Joe and I didn’t get to go to Networkers this time (I still haven’t been!), but Brian and Brian from Internetwork Expert are there and they are liveblogging various talks at the event. Most notably for you readers, Brian McGahan reports that changes are coming to the CCIE Security Lab Exam! Here are a few of the most significant changes from his post:
- PIX Firewall – Removed
- VPN 3000 Concentrator – Removed
- New Routers – 3800s running 12.4T
- New ASA Software – Version 8.x
The addition of MARS and NAC to the lab is still possible, too, but not official. In fact, Brian points out that this is not an “official” announcement of the changes at all. Thanks to Brian and Internetwork Expert for keeping the CCIE Security community so up to date!
Some of these changes are pretty big. Let’s look at a few of the implications that come immediately to mind. Please keep in mind that even though I work for Cisco, I don’t have anything to do with Certification and these are NOT THE OPINIONS OF CISCO. They are my own.
First off, the general rule is that changes will come into effect six months after the official announcement. So, if you’re studying now and plan to take the test within the next six months, you probably don’t have anything to worry about.
PIX Firewall – Removed
I don’t think the removal of the PIX means much to test takers. The ASA does everything the PIX does and more, so no features will go missing from the test. Unless there’s something I’m forgetting. If so, please weigh in with a comment!
VPN 3000 Concentrator – Removed
This removal is a bigger deal than the PIX. Without the 3k, you have to figure that the VPN focus will shift to the ASA and IOS routers. It’s not going away.
This is also a loss of a GUI on the test, as currently you can configure the 3k and IPS with a GUI.
New Routers – 3800s running 12.4T
This is a really big deal! What a jump from 12.2T to the latest and greatest! There are lots of features in 12.4T that aren’t in 12.2T that might be fair game now. For example, WebVPN and Zone-Based Firewall. The addition of 12.4T could greatly increase the scope of the test and the importance of the routers in the exam. What new security features jump out at you in 12.4T?
New Switches – 3560s running 12.2(x)SE
Honestly, I’m not that familiar with the switches. This could just be a hardware bump. Today’s software is 12.2(x)SEE, so I don’t think that’s really changing. Is there something that the 3560s can do security-wise that the 3550s can’t?
New ASA Software – Version 8.x
This is another big change! If you’ve used ASA 8.x at all you know that the SSL VPN features have been greatly improved and expanded. SSL VPN is listed on the current blueprint, so the topic isn’t new, but the implementation definitely is, what with AnyConnect and portal customization. 8.x also introduces Threat Detection, EIGRP, and MPF Enhancements among other things. Check out the ASA release notes for more.
IPS 4215 Replaced With IPS 4240
This looks like just another hardware bump. I think the real change here is…
New IPS Software – Version 6.x
I’m not really sure what the new features are in 6.x. I believe one major new feature is the ability to create multiple virtual sensors. This could lead to some interesting configurations. A quick perusal of Cisco.com also suggests that 6.x has good integration with MARS.
Thanks again to Internetwork Expert for covering Networkers. Hopefully these initial thoughts will prove helpful, but don’t freak out if you haven’t ever seen ASA 8.x or you’re still on 12.2T; there’s still time!
