Cisco intros CCIE Security

Cisco Systems Inc. says its new expert-level certificate in network security gives managers the knowledge they need to keep intruders at bay, but one industry observer questions the validity of Cisco’s claim.

The San Jose, Calif.-based network gear vendor last month announced a new designation, Cisco Certified Internetworking Expert (CCIE) Security. It’s supposed to teach networkers how to deploy the company’s protection platforms, such as the PIX Firewall, as well as the intricacies of network security – intrusion detection, VPNs, et cetera.

“We found…an awful lot of interest in security, a high demand for some level of certification to show that people have some qualifications,” said Mike Reid, Cisco’s Halifax-based CCIE manager. “We created the certification to address a need.”

However, a spokesman for the SANS Institute, a technology education firm in Bethesda, Md., said Cisco’s training usually doesn’t go far enough, and he wondered if the company’s latest certificate would likewise stop short.

In the regular CCIE track, “you don’t learn about the things that are configured wrong in Cisco routers,” said Alan Paller, SANS’ director of research, accusing Cisco of ignoring threats specific to its own technology and training methods.

For example, Paller said Cisco provides sample passwords in its literature and “if you tried 100 Cisco routers, you’d find that between 75 and 80 of them have one of two passwords used in the courses.”

As a result, many Cisco networks are not safe and Paller fears that CCIEs are not as security-savvy as they could be. He indicated that the situation casts the latest certification, supposedly for security expertise, in an unflattering light.

Cisco’s Reid said the company tests CCIE Security candidates not on their knowledge of the technology’s flaws, nor potential implementation problems.

However, “it’s something we can certainly look at,” he said.

For now, the new certificate addresses an industry-wide need for security experts, people versed in intrusion detection, VPN protocols and other methods of network protection, Reid said.

Spokespeople from other vendors seemed to agree that the time is right for certificates like CCIE Security.

“Look at the number of Internet users,” said Kevin Krempulek, the Toronto-based channel manager with computer security firm Symantec Corp. “It’s been on a drastic incline since the end of the ’90s. With that brings an added number of new threats. On the Internet alone there are 30,000 hacker sites where a user could download a program to be destructive, readily available.”

As well, consider the nature of network technology, Krempulek suggested. It’s designed to foster easy digital communication, but it also fosters easy access for intruders.

“E-commerce, business-to-business and the movement of data, that’s all a business enabler, allowing us to do things faster in a much more efficient process,” he said. “However, it opens a great number of security risks.”

Learning how to deal with those risks through CCIE Security isn’t easy. For starters, the candidate must pass a written qualifying test. If she passes, the student schedules a lab-based exam, wherein she must turn theory into practice.

“Because it’s a hands-on exam, you can’t just take courses, read books, walk in and take it,” Reid said. “You have to have the gear, sit down and work with it.”

Sean Barr knows all about the gruelling final. A San Francisco-based network engineer with SBC Communications, Barr passed the CCIE Security exam.

“It’s very difficult,” he said. “It puts you in an awkward position because it’s stuff you wouldn’t set up in a normal network. There’s a lot of obscurity to it.”

Although he couldn’t go into detail without breaking a non-disclosure agreement with Cisco, Barr did say CCIE Security addresses a particular need, as “people are going to become aware of how important security is in the network.”

Still, it costs a pretty penny to become a CCIE Security holder. Reid said the qualifying test is US$300 and the exam costs US$1,250. “It is quite common for people to have to take it several times,” he added.

Yes, “it is expensive,” Reid said, but the benefits outweigh the costs. For example, Cisco’s resellers often pay for employees to take the exam because with a certain number of CCIEs, the firms get discounts on Cisco equipment.

As well, CCIEs receive an average of US$48,000 more in salary than those not certified – 75 per cent above standard salary, Reid said. “The payoff is there.”

Barr said he spent approximately US$2,000 en route to winning the CCIE Security designation. He used SBC’s equipment to practice eight hours each day for three months. However, the money was not a motivating factor for him. As the owner of one CCIE designation already – the certificate indicates Barr is a master of routing and switching – he already pulls in a six-figure salary.

“It’s just fun to go in and do the labs,” Barr said.

But Paller from SANS said network security isn’t about fun and games; it’s about protection. Although it’s too soon to pass final judgement on Cisco’s Security certificate, he remains skeptical of the company’s modus operandi.

“If Cisco is actually looking at all of the threats, even the ones that their own routers create and passwords, if they teach you the things people do wrong in implementing their systems to make them weak and how to block them, that would be very helpful,” Paller said. “They sure as heck have a lot of systems out there.”