The Evolution of Cisco’s Firepower

July 7, 2018 at 12:25 am


If you read the post here on the blog regarding a short history of Cisco Firepower, you recall that Cisco acquired a successful company named Sourcefire and this brought the Firepower technology into the company.

Let’s take a look at the progression of products that have resulted from this acquisition, and provide some more details on the latest technology (as of this writing) which is Firepower Threat Defense (FTD).


  • Classic FirePOWER 7000 Series Appliances
  • Classic FirePOWER 8000 Series Appliances
  • VMware


  • FirePOWER Services on ASA 5500-X
    • ASA5506-X, ASA5506H-X, ASA5506W-X
    • ASA5508-X
    • ASA5516-X
    • ASA5512-X
    • ASA5515-X
    • ASA5525-X
    • ASA5545-X
    • ASA5555-X


  • Firepower Threat Defense on ASA 5500-X
  • Firepower 9300
  • VMware
  • AWS


  • Firepower Threat Defense on Firepower 4100 Series
    • 4110, 4120, 4140, 4150
  • Azure


  • Firepower Threat Defense on Firepower 2100 Series
    • 2110, 2120, 2130, 2140

Remember, FTD is so exciting because it represents the convergence of code from the Sourcefire FirePOWER software and the Cisco ASA software as well as the code representing new features.

The Sourcefire code is actually implemented as multiple software components inside the system and includes:

  • Firepower core software – includes Snort, Web server, database, and firmware
  • Software patches and hotfixes 
  • Snort rules
  • Vulnerability database (VDB)
  • Geolocation database (GDB)
  • URL filtering database
  • Security Intelligence Feed 
  • Local malware detection 
  • Integration components – might include ISE integration, AD integration, etc.

Cisco Firepower – A Brief History

July 5, 2018 at 11:24 am


Sourcefire is a Hit

Sourcefire was founded in 2001 by Martin Roesch, the creator of Snort. The company created a commercial version of the Snort software, the Sourcefire 3D System, which evolved into the company’s Firepower line of network security products. Sourcefire was acquired by Cisco for $2.7 billion in July 2013.

What is Snort?

Snort’s open source network-based intrusion detection system (IDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol networks. Snort performs protocol analysis, content searching and matching.

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.

  • In sniffer mode, the program will read network packets and display them on the console.
  • In packet logger mode, the program will log packets to the disk.
  • In intrusion detection mode, the program will monitor network traffic and analyze it against a rule set defined by the user. The program will then perform a specific action based on what has been identified.

The Cisco Sourcefire Integration

Cisco began integrating the Sourcefire technology into various Cisco appliances as soon as possible. For example, the ASA 5500-X and ISR routers began offering Sourcefire capabilities soon after the acquisition.

Cisco also began releasing new hardware platforms to showcase the technology including the:

  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Series

Today, the excitement revolved around the latest implementation of the Sourcefire technology in what Cisco has named Firepower Threat Defense (FTD). FTD represents the convergence of the Cisco ASA software and the Sourcefire technology into a central code base.

Get ready for more detailed posts on this exciting technology!

CCIE Security (400-251) Written Exam Expanded Blueprint

June 10, 2018 at 10:20 am

CCIE Security

Be sure to bookmark this page. Here I will be putting together an expanded blueprint for the most current CCIE Security Written exam. This is important as the “standard” blueprint does not provide the level of detail we require for accurate and complete study and tracking.

1.0 Perimeter Security and Intrusion Prevention

1.1 Describe, implement, and troubleshoot HA features on Cisco ASA and Cisco FirePOWER Threat Defense (FTD)
1.1.a Cisco ASA Multiple Context Mode
1.1.b Cisco ASA Failover for High Availability
1.1.c FirePOWER Threat Defense High Availability

1.2 Describe, implement, and troubleshoot clustering on Cisco ASA and Cisco FTD

1.2.a ASA Clustering
1.2.b FTD Clustering

1.3 Describe, implement, troubleshoot, and secure routing protocols on Cisco ASA and Cisco FTD

1.3.a ASA Static and Default Routing
1.3.b ASA Policy Based Routing
1.3.c ASA Route Maps
1.3.d ASA BGP
1.3.e ASA OSPF
1.3.g ASA Multicast Routing
1.3.h FTD Static and Default Routing
1.3.i FTD BGP
1.3.j FTD OSPF
1.3.k FTD RIP

1.4 Describe, implement, and troubleshoot different deployment modes such as routed, transparent, single, and multicontext on Cisco ASA and Cisco FTD

1.5 Describe, implement, and troubleshoot firewall features such as NAT (v4,v6), PAT, application inspection, traffic zones, policy-based routing,  traffic redirection to service modules, and identity firewall on Cisco ASA and Cisco FTD

1.6 Describe, implement, and troubleshoot IOS security features such as Zone-Based Firewall (ZBF), application layer inspection, NAT (v4,v6), PAT and  TCP intercept on Cisco IOS/IOS-XE

1.7 Describe, implement, optimize, and troubleshoot policies and rules for traffic control on Cisco ASA, Cisco FirePOWER and Cisco FTD

1.8 Describe, implement, and troubleshoot Cisco Firepower Management Center (FMC) features such as alerting, logging, and reporting

1.9 Describe, implement, and troubleshoot correlation and remediation rules on Cisco FMC

1.10 Describe, implement, and troubleshoot Cisco FirePOWER and Cisco FTD deployment such as in-line, passive, and TAP modes

1.11 Describe, implement, and troubleshoot Next Generation Firewall (NGFW) features such as SSL inspection, user identity, geolocation, and AVC  (Firepower appliance)

1.12 Describe, detect, and mitigate common types of attacks such as DoS/DDoS, evasion techniques, spoofing, man-in-the-middle, and botnet

2.0 Advanced Threat Protection and Content Security

2.1 Compare and contrast different AMP solutions including public and private cloud deployment models

2.2 Describe, implement, and troubleshoot AMP for networks, AMP for endpoints, and AMP for content security (CWS, ESA, and WSA)

2.3 Detect, analyze, and mitigate malware incidents

2.4 Describe the benefit of threat intelligence provided by AMP Threat GRID

2.5 Perform packet capture and analysis using Wireshark, tcpdump, SPAN, and RSPAN

2.6 Describe, implement, and troubleshoot web filtering, user identification, and Application Visibility and Control (AVC)

2.7 Describe, implement, and troubleshoot mail policies, DLP, email quarantines, and SenderBase on ESA

2.8 Describe, implement, and troubleshoot SMTP authentication such as SPF and DKIM on ESA

2.9 Describe, implement, and troubleshoot SMTP encryption on ESA

2.10 Compare and contrast different LDAP query types on ESA

2.11 Describe, implement, and troubleshoot WCCP redirection

2.12 Compare and contrast different proxy methods such as SOCKS, Auto proxy/WPAD, and transparent

2.13 Describe, implement, and troubleshoot HTTPS decryption and DLP

2.14 Describe, implement, and troubleshoot CWS connectors on Cisco IOS routers, Cisco ASA, Cisco AnyConnect, and WSA

2.15 Describe the security benefits of leveraging the OpenDNS solution.

2.16 Describe, implement, and troubleshoot SMA for centralized content security management

2.17 Describe the security benefits of leveraging Lancope

3.0 Secure Connectivity and Segmentation

3.1 Compare and contrast cryptographic and hash algorithms such as AES, DES, 3DES, ECC, SHA, and MD5

3.2 Compare and contrast security protocols such as ISAKMP/IKEv1, IKEv2, SSL, TLS/DTLS, ESP, AH, SAP, and MKA

3.3 Describe, implementc and troubleshoot remote access VPN using technologies such as FLEXVPN, SSL-VPN between Cisco firewalls, routers, and end hosts

3.4 Describe, implement, and troubleshoot the Cisco IOS CA for VPN authentication

3.5 Describe, implement, and troubleshoot clientless SSL VPN technologies with DAP and smart tunnels on Cisco ASA and Cisco FTD

3.6 Describe, implement, and troubleshoot site-to-site VPNs such as GETVPN, DMVPN and IPsec

3.7 Describe, implement, and troubleshoot uplink and downlink MACsec (802.1AE)

3.8 Describe, implement, and troubleshoot VPN high availability using Cisco ASA VPN clustering and dual-hub DMVPN deployments

3.9 Describe the functions and security implications of cryptographic protocols such as AES, DES, 3DES, ECC, SHA, MD5, ISAKMP/IKEv1, IKEv2, SSL,  TLS/DTLS, ESP, AH, SAP, MKA, RSA, SCEP/EST, GDOI, X.509, WPA, WPA2, WEP, and TKIP

3.10 Describe the security benefits of network segmentation and isolation

3.11 Describe, implement, and troubleshoot VRF-Lite and VRF-Aware VPN

3.12 Describe, implement, and troubleshoot microsegmentation with TrustSec using SGT and SXP

3.13 Describe, implement, and troubleshoot infrastructure segmentation methods such as VLAN, PVLAN, and GRE

3.13.a VLANs
3.13.b PVLANs
3.13.c GRE

3.14 Describe the functionality of Cisco VSG used to secure virtual environments

3.15 Describe the security benefits of data center segmentation using ACI, EVPN, VXLAN, and NVGRE

4.0 Identity Management, Information Exchange, and Access Control

4.1 Describe, implement, and troubleshoot various personas of ISE in a multinode deployment

4.2 Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS configuration for AAA

4.3 Describe, implement, and troubleshoot AAA for administrative access to Cisco network devices using ISE and ACS

4.4 Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE.

4.5 Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy using ISE as the AAA server

4.6 Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure

4.7 Describe, implement, verify, and troubleshoot BYOD on-boarding and network access flows with an internal or external CA

4.8 Describe, implement, verify, and troubleshoot ISE and ACS integration with external identity sources such as LDAP, AD, and external RADIUS

4.9 Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML

4.10 Describe, implement, verify, and troubleshoot provisioning of AnyConnect with ISE and ASA

4.11 Describe, implement, verify, and troubleshoot posture assessment with ISE

4.12 Describe, implement, verify, and troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor

4.13 Describe, implement, verify, and troubleshoot integration of MDM with ISE

4.14 Describe, implement, verify, and troubleshoot certificate based authentication using ISE

4.15 Describe, implement, verify, and troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)

4.16 Describe the functions and security implications of AAA protocols such as RADIUS, TACACS+, LDAP/LDAPS, EAP (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST,  EAP-TEAP, EAP- MD5, EAP-GTC), PAP, CHAP, and MS-CHAPv2

4.17 Describe, implement, and troubleshoot identity mapping on ASA, ISE, WSA and FirePOWER

4.18 Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC

5.0 Infrastructure Security, Virtualization, and Automation

5.1 Identify common attacks such as Smurf, VLAN hopping, and SYNful knock, and their mitigation techniques

5.2 Describe, implement, and troubleshoot device hardening techniques and control plane protection methods, such as CoPP and IP Source routing.

5.3 Describe, implement, and troubleshoot management plane protection techniques such as CPU and memory thresholding and securing device access

5.4 Describe, implement, and troubleshoot data plane protection techniques such as iACLs, uRPF, QoS, and RTBH

5.5 Describe, implement, and troubleshoot IPv4/v6 routing protocols security

5.6 Describe, implement, and troubleshoot Layer 2 security techniques such as DAI, IPDT, STP security, port security, DHCP snooping, and VACL

5.7 Describe, implement, and troubleshoot wireless security technologies such as WPA, WPA2, TKIP, and AES

5.8 Describe wireless security concepts such as FLEX Connect, wIPS, ANCHOR, Rogue AP, and Management Frame Protection (MFP)

5.9 Describe, implement, and troubleshoot monitoring protocols such as NETFLOW/IPFIX, SNMP, SYSLOG, RMON, NSEL, and eSTREAMER

5.10 Describe the functions and security implications of application protocols such as SSH, TELNET, TFTP, HTTP/HTTPS, SCP, SFTP/FTP, PGP, DNS/DNSSEC,  NTP, and DHCP

5.11 Describe the functions and security implications of network protocols such as VTP, 802.1Q, TCP/UDP, CDP, LACP/PAgP, BGP, EIGRP, OSPF/OSPFv3,  RIP/RIPng, IGMP/CGMP, PIM, IPv6, and WCCP

5.12 Describe the benefits of virtualizing security functions in the data center using ASAv, WSAv, ESAv, and NGIPSv

5.13 Describe the security principles of ACI such as object models, endpoint groups, policy enforcement, application network profiles, and contracts

5.14 Describe the northbound and southbound APIs of SDN controllers such as APIC-EM

5.15 Identify and implement security features to comply with organizational security policies, procedures, and standards such as BCP 38, ISO 27001, RFC  2827, and PCI-DSS

5.16 Describe and identify key threats to different places in the network (campus, data center, core, edge) as described in Cisco SAFE

5.17 Validate network security design for adherence to Cisco SAFE recommended practices

5.18 Interpret basic scripts that can retrieve and send data using RESTful API calls in scripting languages such as Python

5.19 Describe Cisco Digital Network Architecture (DNA) principles and components.

6.0 Evolving Technologies v1.0

6.1 Cloud

6.1.a Compare and contrast Cloud deployment models
6.1.a [i] Infrastructure, platform, and software services (XaaS)
6.1.a [ii] Performance and reliability
6.1.a [iii] Security and privacy
6.1.a [iv] Scalability and interoperability
6.1.b Describe Cloud implementations and operations
6.1.b [i] Automation and orchestration
6.1.b [ii] Workload mobility
6.1.b [iii] Troubleshooting and management
6.1.b [iv] OpenStack components

6.2 Network Programmability (SDN)

6.2.a Describe functional elements of network programmability (SDN) and how they interact
6.2.a [i] Controllers
6.2.a [ii] APIs
6.2.a [iii] Scripting
6.2.a [iv] Agents
6.2.a [v] Northbound vs. Southbound protocols
6.2.b Describe aspects of virtualization and automation in network environments
6.2.b [i] DevOps methodologies, tools and workflows
6.2.b [ii] Network/application function virtualization (NFV, AFV)
6.2.b [iii] Service function chaining
6.2.b [iv] Performance, availability, and scaling considerations

6.3 Internet of Things (IoT)

6.3.a Describe architectural framework and deployment considerations for Internet of Things
6.3.a [i] Performance, reliability and scalability
6.3.a [ii] Mobility
6.3.a [iii] Security and privacy
6.3.a [iv] Standards and compliance
6.3.a [v] Migration
6.3.a [vi] Environmental impacts on the network

CCIE Security v5.0 Lab Equipment and Software

May 18, 2018 at 7:12 pm

This critical information is pretty buried on the Cisco site – so here you go! Easy to find here at in the CCIE Security category.

Virtual Machines:

Security Appliances

  • Cisco Identity Services Engine (ISE): 2.1.0
  • Cisco Secure Access Control System (ACS):
  • Cisco Web Security Appliance (WSA): 9.2.0
  • Cisco Email Security Appliance (ESA): 9.7.1
  • Cisco Wireless Controller (WLC): 8.3.102
  • Cisco Firepower Management Center Virtual Appliance: 6.0.1 and/or 6.1
  • Cisco Firepower NGIPSv: 6.0.1
  • Cisco Firepower Threat Defense: 6.0.1

Core Devices

  • IOSv L2: 15.2
  • IOSv L3: 15.5(2)T
  • Cisco CSR 1000V Series Cloud Services Router: 3.16.02.S
  • Cisco Adaptive Security Virtual Appliance (ASAv): 9.4(3)


  • Test PC: Microsoft Windows 7
  • Active Directory: Microsoft Windows Server 2008
  • Cisco Application Policy Infrastructure Controller Enterprise Module: 1.2
  • Cisco Unified Communications Manager: 8.6.(1)
  • FireAMP Private Cloud
  • AnyConnect 4.2

Physical Devices

Cisco Catalyst Switch

  • WS-C3850-24U 03.07.04E

Cisco Adaptive Security Appliance

  • 5512-X: 9.2(2)4

Cisco Aironet

  • 1602E: 15.3.3-JC

Cisco Unified IP Phone

  • 7965: 9.2(3)

Mastering the CCIE Evolving Technologies Section Sample Questions

May 29, 2017 at 3:34 pm


Here is a sample quiz using sample questions from my latest book – Mastering the CCIE Evolving Technologies Section. Have fun and good luck!

Mastering the CCIE Evolving Technologies Section

Congratulations - you have completed Mastering the CCIE Evolving Technologies Section. You scored %%SCORE%% out of %%TOTAL%%. Your performance has been rated as %%RATING%%
Your answers are highlighted below.
Shaded items are complete.

My Next Book! Mastering the CCIE Evolving Technologies Section

April 28, 2017 at 8:20 pm

CCIE Evolving Technologies

You asked for it! You got it! Terry Vinson and I are putting together an e-book (and print) for you to master this section in most of the CCIE Written Exams. I have received more questions about this section of the written exams than any other topic (pretty much ever!)

Since Cisco Systems announced these new additions to the already brutally difficult written exams, students have been in a bit of a panic about finding the scarce training materials to address these topics.

Our text follows the current blueprint letter for letter. There are plenty of practice questions to build your confidence, and no topic is left unexplored.

Thanks to, we are able to bring this product to you for a price that makes sense – the e-book version will be just $9.99!

Note this text arrives quickly – our current publication date is May 31, 2017!

Check Out My Other Books! 

CCIE Evolving Technologies – Cloud Security and Privacy

March 7, 2017 at 5:07 pm


Cloud Security and Privacy Overview

Here is another post to help you with the new Evolving Technologies section of the written exams for CCIE. This is from the Cloud section, and specifically addresses the Security and Privacy sub-bullet.

The Top Concerns

What should be your top most concerns in this area? Here they are:

  • Secure data transfers – ensuring data travels over IPsec, or similarly protected channels is critical as information moves from your users to private, or public, or hybrid clouds; obviously public and hybrid clouds can present more risk as the Internet is often the medium of transfer.
  • Secure software interfaces – the APIs you and your provider use in your cloud services must also offer security and privacy mechanisms.
  • Secure stored data – for storage in the cloud ecosystem, is your data receiving the security and privacy it requires; what about proper disposal of data by cloud providers?
  • User access control – who has access to your data in the cloud? This is especially critical if your data is maintained by a public provider with users that fall outside of your corporate scope.
  • Data separation – if you are using cloud services in a multi-tenant environment, what techniques are in use to protect data breaches from one organization to another.

Cloud Security Controls

These tend to fall into these categories:

  • Deterrent controls – intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.
  • Preventive controls – strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
  • Detective controls – intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventative or corrective controls to address the issue. System and network security monitoring, including intrusion detection and prevention arrangements, are typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
  • Corrective controls – reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.

Pearson Education (InformIT)