First Look at the CCNP Security Refresh

Nhames GroupUncategorizedFirst Look at the CCNP Security Refresh

Today Cisco announced a significant update in the CCNP Security program. As with other program changes, Cisco is allowing candidates time to complete their current studies. However they are aggressively moving everyone toward the new curriculum. Those having already passed exams toward their CCNP Security will receive appropriate credit as though they had taken the equivalent new exam(s).

The Changes

To get a clear picture of the program changes I have created a comparison of the previous and now current courses and exams.

CCNP Security Old vs New
As mentioned, CCNP Security candidates who have taken previous exams will not need to retake the equivalent current exam or exams. Cisco will give the appropriate credit toward the revised CCNP Security certification. Those currently preparing for an exam should realize that the previous exams will not be available after the date noted on the testing information area of the Cisco Learning Network. In at least some cases, these exams appear to have the last test date of April 21, 2014. So it is apparent that Cisco is very aggressively moving candidates to the new curriculum.

The Good

While this announcements includes significant changes, the intent of the program seems consistent with previous goals for the CCNP Security program. Those successful in fulfilling the requirements for the program have demonstrated proficiency as it relates to securing networked resources with Cisco solutions. This includes routers, switches, Firewalls, VPN, and content filtering appliances.

Based on each of the new exam blueprints, I think the new courses actually align a little closer to typical job roles found in an enterprise environment. This is in comparison to the previous courses that seem to align a little more closely with devices and products than roles. This becomes more obvious as a deeper look is taken into each of the exam blueprints.

CCNP Security Major Focus

When comparing the old and new blueprints, it is apparent that some of the topics that were migrated from SECURE to SENSS (the new FIREWALL). Others items have been migrated to SIMOS (the new VPN). This results in the filtering of transit traffic all being covered in one course, regardless of what device is being used. Likewise all VPN combinations seem to be covered in the single course called SIMOS.

This allows SISAS (the new, but quite different SECURE) to go much deeper into things like AAA, identity management and posturing. Therefore it covers many relevant issues found as enterprises adopt internal mobility and address challenging BYOD initiatives.

Another significant change is the migration from IPS to SITCS. The new course is much broader and more completely covers the solutions used to perform complex application level security. By covering ASA CX, Cloud Web Security, Ironport (ESA and WSA), and IPS, SITCS covers most forms of Cisco application layer protection and deep packet inspection.

The Bad

We’ve probably lost a few technologies in the program change. While I’ve not yet had an opportunity to compare the official course materials, I don’t immediately see anything that looks to include zone-based firewalls for IOS in the new blueprint. While it’s less relevant, I also don’t see any mention of traditional remote access VPNs (EZVPN). This is a natural progression in the evolution of technology and is only really bad if it is still found in a given environment.

One other thing I notice is that it will be more difficult to purchase a lab incrementally. Based on the blueprint, I believe that both SENSS and SIMOS will require routers, switches and firewalls at a minimum. SITCS and SISAS are even more challenging and expensive to build a lab for. So unless Cisco announces a solution with VIRL/CML or Cisco Learning Labs, I think individual preparation may require lab rentals.

The Ugly

While I believe there are some significant changes to the CCNP Security, I believe these changes are positive. While it is completely cosmetic, I find the new acronyms challenging and something that will have to be memorized by those they pertain to. Without prior knowledge, it was much easier for me to guess what was covered in FIREWALL than in the new SENSS course. So to have conversations around this program, I may need to keep a cheat sheet around so I can differentiate between SENS, SITCS, SISAS and SIMOS. In fairness, there may not be an easy way to create self explanatory short names for these. This problem likely arose when the content was aligned with function, as opposed to devices.


The CCNP Security program was starting to get a little long in the tooth. Having realized the need to more completely cover security solutions that are relevant today, Cisco revamped this program. Like the continual change in our industry, this program change is more evolutionary than revolutionary. I certainly think the changes are steps in the right direction, a commitment to the program, and should not be dreaded or feared by candidates.

First Look at the CCNP Security Refresh

Posted on by Paul Stewart, CCIE 26009 (Security)

Post your comments here

Your email address will not be published. Required fields are marked *