Signed up for the SANS 502 GIAC Certified Firewall Analyst (GCFW) course just now
Paul Boz
Has anyone else here taken this course? I'm doing the self-study option with test challenge. It should be very interesting. For $3500 I'd better get my company's money's worth.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
Comments
Paul Boz: I got access to the online mentoring and MP3s in the middle of last week. The books will be here tomorrow, but I'm flying to Minneapolis in the morning so I will get them on Wednesday night. So far I am very impressed with the course. The information is very concise and is making me remember a lot of fundamentals from the Cisco studies I've done.
The course starts with a review of TCP/IP/UDP (headers, ports, fragmenting, fragment attacks, malformed headers, IP options, labs). Section 1 is primarily focused on understanding TCP/IP/UDP and how firewalls use the header and content data to make decisions. Section 1 is concluded by a review of IPv6. It is very high-level.
I started section 2, perimeter protection - packet filters, this morning. Module 1 covers static and stateful firewalls. I just concluded module 2, which was on stateful inspection and NAT.
The format of the online training is very nice. Each section is broken down into several modules, which are further broken down into topics. Each topic usually contains anywhere from 10-35 slides. There is then a series of quiz questions for each topic. 80% is required to pass the topic. If you don't get 80% or higher, you should probably review.
Tomorrow when I'm flying I'm going to listen to the MP3s for day 1 and do the labs in the hotel. I'm going at a very fast pace right now, but most of the material is a review from previous studies. The heavy material is going to be over the next few days. I plan to finish the web-based stuff over the trip, then crack the books when I get home. I have until December 1st to challenge the exam, so I'll review the material a few times.
Paul Boz: I flew to Minneapolis yesterday and got the first day's MP3s down. The material on the MP3s is the same audio as the web-based learning, so it was a good review. I'm reserving all of the labs for the entire course for the end; I like to lab everything at once.
I also reviewed the IPS/IDS stuff and got some good perspectives on each respective technology. Chris Brenton makes the argument that it's better to use an IDS and manage it actively than to use an IPS, because a false positive from an IPS can directly impact traffic flows. On the other hand, as we all know, an IDS does not. This makes a lot of sense to me. He also said that all an IPS is, is a stateful inspection firewall that costs more dollars. That also makes sense.
dynamik: Dude, are you in town for a while? Send me a PM and let's grab a beer!
Paul Boz: PM sent. I'm available tonight; otherwise I'm flying out tomorrow. Hopefully we can get together. I'm at the Hotel Minneapolis on 4th Street. It's a Doubletree. It's right up the street from the Metrodome.
dynamik: I couldn't believe there was a Doubletree on 215 4th St. S and 215 4th St. SE. Insane! (Of course I went to the wrong one first.)
So PB is officially awesome to have a drink with; very interesting guy!
Although, it was a bit painful to hold the laughter in as he explained to other patrons that he "robbed banks" for a living. Their minds were blown.
Paul Boz: Haha, yeah, that double Doubletree thing was insane. How the hell did they coordinate that?!
You're also an awesome dude to grab some beers with! It's funny about blowing people's minds about what I do. I encounter those types of situations pretty much everywhere I go. Sometimes I avoid it because I wind up getting into hour-long conversations.
Paul Boz: On the flights to and from Minneapolis I listened to the first and half of the second day's MP3s. They're the same audio that is on the slides. The only thing I dislike is how long the MP3s are. Some of them are over 1 hour long, and it makes rewinding a bit cumbersome.
My books arrived on Monday and were waiting for me when I got to the office on Thursday morning. They're pretty much exactly what's on the slides that come with the self-study online portal, but they have very good descriptions and go with the audio. Starting last night with Book 1, I started going page by page, highlighting the objectives from the slides and then the detailed text that relates. I worked on that a little at work today also. The exam is open book, but the books don't have tables of contents or indexes, so I'm making them myself in Excel. I have columns for what the subject material is, what book it's in, which page it's on, and special notes for quick reference. My objective is to get the highest possible score on the exam, so I want to be able to quickly reference the book material so that no time is wasted.
You can bring in any normal sized backpack or briefcase full of non-electronic resources. This includes the SANS books, any other books, hand written notes, indexes, conversion charts, etc. So far I plan to bring:
- SANS books, highlighted, tabbed, and notated.
- IPv4, TCP, UDP, ICMP packet header charts with all options and bit markers
- firewall vendor product comparison chart
- various network topology diagrams
- Personal notes regarding the labs from the course
I get two practice tests with the purchase of the exam challenge, so I plan to prepare for the exam as though I'm taking it in two months. At the two-month point I am going to collect all of my materials for the test and simulate the exam by going to LSU's library (about five minutes from my house), checking out a quiet room for four hours, and attempting the first practice test. This will allow me to know what resources are helping my effort, what I can discard, and maybe identify areas that I'm weak in.
For the next two months I'll continue to review the materials on an ad hoc basis. The online mentoring software has unlimited practice quizzes on each sub-section of each book. This allows me to keep sharp. If I haven't reviewed a section's material in a few days, I'll take the quiz and see how I do. If I have problems, I re-review the slides. I want to memorize everything in these books. The week before the test I'm going to re-simulate the exam in the same fashion as at the two-month mark. This will allow me a final week to review everything from a high level. I should then be able to get a high score on the exam a week later.
Paul Boz: I wrapped up book 1 last night. It was titled "TCP/IP For Firewalls" and was a very good read. It covered nothing I hadn't seen in my networking studies, but was a great refresher for topics I hadn't covered in a while. It also made clear why certain areas of the IP packet are important for security. Prior to this course I never put as much value in understanding packets on a bit level. I would recommend this course and certification for anyone with a solid networking background.
Last night I started on book 2. It covers static, stateful, stateful inspection, and IDS/IPS. I've covered all of these subjects in my other certification pursuits, so I should get through it very quickly. I've also already done this material in the online training, and I listened to the MP3s when I was traveling last week.
Paul Boz: Book 2 came and went quickly. The last 1/5 of the book was on securing Cisco routers. I made extremely quick work of that material (CCNA-level stuff on ACLs, hardening the router, etc.). I started in on book 3 and I'm about 50 pages into it. However, I'm about to shelve it for the time being and pick up book 6. Everything that I've been doing so far has been from the packet and even bit level, but book 6 is on design considerations. I enjoy design, so I want to shift gears and go that route with this material, at least for the time being. Book 6 is the shortest of them all, so I'll be right back into the hardcore stuff soon.
L0gicB0mb508: Are you doing the self-study? I am thinking about taking the Intrusion Detection In-Depth course. How do you find the material and all that? I guess, is it really worth the cash?
RTmarc:
L0gicB0mb508 wrote: Are you doing the self study?
Paul Boz wrote: I'm doing the self study option with test challenge.
Where did you learn to read??
Paul Boz: Yeah, doing self-study. It's GREAT. I usually self-study for everything anyway, but they make it very easy. They send you the same books you test on, and they are the same books you'd get if you went to one of their bootcamps. The MP3s are a recording of the main instructor at a conference teaching the class. The self-study online stuff allows you to quiz on the material you covered and is very nice also. I'm very pleased so far.
Paul Boz: I had some free time today, so I took one of my two available practice tests. You get 4 hours to complete 150 questions. I have gone through about 85% of the material and zero labs so far and scored a 75%. You need a 70% to pass, so I was pleased.
L0gicB0mb508:
Paul Boz wrote: Yeah, doing self study. It's GREAT. I usually self study for everything anyway but they make it very easy. They send you the same books you test on and are the same books you'd get if you went to one of their bootcamps. The MP3s are a recording of the main instructor at a conference teaching the class. The self-study online stuff allows you to quiz on the material you covered and is very nice also. I'm very pleased so far.
Thanks for the insight! I'm either going to do the intrusion analyst one, or the GPEN. I'm not sure yet.
Paul Boz: I set a date. I'm taking it on November 13th. I passed my practice test on the first attempt, and I have continued to improve my understanding of the material. I have about 45 days to continue studying. Currently I'm installing Snort so that I can get the basics down for the GCFW. The Snort material is pretty high-level, but it's still a relatively major component of the exam.
It also works into my future plans as well. Once I finish the GCFW I'll have 45 days until my training budget resets. I should be able to complete the studying required for the CCSP's SNRS. I can then pay for and take that exam early in January, then spend another $3500 on the SANS GCIA (GIAC Certified Intrusion Detection/Prevention Analyst). That will be wrapped by May because you only get four months. That will leave me with $300 or so on my training budget that I can then spend on two more of the CCSP exams. That should round out next year. Hopefully I can stick to that plan.
coffeeking: Awesome plan, hope you can stick to it.
Thanks for the updates on your journey to the GCFW.
dynamik:
L0gicB0mb508 wrote: Thanks for the insight! I'm either going to do the intrusion analyst one, or the GPEN. I'm not sure yet.
I was surprised at how few people hold these certifications.
GPEN: 648
GCFW: 1333
GCIA: 2059
Paul Boz wrote: That will be wrapped by May because you only get four months.
So you have to take the exam within four months of starting the course?
coffeeking wrote: Awesome plan, hope you can stick to it.
He better. It's on now; he can't afford to slack off.
shednik: Paul,
I want full details on the hazing for Andrew. I see he's already talking smack, saying you better keep up.
dynamik: No, he's definitely ahead by a good amount. He'll just be hearing the footsteps if he doesn't keep up the pace.
GAngel:
dynamik wrote: I was surprised at how few people hold these certifications.
GPEN: 648
GCFW: 1333
GCIA: 2059
So you have to take the exam within four months of starting the course?
He better. It's on now; he can't afford to slack off.
If you were going for one of the above certs in the past, your resume was usually already stellar. Even still, SANS only has something like 30k certified total.
Paul Boz:
dynamik wrote: I was surprised at how few people hold these certifications.
GCFW: 1333
GCIA: 2059
So you have to take the exam within four months of starting the course?
He better. It's on now; he can't afford to slack off.
Yep, very few. I'd be interested to see how many hold both, but I don't know where to find that metric.
Also, yep, you have to take the exam within 4 months of paying for the course.
Paul Boz: I spent all weekend getting Snort up and running in Ubuntu as well as Server 2008 and Windows XP. I'd say I have a basic understanding of at least the setup now. Over the next week I'm going to read several books I got on Snort:
Syngress - Snort 2.1 - Intrusion Detection Second Ed
Managing Security with Snort and IDS Tools
Network Intrusion Detection (Snort)
Syngress - Hack the Stack - Using Snort and Ethereal to Master the 8 Layers of Insecure Network
Syngress - How to **** and Configuring Open Source Security Tools
Syngress - Snort Intrusion Detection and Prevention Toolkit
This should give me above-average knowledge for the GCFW and a good intro for the GCIA.
UnixGuy:
Paul Boz wrote: I spent all weekend getting Snort up and running in Ubuntu as well as Server 2008 and Windows XP. I'd say I have a basic understanding of at least the setup now. Over the next week I'm going to read several books I got on Snort:
Syngress - Snort 2.1 - Intrusion Detection Second Ed
Managing Security with Snort and IDS Tools
Network Intrusion Detection (Snort)
Syngress - Hack the Stack - Using Snort and Ethereal to Master the 8 Layers of Insecure Network
Syngress - How to **** and Configuring Open Source Security Tools
Syngress - Snort Intrusion Detection and Prevention Toolkit
This should give me above average knowledge for the GCFW and a good intro for the GCIA.
Good luck! I'm so jealous.
Paul Boz: Tonight I got EasyIDS up and running and created a test lab for Snort. Details here.
Paul Boz: I have now completed 36/37 online learning modules and passed the "end of module" quizzes. Tonight I'm going to knock out the packet-filtering lab, and that will complete all of the material. Once I've done that, I'm going to re-read all of the material to fill in any blanks and probably do my final practice exam this weekend. LSU has a bye week, so I should be able to fill up Saturday with GCFW material. I'm a month from the exam today and I feel like I could easily take/pass it now; I just want to get the highest score possible at this point.
I also created my own "book" on TCP **** and general TCP/IP packet information. So far my "book" includes:
IP/TCP/UDP header in pictorial format
IP header byte 9 values in hex and decimal format in a table
List of common TCP and UDP ports in a table
Primer on quick hex to decimal to hex conversion in case I draw a blank
TCP **** usage primer
TCP **** command guide
Printed SANS online training lab material on TCP ****
SANS Quick Reference TCP **** sheets
I'm going to make a Snort book this evening or tomorrow if time permits.
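A worked example of the bit-level header work this thread keeps coming back to: the "TCP/IP For Firewalls" material (header fields, fragments, IP options, how a firewall decides on header data), the header charts and IP-header-byte-9 protocol table in the home-made reference book above, and the static packet filter of book 2. This is added code, not the course's and not posted by anyone in the thread. The packets it decodes are constructed inline for the example, the filter policy (inbound TCP to 80/443, plus a router-ACL-style "established" match on the ACK bit) is an assumed toy policy, and the two fragment checks follow RFC 1858.

```python
"""IPv4/TCP header decoding plus a static packet-filter decision.
Added example for this thread, not course material. Sample packets are constructed."""
import struct
from dataclasses import dataclass

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IP header byte 9 (protocol field)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; a valid IPv4 header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class IPv4Header:
    ihl: int; total_length: int; dont_fragment: bool; more_fragments: bool
    fragment_offset: int; ttl: int; protocol: int; checksum_ok: bool
    src: str; dst: str; options: bytes


@dataclass
class TCPHeader:
    src_port: int; dst_port: int; seq: int; ack: int; data_offset: int; flags: set


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header, keep any options, verify the checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, tlen, _ident, ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F                      # header length in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 5 or ihl * 4 > len(pkt):
        raise ValueError("bad version/IHL")
    hdr = pkt[:ihl * 4]
    return IPv4Header(ihl, tlen, bool(ff & 0x4000), bool(ff & 0x2000), ff & 0x1FFF,
                      ttl, proto, ones_complement_checksum(hdr) == 0,
                      ".".join(map(str, src)), ".".join(map(str, dst)), hdr[20:])


def parse_tcp(seg: bytes) -> TCPHeader:
    """Decode ports, sequence numbers, data offset and the flag bits."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    doff = off_flags >> 12
    if doff < 5 or doff * 4 > len(seg):
        raise ValueError("bad TCP data offset")
    return TCPHeader(sport, dport, seq, ack, doff,
                     {name for name, bit in TCP_FLAGS.items() if off_flags & bit})


def filter_decision(pkt: bytes, inbound_ports=(80, 443)) -> str:
    """Stateless inbound filter (assumed toy policy): returns 'allow' or 'drop:<reason>'."""
    try:
        ip = parse_ipv4(pkt)
    except ValueError as err:
        return f"drop:{err}"
    if not ip.checksum_ok:
        return "drop:bad IP header checksum"
    if ip.options:
        return "drop:IP options present"       # e.g. source routing
    if ip.protocol != 6:
        return f"drop:protocol {IP_PROTOCOLS.get(ip.protocol, ip.protocol)} not permitted"
    seg = pkt[ip.ihl * 4:]
    if ip.fragment_offset == 1:                # RFC 1858: offset 1 overlaps the TCP flags
        return "drop:fragment offset 1 overlaps TCP flags"
    if ip.fragment_offset > 0:                 # no TCP header here to apply port rules to
        return "drop:non-first fragment carries no TCP header"
    if ip.more_fragments and len(seg) < 20:    # RFC 1858 tiny-fragment check
        return "drop:tiny first fragment truncates TCP header"
    try:
        tcp = parse_tcp(seg)
    except ValueError as err:
        return f"drop:{err}"
    if tcp.dst_port in inbound_ports or "ACK" in tcp.flags:   # ACK = ACL-style 'established'
        return "allow"
    return f"drop:TCP port {tcp.dst_port} not permitted"


def build_ipv4(payload: bytes, proto=6, src="192.0.2.10", dst="198.51.100.5",
               flags_frag=0, ttl=64, options=b"") -> bytes:
    """Constructed test packet with a valid header checksum (options padded to 4 bytes)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      flags_frag, ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split(".")))) + options
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)


SAMPLES = {                                    # constructed traffic, not real captures
    "syn_http": build_ipv4(build_tcp(40000, 80, TCP_FLAGS["SYN"])),
    "syn_ssh": build_ipv4(build_tcp(40000, 22, TCP_FLAGS["SYN"])),
    "ack_only": build_ipv4(build_tcp(40000, 2222, TCP_FLAGS["ACK"])),
    "udp": build_ipv4(b"\x00" * 8, proto=17),
    "tiny_frag": build_ipv4(build_tcp(40000, 22, TCP_FLAGS["SYN"])[:8], flags_frag=0x2000),
    "overlap_frag": build_ipv4(b"\x00" * 16, flags_frag=0x2001),
    "src_route": build_ipv4(build_tcp(40000, 80, TCP_FLAGS["SYN"]), options=b"\x83\x03\x04\x00"),
}
SAMPLES["bad_csum"] = SAMPLES["syn_http"][:8] + b"\x01" + SAMPLES["syn_http"][9:]  # TTL altered

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} {filter_decision(pkt)}")
```

Run it with `python3` and it prints one decision per sample. Two things to take from it: the `ack_only` packet to port 2222 is allowed purely because the ACK bit is set, which is exactly the weakness of the static "established" rule that stateful inspection exists to close; and the fragment cases show why a port-based filter has nothing to match on once the TCP header is in a different fragment, which is why RFC 1858 recommends dropping offset-1 and tiny first fragments outright.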
Paul Boz: I completed the last of the labs for the GCFW self-study tonight while the Saints game was on commercial. I was surprised to get a "pat on the back" style certificate of completion good for 36 CPE credits. I had no idea that the self-study material netted CPE credits. I'm pleased. The test is coming up shortly; I just have a week and a half or so to finish up. I'll probably take the 2nd practice test on Saturday when I get home and get my books together.
Paul Boz: I submitted my application for the GCFW gold paper today. I want to do the paper on improving outbound filtering to improve the perimeter. I should be able to do that paper without any problems. Dynamik has been waiting for almost a month for approval of his paper, so I hope they work quickly to approve mine. I'm going to Andy Dufresne them if they don't expedite.