Network (Security) Analyst/ (Security) Engineer: Core skills

Bl8ckr0uter

Well last night I came to the conclusion that I don't want to work with systems. Because of my CCNA/CCNA:S I have been getting a fair number of calls about network analyst/engineer positions. Some of them are Network Security Analyst and some (but not a lot) are Network Security Engineers positions.

At any rate, I am getting ready to beef up my resume and my knowledge. I am wondering what would be considered core skills for a (Jr) Network Analyst/Engineer or a (JR) Network Security Analyst/Engineer. For those of you that work in any of these roles, I'd like to hear from you. I know these titles can vary in meaning from company to company but I think Network Engineer is a consistently means CISCO/Juniper Networking and possible X Firewall brand.

ibcritn

That's a really good question I am interested in seeing the responses. I would gain skills with IDS (Snort). I would also throw away wireshark and use TCPdump/Windump, Vulnerability scanners would also be helpful (Nessus).

Wireshark is typically not used in security roles because it has many vulnerabilities.

Edit - I don't work in a directly network role. I use a lot of tools to evaluate entire systems, which include networking components.

networker050184

From a purely technical standpoint, the core to doing anything with networks will be routing and switching. From there you can branch off into other areas of specialization.

To start off I'd suggest you start down the CCNP path or at least learning the equivalent information even if you don't want to get the certification. After that since you seem to be very interested in security you can start down those paths. The CCNP Security would be a good idea if you plan on working with Cisco equipment but it is very vendor specific. If I were trying to get into security I'd probably go with the more vendor neutral stuff as they seem to be more popular and would open more doors for you.

Bl8ckr0uter

networker050184 wrote: »

From a purely technical standpoint, the core to doing anything with networks will be routing and switching. From there you can branch off into other areas of specialization.

To start off I'd suggest you start down the CCNP path or at least learning the equivalent information even if you don't want to get the certification. After that since you seem to be very interested in security you can start down those paths. The CCNP Security would be a good idea if you plan on working with Cisco equipment but it is very vendor specific. If I were trying to get into security I'd probably go with the more vendor neutral stuff as they seem to be more popular and would open more doors for you.

I have been thinking of doing the CCNP for a little while now but we have such a small set of gear it kind of made me not want to do it. I might give it a shot though. I know the SWITCH Material would be very helpful. We don't do much as far as routing is concerned (a few static routes).

My thoughts were CCNP:R/S>CCNP:S>GCIA>GCFW>GPEN and see where that takes me.

stuh84

Bl8ckr0uter wrote: »

I have been thinking of doing the CCNP for a little while now but we have such a small set of gear it kind of made me not want to do it. I might give it a shot though. I know the SWITCH Material would be very helpful. We don't do much as far as routing is concerned (a few static routes).

My thoughts were CCNP:R/S>CCNP:S>GCIA>GCFW>GPEN and see where that takes me.

I did the CCNP with 4 switches, one borrowed. The routing stuff I did entirely in Dynamips, it shouldn't be too hard to get hold of the switches you'd need for it.

cisco_certs

The Network Security Engineer that works with us has CCNP-Sec. He also have I think 10 years of experience on the firewall. However, even with the CCNP-sec, he is a jack of all trades. Like one of those guys that doesnt need a cert and is able to understand the full view of networking. He is now studying for CISSP.

Like the other poster says, Routers and Switches are the core skills. I think your plan is correct:

CCNP, CCNP-Sec then go to Security + (if you want DOD), C|EH or go straight to CISSP.

Goodluck

Bl8ckr0uter

stuh84 wrote: »

I did the CCNP with 4 switches, one borrowed. The routing stuff I did entirely in Dynamips, it shouldn't be too hard to get hold of the switches you'd need for it.

I have 2 2950s and I might pick up a 3550. That'll be all I will be able to afford. At work we use 3550s, 3560s and a few 3750s so I should get some practice there if I need to.
I should have a Dell Poweredge T110 that I plan to use for for ESXI. Do you know if you can use Dynamips in ESXI?

cisco_certs wrote: »

Like the other poster says, Routers and Switches are the core skills. I think your plan is correct:

CCNP, CCNP-Sec then go to Security + (if you want DOD), C|EH or go straight to CISSP.

I have Security+ already. I am going to knock out WCNA next month and the CEH in march and switch soon after that.

WCNA>CEH>LPIC(for school)>CCNP>SANS

SteveO86

I would definitely say CCNP.. You might not have much to work with now but CCNP/CCNP:Sec could open many doors for you with much larger networks.

I work primarily with Cisco so my opinion will be biased to anything with the word Cisco

As far as skill sets of a Network Analyst.. You'll definitely want to be more familiar with the finer details found in packets, as well as the overall flow of traffic in your network. Understanding Netflow is good as well. And being more a big picture type guy.

As far as the security aspect vulnerability scan are good to use, and understanding the results of the scan, knowing what ports are used for which protocol. Understanding Zone Based Firewalls and in depth packet/protocol inspection.

My official title at work is Network Analyst but I've never really gave it too much thought. It has always been just a title me. I just understand and optimize what I can, and if I have to turn on the packet sniffer and see why it's going wrong I do.

stuh84

Bl8ckr0uter wrote: »

I have 2 2950s and I might pick up a 3550. That'll be all I will be able to afford. At work we use 3550s, 3560s and a few 3750s so I should get some practice there if I need to.
I should have a Dell Poweredge T110 that I plan to use for for ESXI. Do you know if you can use Dynamips in ESXI?

I do believe it can be done, I've seen people using it before, just allocate enough resources to the VM and it'll work just as well I expect.

cisco_certs

Bl8ckr0uter wrote: »

I have 2 2950s and I might pick up a 3550. That'll be all I will be able to afford. At work we use 3550s, 3560s and a few 3750s so I should get some practice there if I need to.
I should have a Dell Poweredge T110 that I plan to use for for ESXI. Do you know if you can use Dynamips in ESXI?




I have Security+ already. I am going to knock out WCNA next month and the CEH in march and switch soon after that.

WCNA>CEH>LPIC(for school)>CCNP>SANS

thats good. make sure you back it up with work experience.
I have 4 of 3550 at home that I lab when i was jobless but I dont think you'll need those if you have GNS3 or work at NOC (deals with switches 9hrs/day like my job)

IMO you dont even need WCNA since most of the job postings doesnt usually says "WCNA required" unlike CCNA or CCNP. You can learn wireshark without even getting the certs. But thats just my opinion.

I think CISSP is more valuable than SANS when it comes to security.

Bl8ckr0uter

stuh84 wrote: »

I do believe it can be done, I've seen people using it before, just allocate enough resources to the VM and it'll work just as well I expect.

That's pretty cool. I can't wait to try it out.

cisco_certs wrote: »

thats good. make sure you back it up with work experience.
I have 4 of 3550 at home that I lab when i was jobless but I dont think you'll need those if you have GNS3 or work at NOC (deals with switches 9hrs/day like my job)

That's a problem. I don't work in a "CCNP" level environment so in a sense I will be paper certified. So I guess I need to try to certify into a role.

cisco_certs wrote: »

IMO you dont even need WCNA since most of the job postings doesnt usually says "WCNA required" unlike CCNA or CCNP. You can learn wireshark without even getting the certs. But thats just my opinion.

Yea you are probably right about the WCNA. While it looks fun, I might not be able to justify 300 bucks on a less than popular test. I did some thinking and some talking with the wife and she feels the same way. After LPIC for school, CCNP is up.

cisco_certs wrote: »

I think CISSP is more valuable than SANS when it comes to security.

That depends on how you define value.

I am also considering adding CWNA since I will have some wireless duties but I don't know yet.

LPIC(for school)>CEH>CCNP>SANS

This is looking like a realistic plan.

cisco_certs

Like others will say here, when you get a CCNA, your first priority is to back that up with Networking job experience and getting a CCNP will only damage you.

CCNP is not something you want to passed without experience. Like Mike said a CCNA with NOC experience is more valuable than a CCNP without networking experience which is very true. My co workers will laugh at anybody that has CCNP without networking experience since lots of old school peeps on the NOC doesnt even have CCNP but is already on a CCNP level when it comes to experience. I would say most of the are CCNP and CCIP level when I look at their experience. I recommend you start looking for a NOC job. You will surely learn a lot. Otherwise, you might get destroyed on an interview due to your CCNP. They will challenge your CCNP certs and make you look dumb.


About the CISSP. I guess you are right.

CWNA is a good cert. It shows the fundamentals/basics of wireless. However, this lacks a LOT/hundreds of real life information which are very important. For example: in the real world,
How to set up WCS? How do you upgrade the version?
How to set up WLC? How do you upgrade the config? What do you type in the IOS? What is service type? how do u set this up? What is virtual? how do you set this up?
How to set up RADIUS?
What kind of authentication to choose pertaining to business networking environment?
How do you make them talk?
How to use Airmagnet? Not the basic but do you really know that inside and out of air magnet?
How to secure wireless?
and the list goes on. lol

These are the things that you cant just google or learn in CWNA. I think CWNA is the CCNA of cisco but lacks the real world /LAB.

I recommend that you get the certs of what you are touching right now at work. If its switches and routers of cisco then go Cisco certs then move on to other certs that interest you. You should align the certs to your work experience.

Goodluck

Bl8ckr0uter

A little history about BLKRTR:

I use to work for one of the largest CISCO partners in my state as a NOC tech. I did this for almost a year. I then worked for one of their rivals for about 6 months. Realistically speaking I have about a year and a half of cisco experience, not counting my current job which has laster for another 7 months. It isn't particularly deep experience but it is experience.

When I was working at the first NOC there was a guy who came in with no experience and a CCNP. He was fresh out of the army and went to netcad for 2 years to get his CCNP. He ended up being promoted to a JR Network Engineer within 3 months. He didn't know that much more than the rest of us (I just had my CCNA at the time) but management thought he would be more capable of learning higher level networking.

The types of jobs I am looking for are mostly Network Analyst jobs. Basically JR Network Engineers and such. I have also looked for other NOC jobs but I haven't really found anything worthwhile. I did some thinking last night and I feel like if I get the CCNP cert and I am honest about my abilities than it won't hurt me. If worse comes to worse I could leave it off my resume. I won't apply for SR network Engineer positions because I know I don't have the experience. But I think I should be able to work my way into a Network Analyst position.

cisco_certs

What did you do as a NOC tech?

I think with that much experience, you can be a valid CCNP.

Thats a great story that he became a JR network Engineer after 3 months. How did you guys feel about it? Did you guys talk shi*? lol

Btw, everything I said was my experience so dont let that stopped you from getting what you want. I got on my current job because i proved to everybody that says you cant do that and its not possible blah blah blah that anything is possible with hard work and dedication.

My goal also is the impossible which is
CCNP-Wireless>CCNP>CCDA>CCDP>CCIP>CCIE and adding some low level certs in between like security + and CWSP

aiming for that CCIE on 2013-2014. Everything is aligned to be the best on Wireless and the core/networking/Router & Switches. After that I will aim for security for fun but my whole goal is to become a CCIE

its funny because when I looked back now. I used to think CCNA was the impossible. I was so scared to fail. Everyone keeps telling me there's no point passing it since you dont have real world experience, you will fail on the first attempt and here I am passing all my Cisco tests on my first attempts and working for the best company that I cant even say the name since its so known and prestige that I could turn into a target.

If you want it... Go get it!

Goodluck

millworx

It's entirely subjective to the job you have in mind. For instance at my position my knowledge as a Network Engineer requires me to have a deep understanding of IP routing protocols, such as RIP, OSPF and EIGRP. I also need a deep understanding of the ASA platform, access control and IPSec VPN's, and SSL VPN's, and 802.1x authentication. Since I'm managing partner connections to the corporate extranet. We do not use BGP or MPLS in our environment.

However if you are going for a NOC position or ISP, you will most likely need a deep understanding of IS-IS, BGP (especially be familiar with route reflectors if your configuring a very large nationwide networks), MPLS VPNs, and Private VLANs, in addition to the other core routing protocols like OSPF, and EIGRP. Load balancing is a huge thing in NOC positions too, so familiarity with F5 Load balancers would be a huge plus, as well as getting your hands dirty with some ASA/PIX configurations as well. Working with clients too who request more bandwidth throughput to their cages you'll probably want to have a good understanding of etherchannel as well.

It wouldn't be too bad too from a security standpoint to familairze yourself with the IDS/IPS appliance line and its integration with Cisco MARS, the command line is a lot different from the traditional IOS, familiarize yourself with port groups, VLAN groups, setting overrides so the unit will take certain actions based on threat level, configuring the appliance for promiscuous mode or inline mode.

I'de also have a very good understanding of SNMP and Netflow because in a datacenter every device is monitored.

That being said, most NOC environments dont use JUST Cisco, but you are also looking at Juniper and Big Iron (Foundry) products as well. That would include stuff like Juniper M-Series routers and NetScreen OS based Firewalls. But if your Cisco centric, as long as you grasp the above mentioned skills your transition to other vendor platforms should come very easy.

As a network analyst you wouldn't be doing much implementation, you would be more of a troubleshoot and maintenance person. And making recommendations based on current bottlenecks and problems in your network. The analyst position will be very documentation heavy by the way. So brush up on your writing skills!

Bl8ckr0uter

cisco_certs wrote: »

What did you do as a NOC tech?

I think with that much experience, you can be a valid CCNP.

I keep telling myself that I should have enough experience.

Most monitoring, IOS upgrades, basic troubleshooting, being the eyes and ears for the Network Engineers and so on.

cisco_certs wrote: »

Thats a great story that he became a JR network Engineer after 3 months. How did you guys feel about it? Did you guys talk shi*? lol

He was a cool dude so no we were cool about it.

cisco_certs wrote: »

My goal also is the impossible which is
CCNP-Wireless>CCNP>CCDA>CCDP>CCIP>CCIE and adding some low level certs in between like security + and CWSP

You think CWSP is "low level"? Interesting.
It doesn't look to impossible, it'll just take some time.

cisco_certs wrote: »

If you want it... Go get it!

Goodluck

There is just so much I want lol. That's the problem.

btowntech

I think you should start working towards your CCNP if that is what you want. Just remember that passing an exam for CCNP does not give you the cert. It may take you a year to pass all 3 exams to earn your CCNP. By then you'll have another year of experience under your belt. You'll also realize that it will start answering questions you've had about stuff and help you to better understand things at work (networking side at least).

powerfool

CISSP is a good vendor neutral certification to get if you want to do anything that is Information Assurance/Security related. While there has been a lot of focus on this and other IA certs in regards to the DoD and federal gov't, there is a lot of private sector activity in more sensitive industries, like finance, energy, health, etc.

As far as network specific, I would think moving to CCNP Security wouldn't be bad. While there is a lot that is Cisco specific, there are general concepts that hold; further, Cisco has serious marketshare... so if you have to do vendor specific, it is the way to go.

The one area I would get a little more broad in terms of vendors is with firewalls. Sonicwall seems to be gaining traction, and Sidewinder has a good reputation (though is overly complex in my opinion).

Network/packet analysis is another good route. Learning about Wireshark and general packet analysis with it is very good. While you may need to use another tool in the field, this is something that shows you understand the concepts and will be able to pick up new tools easily enough. Other tools include Network General Sniffer, Network Instruments/NetQoS Observer, and Wild Packets. Also, TCPDump is another open option... and firewalls like Sidewinder (being a Unix platform) have it built in.

EDIT: I would say that if you are trying to quickly get yourself positioned for a stronger position, CCNP would be faster than CCNP Security. Fewer exams... plus, CCNP Security really takes your understanding of those technologies and their vulnerabilities and protections into account. I am going to go the opposite order because I am not in any rush and really want CCNP Security... and then I will be doing CCNP just to refresh my renewal clock while I am finishing an MBA.

Bl8ckr0uter

powerfool wrote: »

CISSP is a good vendor neutral certification to get if you want to do anything that is Information Assurance/Security related. While there has been a lot of focus on this and other IA certs in regards to the DoD and federal gov't, there is a lot of private sector activity in more sensitive industries, like finance, energy, health, etc.
.

Probably some point in 2k12 I'll look at getting my CISSP. I still don't have enough experience and I know I could do associates, right now I don't think it would be an acurate representation of my skills and knowledge to get it. I don't have CISSP level IA knowledge and honestly I want to get a few more "techie" certs first.

powerfool wrote: »

As far as network specific, I would think moving to CCNP Security wouldn't be bad. While there is a lot that is Cisco specific, there are general concepts that hold; further, Cisco has serious marketshare... so if you have to do vendor specific, it is the way to go.

The one area I would get a little more broad in terms of vendors is with firewalls. Sonicwall seems to be gaining traction, and Sidewinder has a good reputation (though is overly complex in my opinion).

I mean I have never touched an ASA. I have logged into one like 1 time and that's it. I have actually decided to do the CSSA since we are a Sonicwall shop. Mcafee makes me want to punch someone some, well most times I deal with them.

powerfool wrote: »

Network/packet analysis is another good route. Learning about Wireshark and general packet analysis with it is very good. While you may need to use another tool in the field, this is something that shows you understand the concepts and will be able to pick up new tools easily enough. Other tools include Network General Sniffer, Network Instruments/NetQoS Observer, and Wild Packets. Also, TCPDump is another open option... and firewalls like Sidewinder (being a Unix platform) have it built in.

This is more of the track I want to take. I have decided to put myself back on the self study track for GCIA (and I am not changing anymore, I'm tired of it lol).

powerfool wrote: »

EDIT: I would say that if you are trying to quickly get yourself positioned for a stronger position, CCNP would be faster than CCNP Security.

I would agree. More people know about the CCNP than the CCSP/CCNP:Security. If I ever start working for a cisco partner or a job that will require higher level networking skills, I'll do the CCNP. I might just do it in 2012 for my renew but I don't know yet.

So my new, new path is this LPIC (school)>CSSA(work)>CEH>GCIA>GPEN

This should take me into early 2012.

Thanks for all the answers guys!!

cisco_certs

Bl8ckr0uter wrote: »

I keep telling myself that I should have enough experience.

Most monitoring, IOS upgrades, basic troubleshooting, being the eyes and ears for the Network Engineers and so on.



He was a cool dude so no we were cool about it.




You think CWSP is "low level"? Interesting.
It doesn't look to impossible, it'll just take some time.



There is just so much I want lol. That's the problem.

i said CWSP was low level because I was comparing it to Cisco tests which usually have labs.

When I said impossible, I was pertaining to CCIE. I still think its impossible but that doesnt mean Im not gonna try and get it.

I think we all wants so much.

Bl8ckr0uter

*bump*

cisco_certs wrote: »

IMO you dont even need WCNA since most of the job postings doesnt usually says "WCNA required" unlike CCNA or CCNP.

I'm really getting into this Wireshark thing, and I settled that I will do it. If nothing else, having "network analyst" on my resume can only help. Similar to the sniffer certified professional.


At any rate, I am pretty sure that I want to change things up a bit.
I know I want to take the elearn security course just for general security knowledge. I also know I want to do the SSCP (as to keep my infosec knowledge high and show my desire for infosec positions). Other than that, I think I will aim towards CCDA/CCNP as they are more affordable for my wife and I (150 per exam flies much easier than $900 ). I am not sure how much the CCDA will actually do for my resume, the material seems very interesting. Hopefully with some of the aforementioned certs, I can land a Network (or Network Security) Analyst job or possibly something like a JR Network Engineer. We will see.

Thought?

cisco_certs

Bl8ckr0uter wrote: »

*bump*




I'm really getting into this Wireshark thing, and I settled that I will do it. If nothing else, having "network analyst" on my resume can only help. Similar to the sniffer certified professional.


At any rate, I am pretty sure that I want to change things up a bit.
I know I want to take the elearn security course just for general security knowledge. I also know I want to do the SSCP (as to keep my infosec knowledge high and show my desire for infosec positions). Other than that, I think I will aim towards CCDA/CCNP as they are more affordable for my wife and I (150 per exam flies much easier than $900 ). I am not sure how much the CCDA will actually do for my resume, the material seems very interesting. Hopefully with some of the aforementioned certs, I can land a Network (or Network Security) Analyst job or possibly something like a JR Network Engineer. We will see.

Thought?

IMO CCNP/CCDA are enough to give you a good view of networking but you need to use your knowledge everyday. I think thats better off than nothing. I know a lot of network security that doesnt even know how to go around a cisco network, doesnt know how to create ACL statements or even check the log. It just amazes me how these people got hired. These people doesnt even know how to use linux, subnet, or build a network.

I would love to ask them "how can you protect a network if you dont know how a network works"? However, I dont want to get fired for asking. lol

There are also people that are Jr network engineer because the company wants to give them a spot to grow but doesnt know anything at all.

I believe that a Jr Network Engineer should have CCNA/CCNP or years of experience or have that fire burning in him that he wants to learn more even he has less experience and always willing to start a projects to make the network better.

I actually changed my plans into
CCNP > CCNP-W > CCDA = 2011
CISSP > C|EH > CCDP = 2012
CWSP > CCIP > start reading CCIE = 2013
written CCIE = 2014

shednik

I can recommend the following from experience, mainly echoing most of what has been said.

Routing & Switching
CCNA Security level knowledge
Really understand applications and how the interact with the OSI stack
wireshark will be a great friend

understanding your company's security policy
understanding your company's business model
understanding customer requirements

I feel the most important things for a candidate to have now a days are the business skills. You need to be able to talk to your customers, suggest solutions, plan them, and then implement them with little to no issues. You can be a techie as you want, but if you lack the business skills you will suffer. That has been my experience over the past 4 years. Keep sharp on your techie skills but beef up on business skills as well.

That will make a kick ass network security engineer.


joe

Bl8ckr0uter

Coming back to this thread one more time.

CCNP vs GCIA

Which one do you guys would be more valuable for someone looking for an entry level network security analyst position?


I am looking like this WCNA>CEH>SSCP>GCIA
March>May>July>EOY I might mix LPIC-1 and possibly an MCTS in there.

dynamik

Bl8ckr0uter wrote: »

CCNP vs GCIA

Which one do you guys would be more valuable for someone looking for an entry level network security analyst position?

GCIA. For example, Symantec requires all their MSS analysts to have it; I'm sure many others do as well.

I don't see any point in going beyond Cisco's associate level if you're not working with their equipment daily.

Bl8ckr0uter

You are probably right. Now to save the money.