Starting from scratch...

Hello everyone,

I've been a system/network Admin for about 12 years now was laid off 6 months ago, still out of work, and was at burn out and swore I would never go back to IT..........but here I am now, refreshed and ready to go again, but I would love to, need to, go down a different path - IT security, specifically FW's. I have basic knowledge of firewalls and administered ISA server for a couple of years so I do have some basic experience, but absolutely have no experience or have ever seen the Checkpoint interface or know anything about it.

From looking at Checkpoints website I would like to start with the CCSA route and would be so proud and releived if I could obtain that certification (would be my first non MS cert!).
But I'm confused at what to start with. Should it be the CCSA NGX R65 or NGX & NSA??? What's the difference?
Is Checkpoint a software based FW? or is it only installed on a Nokia platform?

They have an ATC that offers a 2 day course but what can I possibly learn in 2 days that would help me obtain the CCSA.

What's more important of course than the cert would be the training. should I buy the product and install it on a home pc? and what books or study guides would you consider? Is a home lab practical??? How dud you guys do it?

Can anyone help out and guide me down this new and intimidating and exciting road??:)
Thanks!!!

Find more posts tagged with

Comments

Turgon

openallnight wrote: »

Hello everyone,

I've been a system/network Admin for about 12 years now was laid off 6 months ago, still out of work, and was at burn out and swore I would never go back to IT..........but here I am now, refreshed and ready to go again, but I would love to, need to, go down a different path - IT security, specifically FW's. I have basic knowledge of firewalls and administered ISA server for a couple of years so I do have some basic experience, but absolutely have no experience or have ever seen the Checkpoint interface or know anything about it.

From looking at Checkpoints website I would like to start with the CCSA route and would be so proud and releived if I could obtain that certification (would be my first non MS cert!).
But I'm confused at what to start with. Should it be the CCSA NGX R65 or NGX & NSA??? What's the difference?
Is Checkpoint a software based FW? or is it only installed on a Nokia platform?

They have an ATC that offers a 2 day course but what can I possibly learn in 2 days that would help me obtain the CCSA.

What's more important of course than the cert would be the training. should I buy the product and install it on a home pc? and what books or study guides would you consider? Is a home lab practical??? How dud you guys do it?

Can anyone help out and guide me down this new and intimidating and exciting road??:)
Thanks!!!

I will bump this as I need a short break and light relief from studying routing protocols. Getting a few non MS certs is certainly a good thing. In my case the CNE and Cisco qualifications certainly helped me. Checkpoint is an appliance and is a very popular firewall. If you aspire to work with it you must get some hands on experience. Assuming you get qualified in Checkpoint, if you get a break working with it you will most likely be working alongside support professionals who have a lot of experience using Checkpoint but not certifications in it. They may be impressed that you have the certificate. They will then be disappointed to learn that you don't know how to use a checkpoint firewall. This goes for any certification you obtain. Get equipment and get some hands on.

Download the evaluation and spend many hours using checkpoint on a PC at home. Alternatively see if you can pull a used Nokia off ebay or from a reseller of used equipment. So far as the exams are concerned there are practice tests available and a range of books. You will want to look over the PDFs on the Checkpoint website. If you can afford a class so much the better because self study of anything for all it's benefits has pitfalls. Nothing beats hands on instruction by a skilled instructor. Your certification value is proportional to the extent you have become more useful to an employer.

shednik

Just too add to turgon's post I also would recommend getting some hands on practice. I know people have virtualized the firewalls and provider-1 as well. Looking at the objectives for the CCSA you don't need to learn P1 yet bit just learn smart center inside and out.

I just wanted to add I feel that if you have a good base understanding in networking overall that you can pick up checkpoint very easily, Security+ knowledge as well will just make it even easier.

Turgon

shednik wrote: »

Just too add to turgon's post I also would recommend getting some hands on practice. I know people have virtualized the firewalls and provider-1 as well. Looking at the objectives for the CCSA you don't need to learn P1 yet bit just learn smart center inside and out.

I just wanted to add I feel that if you have a good base understanding in networking overall that you can pick up checkpoint very easily, Security+ knowledge as well will just make it even easier.

Agree. You definitely want as much hands on using checkpoint as you can get before working with it in the field. The cert can give you awareness of what the technology is capable of but you really need to use it. It isn't difficult to drive. If you want to be working in areas where checkpoint upgrades, migrations and installs are involved even more hands on is essential.

PetterD

CheckPoint Firewall-1 can be installed on different types of system;

- Nokia (running IPSO os)
- Solaris
- Windows server
- RHEL
- SecurePlatform ("hardened linux" based on RHEL)

(might be some others aswell, but these are the ones i got experience with).

7-8 years ago when i started working with CheckPoint (version 4.0 and 4.1) we had alot of customers running the enforcement modules on Nokia,NT4 and a few on Solaris, nowadays 99% of our customers runs it on SecurePlatform. SecurePlatform comes as a bootable .ISO image and you can install it on a virtual machine, or any of the supported hardware platforms.

Open Servers HCL: Hardware Compatibility List)
NIC HCL: Certified Network Interfaces - All Products
VM HCL: Products supported on VMware ESX

To just play around with the Gui you can install the "SmartConsole" clients on your machine and run it in "DEMO" mode.
To play around with a real installation the easiest way is to obtain a SecurePlatform ISO-image, install it and use the included 15 days evaluation license, and have access to all the features.

A standard installation of CheckPoint Firewall-1 nowadays (atleast at our customers) is separated into 2-3 machines:

- SmartCenter (the Firewall-1 Management where the policy is configured and the logs are sent from the enforcement modules)
- 1 or 2 Enforcement module(s). If the customer wants to have HA/Failover we add an extra enforcement module and use CheckPoint ClusterXL with shared IP.

Larger customers might want to add another machine and install the "Log Module" and separate this from the SmartCenter to reduce load on the SmartCenter. Customers with 10-20+ CheckPoint firewalls often installs this on a separate machine.

For a LAB you are good to go just installing a single machine with the Enforcement module and SmartCenter on the same computer/VM.
If you later on decides that you want to have a separate SmartCenter you can install this on a separate machine.

Turgon

PetterD wrote: »

CheckPoint Firewall-1 can be installed on different types of system;

- Nokia (running IPSO os)
- Solaris
- Windows server
- RHEL
- SecurePlatform ("hardened linux" based on RHEL)

(might be some others aswell, but these are the ones i got experience with).

7-8 years ago when i started working with CheckPoint (version 4.0 and 4.1) we had alot of customers running the enforcement modules on Nokia,NT4 and a few on Solaris, nowadays 99% of our customers runs it on SecurePlatform. SecurePlatform comes as a bootable .ISO image and you can install it on a virtual machine, or any of the supported hardware platforms.

Open Servers HCL: Hardware Compatibility List)
NIC HCL: Certified Network Interfaces - All Products
VM HCL: Products supported on VMware ESX

To just play around with the Gui you can install the "SmartConsole" clients on your machine and run it in "DEMO" mode.
To play around with a real installation the easiest way is to obtain a SecurePlatform ISO-image, install it and use the included 15 days evaluation license, and have access to all the features.

A standard installation of CheckPoint Firewall-1 nowadays (atleast at our customers) is separated into 2-3 machines:

- SmartCenter (the Firewall-1 Management where the policy is configured and the logs are sent from the enforcement modules)
- 1 or 2 Enforcement module(s). If the customer wants to have HA/Failover we add an extra enforcement module and use CheckPoint ClusterXL with shared IP.

Larger customers might want to add another machine and install the "Log Module" and separate this from the SmartCenter to reduce load on the SmartCenter. Customers with 10-20+ CheckPoint firewalls often installs this on a separate machine.

For a LAB you are good to go just installing a single machine with the Enforcement module and SmartCenter on the same computer/VM.
If you later on decides that you want to have a separate SmartCenter you can install this on a separate machine.

Thanks Peter. Where do you obtain the secureplatform ISO? Is this the Checkpoint R70 download available on the CP website. I have a copy of R65 NGX at home so this isn't an issue for me personally but others may need secureplatform.

PetterD

Turgon wrote: »

Thanks Peter. Where do you obtain the secureplatform ISO? Is this the Checkpoint R70 download available on the CP website. I have a copy of R65 NGX at home so this isn't an issue for me personally but others may need secureplatform.

To download the ISO-images from CheckPoint you need an UserCenter Account with the appropriate permissions. Since i work for a reseller, I can download all the software directly from CheckPoint Download, so I havent really thought about how to get the software before

I searched around a bit and found this page:
Try Our Products - Check Point Software

Looks like you can just fill out a form and Download SecurePlatform directly from CheckPoint using a UserCenter account that you can create during the download/evaluation process.

99% of our customers run SecurePlatform, not SecurePlatform Pro. SecurePlatform and SecurePlatform Pro are using the same installation package/ISO-image, and will prompt you during the installation process. SecurePlatform Pro allows you to use advanced routing (OSPF etc). If you decide that you want to enable or disable SecurePlatform Pro after the installation of either, run the command "pro enable" or "pro disable" and reboot the machine.

SecurePlatform Pro requires an additional "SPLAT PRO" license from CheckPoint in order to activate the advanced routing features.

isharted

Note: the 99% statistic doesn't reflect the distribution for all companies. There is still a good percentage of companies on Nokia hardware (I would estimate at least 10-20%). Also, many companies use Crossbeam XOS for higher-end deployments. A much smaller percentage use Crossbeam COS.

SecurePlatform is definitely the best platform to learn with. Just don't rule out all of the others

PetterD

isharted wrote: »

Note: the 99% statistic doesn't reflect the distribution for all companies. There is still a good percentage of companies on Nokia hardware (I would estimate at least 10-20%). Also, many companies use Crossbeam XOS for higher-end deployments. A much smaller percentage use Crossbeam COS.

SecurePlatform is definitely the best platform to learn with. Just don't rule out all of the others

Thats true, the market in other countries are also a bit different from here i live and work. Any my "99%" is a guesstimate based on the customers i work for, not the rest of the world.

A very big Norwegian company is a small to medium US company..

We have quite a few old Nokias on R55 left, but they are all moving away from Nokia to SecurePlatform (or CheckPoint UTM-1 appliances).

CheckPoints release of the new UTM-1 appliances (with licensing that some times make it alot cheaper to buy a UTM-1 Appliance hardware and software, than to just purchase the license and run it on your own server) makes it very tough to sell Nokia today..

Some customers may require a specific platform (Nokia/Xbeam), but most are very happy with the performance and stability of the SecurePlatform on their own server (or the UTM-1).

CheckPoint purchased the security/appliance devision of Nokia a while ago ( Check Point Signs Agreement to Acquire Nokia's Security Appliance Business - Press Release) and its definately the UTM-1 we see most of the focus on, not Nokia.

If you want to learn more about IPSO to work on Nokias, you should definately get yourself a Nokia Appliance (just make sure it got enough "juice" since the old Nokias cant run NGX/R70.. ) If you just want your CCSA/CCSE and learn more about Firewall-1/CheckPoint, the easiest is definately SecurePlatform.

GAngel

Is there a book we can purchase for CCSA R70 and if so where do i find it.

Appleshine

wish you good luck!

boond0x

GAngel wrote: »

Is there a book we can purchase for CCSA R70 and if so where do i find it.

Sorry for bumping an old post/thread, but is the only place to get study guides for CCS R70/R75 the Checkpoint website?

That's the only place with current, updated titles.

Thx!