服务热线: 025-86106162
二十年品牌  二十万学员的选择

CCIE安全考试大纲

日期: 2017-12-03
浏览次数: 321

CCIE安全考试(400-251)考试大纲

 

CCIE安全v5.0 将笔试及实验考试考纲合二为一,并明确指出了每项考试主题的权重。

 

思科CCIE安全笔试考试(400-251)v5.0,考试时间为2小时,考试题目90-110道,验证专业人士是否具备阐释,设计,实施,操作和故障排除的复合网络安全技能及解决方案。考生必须理解网络安全所需,以及网络安全部件之间如何互相操作,并将其翻译成设备配置语言。闭卷考试,考场中不允许带任何参考资料。

 

思科CCIE安全实验考试v5.0,考试时间为8个小时,需要考生在给定的场景中计划,设计,执行,操作并故障排除复合网络安全完成动手实验考试。故障排除的知识是一项重要的技能,在实验考试中考生需要诊断并解决网络问题。

 

下列考纲列出了CCIE安全考试中可能出现的考试内容。但是,其他相关要点也可能会出现在考试中。下面的大纲可能会在未提前通知的情况下发生改变,这是为了更好地反映考试内容及更加透明化。

 

1.0 Perimeter Security and Intrusion Prevention

1.1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)

1.2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD

1.3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD

1.4 Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD

1.5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing,  traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD

1.6 Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and  TCP intercept on Cisco IOS/IOS-XE

1.7 Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD

1.8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting

1.9 Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC

1.10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes

1.11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC  (Firepower appliance)

1.12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet

2.0 Advanced Threat Protection and Content Security

2.1 Compare and contrast different AMP solutions including public and private cloud deployment models

2.2 Describe, implement, and troubleshoot AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA)

2.3 Detect, analyze, and mitigate malware incidents

2.4 Describe the benefit of threat intelligence provided by AMP Threat GRID

2.5 Perform packet capture and analysis using Wireshark, tcpdump, SPAN, and RSPAN

2.6 Describe, implement, and troubleshoot web filtering, user identification, and Application Visibility and Control (AVC)

2.7 Describe, implement, and troubleshoot mail policies, DLP, email quarantines, and SenderBase on ESA

2.8 Describe, implement, and troubleshoot SMTP authentication such as SPF and DKIM on ESA

2.9 Describe, implement, and troubleshoot SMTP encryption on ESA

2.10 Compare and contrast different LDAP query types on ESA

2.11 Describe, implement, and troubleshoot WCCP redirection

2.12 Compare and contrast different proxy methods such as SOCKS, Auto proxy/WPAD, and transparent

2.13 Describe, implement, and troubleshoot HTTPS decryption and DLP

2.14 Describe, implement, and troubleshoot CWS connectors on Cisco IOS routers, Cisco ASA, Cisco AnyConnect, and WSA

2.15 Describe the security benefits of leveraging the OpenDNS solution.

2.16 Describe, implement, and troubleshoot SMA for centralized content security management

2.17 Describe the security benefits of leveraging Lancope

3.0 Secure Connectivity and Segmentation

3.1 Compare and contrast cryptographic and hash algorithms such as AES, DES, 3DES, ECC, SHA, and MD5

3.2 Compare and contrast security protocols such as ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, and MKA

3.3 Describe, implementc and troubleshoot remote access VPN using technologies such as FLEXVPN, SSL-VPN between Cisco firewalls, routers, and end hosts

3.4 Describe, implement, and troubleshoot the Cisco IOS CA for VPN authentication

3.5 Describe, implement, and troubleshoot clientless SSL VPN technologies with DAP and smart tunnels on Cisco ASA and Cisco FTD

3.6 Describe, implement, and troubleshoot site-to-site VPNs such as GETVPN, DMVPN and IPsec

3.7 Describe, implement, and troubleshoot uplink and downlink MACsec (802.1AE)

3.8 Describe, implement, and troubleshoot VPN high availability using Cisco ASA VPN clustering and dual-hub DMVPN deployments

3.9 Describe the functions and security implications of cryptographic protocols such as AES, DES, 3DES, ECC, SHA, MD5, ISAKMP/IKEv1, IKEv2, SSL,  TLS/DTLS, ESP, AH, SAP, MKA, RSA, SCEP/EST, GDOI, X.509, WPA, WPA2, WEP, and TKIP

3.10 Describe the security benefits of network segmentation and isolation

3.11 Describe, implement, and troubleshoot VRF-Lite and VRF-Aware VPN

3.12 Describe, implement, and troubleshoot microsegmentation with TrustSec using SGT and SXP

3.13 Describe, implement, and troubleshoot infrastructure segmentation methods such as VLAN, PVLAN, and GRE

3.14 Describe the functionality of Cisco VSG used to secure virtual environments

3.15 Describe the security benefits of data center segmentation using ACI, EVPN, VXLAN, and NVGRE

4.0 Identity Management, Information Exchange, and Access Control

4.1 Describe, implement, and troubleshoot various personas of ISE in a multinode deployment

4.2 Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS configuration for AAA

4.3 Describe, implement, and troubleshoot AAA for administrative access to Cisco network devices using ISE and ACS

4.4 Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE.

4.5 Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy using ISE as the AAA server

4.6 Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure

4.7 Describe, implement, verify, and troubleshoot BYOD on-boarding and network access flows with an internal or external CA

4.8 Describe, implement, verify, and troubleshoot ISE and ACS integration with external identity sources such as LDAP, AD, and external RADIUS

4.9 Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML

4.10 Describe, implement, verify, and troubleshoot provisioning of AnyConnect with ISE and ASA

4.11 Describe, implement, verify, and troubleshoot posture assessment with ISE

4.12 Describe, implement, verify, and troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor

4.13 Describe, implement, verify, and troubleshoot integration of MDM with ISE

4.14 Describe, implement, verify, and troubleshoot certificate based authentication using ISE

4.15 Describe, implement, verify, and troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)

4.16 Describe the functions and security implications of AAA protocols such as RADIUS, TACACS+, LDAP/LDAPS, EAP (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST,  EAP-TEAP, EAP- MD5, EAP-GTC), PAP, CHAP, and MS-CHAPv2

4.17 Describe, implement, and troubleshoot identity mapping on ASA, ISE, WSA and FirePOWER

4.18 Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC

5.0 Infrastructure Security, Virtualization, and Automation

5.1 Identify common attacks such as Smurf, VLAN hopping, and SYNful knock, and their mitigation techniques

5.2 Describe, implement, and troubleshoot device hardening techniques and control plane protection methods, such as CoPP and IP Source routing.

5.3 Describe, implement, and troubleshoot management plane protection techniques such as CPU and memory thresholding and securing device access

5.4 Describe, implement, and troubleshoot data plane protection techniques such as iACLs, uRPF, QoS, and RTBH

5.5 Describe, implement, and troubleshoot IPv4/v6 routing protocols security

5.6 Describe, implement, and troubleshoot Layer 2 security techniques such as DAI, IPDT, STP security, port security, DHCP snooping, and VACL

5.7 Describe, implement, and troubleshoot wireless security technologies such as WPA, WPA2, TKIP, and AES

5.8 Describe wireless security concepts such as FLEX Connect, wIPS, ANCHOR, Rogue AP, and Management Frame Protection (MFP)

5.9 Describe, implement, and troubleshoot monitoring protocols such as NETFLOW/IPFIX, SNMP, SYSLOG, RMON, NSEL, and eSTREAMER

5.10 Describe the functions and security implications of application protocols such as SSH, TELNET, TFTP, HTTP/HTTPS, SCP, SFTP/FTP, PGP, DNS/DNSSEC,  NTP, and DHCP

5.11 Describe the functions and security implications of network protocols such as VTP, 802.1Q, TCP/UDP, CDP, LACP/PAgP, BGP, EIGRP, OSPF/OSPFv3,  RIP/RIPng, IGMP/CGMP, PIM, IPv6, and WCCP

5.12 Describe the benefits of virtualizing security functions in the data center using ASAv, WSAv, ESAv, and NGIPSv

5.13 Describe the security principles of ACI such as object models, endpoint groups, policy enforcement, application network profiles, and contracts

5.14 Describe the northbound and southbound APIs of SDN controllers such as APIC-EM

5.15 Identify and implement security features to comply with organizational security policies, procedures, and standards such as BCP 38, ISO 27001, RFC  2827, and PCI-DSS

5.16 Describe and identify key threats to different places in the network (campus, data center, core, edge) as described in Cisco SAFE

5.17 Validate network security design for adherence to Cisco SAFE recommended practices

5.18 Interpret basic scripts that can retrieve and send data using RESTful API calls in scripting languages such as Python

5.19 Describe Cisco Digital Network Architecture (DNA) principles and components.

6.0 Evolving Technologies

6.1 Cloud

  • 6.1.a Compare and contrast Cloud deployment models

    • 6.1.a [i] Infrastructure, platform, and software services (XaaS)

    • 6.1.a [ii] Performance and reliability

    • 6.1.a [iii] Security and privacy

    • 6.1.a [iv] Scalability and interoperability

  • 6.1.b Describe Cloud implementations and operations

    • 6.1.b [i] Automation and orchestration

    • 6.1.b [ii] Workload mobility

    • 6.1.b [iii] Troubleshooting and management

    • 6.1.b [iv] OpenStack components

6.2 Network Programmability (SDN)

  • 6.2.a Describe functional elements of network programmability (SDN) and how they interact

    • 6.2.a [i] Controllers

    • 6.2.a [ii] APIs

    • 6.2.a [iii] Scripting

    • 6.2.a [iv] Agents

    • 6.2.a [v] Northbound vs. Southbound protocols

  • 6.2.b Describe aspects of virtualization and automation in network environments

    • 6.2.b [i] DevOps methodologies, tools and workflows

    • 6.2.b [ii] Network/application function virtualization (NFV, AFV)

    • 6.2.b [iii] Service function chaining

    • 6.2.b [iv] Performance, availability, and scaling considerations

6.3 Internet of Things (IoT)

  • 6.3.a Describe architectural framework and deployment considerations for Internet of Things

    • 6.3.a [i] Performance, reliability and scalability

    • 6.3.a [ii] Mobility

    • 6.3.a [iii] Security and privacy

    • 6.3.a [iv] Standards and compliance

    • 6.3.a [v] Migration

    • 6.3.a [vi] Environmental impacts on the network


News / 相关新闻 More
2019 - 11 - 11
2017 - 11 - 17
思科职业认证CCIE课程目标路由和交换领域的CCIE认证资格表示网络人士在不同的LAN、WAN接口和各种路由器、交换机的联网方面拥有专家级知识。R&S 领域的专家可以解决复杂的连接问题,利用技术解决方案提高带宽、缩短响应时间、最大限度地提高性能、加强安全性和支持全球性应用。考生应当能够安装、配置和维护LAN、WAN和拨号接入服务。方向:网络管理及实施,网络性能优化、安全设计职位:网络工程师,系统集成工程师,网络维护工程师能力:设定主干路由协议利用多层交换技术建立园区网络环境安装配置CISCO设备并进行故障诊断和排错薪水:平均年薪不低于15万人民币,Cisco认证被恰当地称为'获得高技术,高薪水的头等舱船票①充足课时;充足的课时保证学员彻底学懂学会;②免费重修:学员缺课或者学习效果不理想,可以免费重修,确保完全掌握;③自由实验:实验室免费开放,时间不限,不断提高动手操作水平;④单独辅...
2017 - 11 - 17
CCNA课程目标    思科职业技能认证的初级认证思科认证网络支持工程师(CCNA)表示具备基本的和初步的网络知识。拥有CCNA认证的人士可以为小型网络(不超过100个节点)安装、配置和操作LAN、WAN和拨号接入服务,主要解决了网络的基本连通问题,具备初级网络工程师水平。通过CCNA课程的学习,您可以完成如下任务:1.在什么情况下应用集线器、交换机和路由器 2.利用Cisco IOS软件确认端口、协议、地址和可连接性3.根据要求互连交换机和路由器 4.配置交换机和路由器以支持LAN和WAN 服务5.设置IP子网以便于有效地管理网络6.通过配置访问列表来控制对网络段或网络资源的访问7.确认交换机、路由器及其配置的网络服务是按我们的预期在工作8.判断网络故障的原因并解决之9.对一些实际工程案例有一定的分析和解决能力学员要求计算机或相关通信专业,零基础或...
2017 - 11 - 16
思科职业认证CCIE课时安排
  • 微信扫一扫
  • 咨询电话:
  • 025-86106162
    18936898390


  • 一键加QQ群:
  • 思琦网络CCIE&HCIE群5
  • 销售咨询:蒋晗
  • QQ:2461907609 微信号:sqnjkf
    高级讲师:樊琦
    QQ:3052350132
    微信号:18936898390
    QQ:2461907609
  • 公司地址:
  • 江苏省南京市白下区洪武路38号正洪大厦19层 (南京总部)

    安徽省芜湖市鸠江区东部星城西区商务楼74-8室 (芜湖分部)

    重庆市高新区科园一路210号渝高广场D座10层 (重庆分部)

siqiwangluo.com  ©2017-11- 22 南京思琦网络科技有限公司 
犀牛云提供企业云服务
思琦在线咨询