I just got back from taking the Tactical Perimeter Defense exam, the qualifying exam for the Security Certified Network Specialist (SCNS) offered by the Security Certified Program. After a search here, it looks like I may be one of the only people on the board who has actually sat for an SCP exam -- though I see at least a half dozen people that have taken courses or studied/thought about studying it for a time. These are my own experiences with the exam.
A little backstory, and my motivation to take the exam:
I started on the CCNP track in Fall of 2008, around the same time I became involved in a very interesting development project that has nothing to do with Cisco. Not having -NP level work exposure to the material, and not being able to get it at my current employer, I decided to not pursue any of the exams after ONT. Instead, I studied the information without the intention of taking the exams.
So, I haven't studied for the purposes of sitting a cert exam since Fall 2008 (the Linux+ 2009 beta was essentially a walk-in). I wanted something light, but interesting, to get me back into gear. The SCNS is marketed as a lower-level network security certification, with a promise of more interesting information in their Professional and Architect exams, each requiring the passing of the preceding exam. The SCNS seemed like a good way to get back into the swing of things, maybe pick a few things up, and if I liked it, there would be more waiting for me.
Another motivation was the DoD accreditation. After you take the SCNS, you can take the SCNP and SCNA to meet the DoD "Information Assurance - Technical" (IAT) Levels 2 and 3, respectively. However, this part is a little bizarre. For the SCNS cert, it is recommended that you have the knowledge to pass CompTIA's Security+ exam. SCNS does not fall in on the IAT spectrum, but the Security+ qualifies a candidate for IAT level 2. So, if you passed the Security+, you don't really need the Level 2 qualification from the SCNP. If DoD accreditation is what you are interested in, realize that you would probably need to pursue the SCP exams up to the Architect level to make it worthwhile -- that would qualify you for Level 3 technical work. On the other hand, the CISSP is a qualifying certification for Level 3 Technical and Managerial positions within this hierarchy.
The real draw, though, was just to give myself a small challenge and have some fun with it. They say they cover Cisco IOS and some Linux utilities (iptables and Snort), so I figured I would be very well on my way.
This was all before I got the book. I have read criticisms (here and elsewhere) about the cost and content of the book, and my initial reaction was to agree.
This was the book I used, and I believe it is the only published study source explicitly for the exam. Mine cost me ~$90 US plus shipping, although I see it currently listed at $100 on Amazon. I received it last Wednesday. A few points on how I felt about using the book to study for the exam:
- It is obviously designed for classroom use rather than self-study for the exam. There are decent end-of-chapter questions... but there are no corresponding answers, making it less useful for self-assessment and validating an understanding of the concepts.
- Upon first receiving it, excitedly cracking it open, and digging in, I became a little disappointed -- I had indeed wanted something light, but this material seemed exceedingly fluffy. By halfway through the book, I began to have doubts about the exam.
- Parts of the book are decent, but parts of it seem a little out of touch with reality. It goes from a pretty decent section on IPv6, to features and means of configuring IGRP in the next chapter. It also covers the syntax of IPX ACLs and SAP filters. There were some odd statements regarding Linux as well. I ignored most of this stuff -- really odd.
I ended up only glancing through the book to take note of subjects that it hit upon. I didn't find many technical errors, though the ones I did were worrisome -- like the authors appearing to have listed Secure HTTP (S-HTTP) with the definition of HTTPS. They never talk about HTTPS, which would be the more obvious one of the two to discuss in the context of the section (which is on public key cryptography). The disturbing part is that this is an easy mistake to make for someone who doesn't know these are two different things. Typically, literature covering the two would explicitly mention that they are different technologies, since it is confusing for beginners.
Two days later, I was sure I had distilled all I was going to get out of it, and scheduled the exam for the next available day, today. When I made my mind up to schedule, I was more than a little disheartened at how basic the exam seemed -- if the book was an accurate guide for the information covered by the exam, it would hardly cover more than some basic definitions and concepts, and some silly things like installing programs. There would be no challenge. That said, before I had even determined what exam I was going to go after, I knew I wanted to follow it through and get something done. So, at worst, I wouldn't be as satisfied as I could have been.
So, on to the actual exam. What a night and day difference from the book! The book did not prepare me at all, and I sincerely think that this is the best thing that could have happened. Because of this, I really enjoyed taking the exam. Since I had not formally prepared myself for the exam content (thanks to the book), it was really a “my experience versus the exam” scenario. This was the first time I had sat for any exam, ever, having no notion of what would come next and knowing that I had to continue -- it was pretty exciting!
There were some fluffy questions, but there were really some interesting and detailed technical questions. Quite a few of them looked rather daunting at first, but some logical analysis of the answers easily weeded out the right and wrong responses. There were even some trivia questions that you wouldn't know unless you had really studied some of this stuff in great detail (wish I could give you an example!). All said, I was happily surprised with the exam. I passed the exam, but its major saving grace was its unexpectedness -- it was just what I wanted.
If actually reading the book wasn't enough, taking the exam really got me wondering what was up with that stack of paper. Today, I thought to look up the authors, Randy and Dawn Weaver, on the “Find a Security Pro” feature which lists all the SCN*s, available on the SCP website.
Only one Weaver, and it's not a Randy or a Dawn... the book was published in 2008, so they either let their certs lapse recently (2 year validity, and they could have passed well before writing the book), or they never took the exam to begin with. I have no way of knowing, but I think either would be entirely possible. The book presents an obvious baseline of material that you would need to be well acquainted with, but the exam goes a lot deeper.
My conclusions for this experience are as follows:
- If you are preparing for this exam, you should probably already know the introductory ideas that riddle the Weaver book, or be prepared to study quite beyond that.
- The book probably sheds the worst light on this exam, and I completely understand why people have looked elsewhere after reading it.
- The goal of the certification seems to be a hands-on version of the Security+, so if you do want to prepare for it, try it from that angle. Know the hands-on stuff. Thankfully, this was a strong point for me.
- From a practical perspective, I don't think this cert will help very much for professional growth; it doesn't seem to be well recognized. Other certs will offer more in the way of recognition. Take this spontaneously if you have the background and the money to burn, and you want a fun little challenge.
I'm curious what the Professional exam covers, but I'm not sure I'm interested enough to find out. Next up will likely be LPIC-1 and possibly 2, with SSCP a little further off on the radar. But probably no more exams until work gets sorted out with funding for a new project.