection mechanisms (options drop, logging interval)

Disable unnecessary services

Control device access (Telnet, HTTP, SSH, Privilege levels)

Configure SNMP, Syslog, AAA, NTP

Configure service authentication (FTP, Telnet, HTTP, other)

Configure RADIUS and TACACS+ security protocols

Configure device management and security

Configure Advanced Security

Configure mitigation techniques to respond to network attacks

Configure packet marking techniques

Implement security RFCs (RFC1918/3330, RFC2827/3704)

Configure Black Hole and Sink Hole solutions

Configure RTBH filtering (Remote Triggered Black Hole)

Configure Traffic Filtering using Access-Lists

Configure IOS NAT

Configure TCP Intercept

Configure uRPF

Configure CAR

Configure NBAR

Configure NetFlow

Configure Anti-Spoofing solutions

Configure Policing

Capture and utilize packet captures

Configure Transit Traffic Control and Congestion Management

Configure Cisco Catalyst advanced security features

Identify and Mitigate Network Attacks

Identify and protect against fragmentation attacks

Identify and protect against malicious IP option usage

Identify and protect against network reconnaissance attacks

Identify and protect against IP spoofing attacks

Identify and protect against MAC spoofing attacks

Identify and protect against ARP spoofing attacks

Identify and protect against Denial of Service (DoS) attacks

Identify and protect against Distributed Denial of Service (DDoS) attacks

Identify and protect against Man-in-the-Middle (MiM) attacks

Identify and protect against port redirection attacks

Identify and protect against DHCP attacks

Identify and protect against DNS attacks

Identify and protect against Smurf attacks

Identify and protect against SYN attacks

Identify and protect against MAC Flooding attacks

Identify and protect against VLAN hopping attacks

Identify and protect against various Layer2 and Layer3 attacks

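Main reference books:

Chinese books:

CCIE Security Certification Exam Guide

Managing Cisco Network Security

CSVPN Certification Exam Guide

CSPFA Certification Exam Guide

Cisco Intrusion Detection System

Network Security Principles and Practices

English books (original and reprint editions):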

Cisco Press CCIE Practical Labs: Security

Cisco Press CCIE Security Exam Certification Guide

Cisco Press CCIE Practical Studies Security

Cisco Press Cisco Designing Perimeter Security

Cisco Press Cisco Designing VPN Security

Cisco Press Network Security Principles and Practices

Cisco Press Web Security Field Guide

Cisco Press Cisco Router Firewall Security

Cisco Press CCSP SECUR Study Guide

Cisco Press SECUR Exam Certification Guide

Cisco Press CCSP CSVPN Study Guide

Cisco Press CSVPN Exam Certification Guide

Cisco Press CCSP CSPFA Study Guide

Cisco Press CSPFA Exam Certification Guide

Cisco Press CCSP CSIDS Study Guide

Cisco Press CCSP CSI Study Guide

Cisco Press CSI Exam Certification Guide

