GCFW (SEC-502) passed

docricedocrice Posts: 1,706Member
It's been a month and a half since I ordered the GCFW OnDemand, taught by Chris Brenton. It was either this or the GCIA and I decided to go with the former since I felt it might be the easier course to "relax through" during the holidays as I've already been doing some firewall / VPN work over the years.

Compared to the GSEC, the material in the GCFW was much more practical for my own day-to-day work. After going through the OnDemand (and before hitting the books themselves), I was able to immediately put into practice some of the things I picked up in the course. I guess this is like an immediate return-on-investment.

That said, for me personally a good bulk of the material wasn't anything new. Over the last month I've been lazily studying through this stuff and my pages of notes from the course books amounted to maybe fourteen pages (my GSEC notes were twice that). The GCFW books also amount to less pages than the GSEC's. I'm not putting the GCFW down or anything, but I was hoping it would get more in-depth with iptables and pf, but I guess the concepts conveyed were still solid. What was a bit hazy for me before has now been positively reinforced and while I don't by any means consider myself an expert-level firewall admin, I think SANS offers a pretty good course. One other thing that let me down a bit was that the audio MP3s for one of the days was incomplete. I confirmed with SANS that some of the audio was simply not available. I'd assume for the next revision of the course they'll fill that gap.

Not a fair comparison here, but I was looking through the table of contents in a Cisco ASA book (by Cisco Press) and I noticed there weren't a whole lot of topics on the different kinds of attacks against perimeter systems which the ASA appliances are supposed to mitigate. This is where vendor-neutral training comes in very, very handy.

I also happen to deal with various vendors when it comes to firewall and VPN gateways at work so seeing a quick round-up of some top vendors was pretty handy and eye-opening (although the applicability of those issues vary depending on code versions, etc.).

Onto the exam... You're given four hours to go through one hundred and fifty questions. I spent about two hours and managed to pass with a 96%, which is better than the 88% I got on the practice exam a week ago. I'll admit though that having printed reference materials helped a lot, otherwise I'd probably have ended up in the 80+% range.

Overall, I enjoyed the GCFW learning experience very much. Although I wish there was a bit more material in some areas, I think the instructor would have had a hard time properly fitting that into a 5.5-day class worth of lectures. The guy knows his stuff. I paid for the GCFW OnDemand completely out-of-pocket (with the discount code) but it was still worth it overall. My next SANS course should definitely be the GCIA whenever I can afford it (or my employer decides that training budget is available).
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users
    Congrats! Are you thinking about doing any Gold papers so you can do you GSE?
  • docricedocrice Posts: 1,706Member
    I'd like to do one or two Gold papers eventually (after all, having an accepted practical assignment is what elevates the GIAC cert status to the "real" level as it was intended originally). Thinking about the GSE is such a long way off right now. For me, I'd rather focus on what's more important in the present and see if life circumstances allow the pursuit of the GSE / CCIE / [really impressive cert] as time goes on.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Bl8ckr0uterBl8ckr0uter Posts: 5,031Inactive Imported Users
    docrice wrote: »
    I'd like to do one or two Gold papers eventually (after all, having an accepted practical assignment is what elevates the GIAC cert status to the "real" level as it was intended originally). Thinking about the GSE is such a long way off right now. For me, I'd rather focus on what's more important in the present and see if life circumstances allow the pursuit of the GSE / CCIE / [really impressive cert] as time goes on.


    Ah. Any suggestions for a noob thinking of taking the test at some point?
  • ipchainipchain Posts: 297Member
    Congratulations! That is an incredible score as well. I am sure you'll have lots of fun with GCIA once you get to it.

    Thanks for the review of the exam. Although I would love to do the GCFW,I will likely have to skip it to focus on GPEN and GSEC.

    I'm actually going through the OnDemand material for GCIA at the moment. Lots of packet analysis...fun, fun, fun!
    Every day hurts, the last one kills.
  • Paul BozPaul Boz Posts: 2,621Member
    Good job man, Brenton teaches the hell out of that class. I enjoyed it. I very rarely enjoy MP3s of lecture material but love his accent and humor.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • docricedocrice Posts: 1,706Member
    Ah. Any suggestions for a noob thinking of taking the test at some point?

    I think most of the topics listed on the SEC-502 site pretty much gives you the blueprint on what to study for.

    http://www.sans.org/security-training/perimeter-protection-in-depth-3627-tid

    Definitely understand IP, knowing how TCP / UDP / ICMP stimulus-response works (if you know the basics of Nmap, that should clue you in well), layer 2 MITM attacks, reading tcpdump, use / abuse of IP fragments, and Cisco standard / extended / reflexive ACLs.

    I think the kind of information which may not be generally available are the pros and cons of specific vendors (important, but not too important), as well as which tools you need to focus on. The names of those tools aren't listed on that website. While you don't necessarily need to know these tools in-depth, you should have some kind of passing familiarity with them (or a handy reference). Not sure what to recommend in this case as naming which tools are mentioned in the course / exam might be crossing the line in terms of disclosure.

    There is also an evaluation test which you can take which might clue you into the kind of subject matter you're expected to know for the exam:

    http://www.sans.org/training/S502_evaluation_test.pdf
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • rogue2shadowrogue2shadow Cyber Ninja III Posts: 1,501Member ■■■■■■■■□□
    Congrats man

  • TrainingDazeTrainingDaze Posts: 62Member ■■□□□□□□□□
    congrats man and great score! Thanks for sharing your experience with the OnDemand and glad to hear that you feel it was worth it. If I don't get picked as a volunteer this spring then I'll probably do the same as you and pony up for gcih. :)
  • SephStormSephStorm Posts: 1,732Member
    congrats and thanks for the review. What are you job duties in therms of FW responsibilities? i.e, what is your previous experience with firewalls? And what would be the prerequisite knowledge necessary before looking at the class?
  • docricedocrice Posts: 1,706Member
    I've worked with Cisco PIX / ASA, Check Point FW-1, iptables, pf, as well as your usual IOS access lists in varying capacities for some years now (mostly PIX). I've also manage(d) Cisco IPsec / Juniper / Nortel / F5 / Aventail / Check Point gateways for remote access scenarios. The basic perimeter management has been part of my daily responsibilities, but it's not my only job focus (I got the server stuff too).

    If I were completely new to firewalls and VPNs, getting through the GCFW would no doubt be a lot tougher. I guess this is one of those "validate existing knowledge" certs for me. However, I will say that if you know how IP works pretty well, you'll have a good start. After all, that first day of the course goes over IP / TCP / UDP / ICMP, headers, behavior, and their creative bending. You should also definitely get comfortable reading and using tcpdump.

    If anything, if you have no firewall experience and want to get your hands dirty to prepare for the class / cert challenge, get working on iptables and learn to read the logs.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • SephStormSephStorm Posts: 1,732Member
    Thats exactly what I need to know. We'll see what this year has to offer!
  • Paul BozPaul Boz Posts: 2,621Member
    docrice wrote: »
    If anything, if you have no firewall experience and want to get your hands dirty to prepare for the class / cert challenge, get working on iptables and learn to read the logs.

    Even to a small degree, learning snort will help you apply the TCPDump knowledge directly. I did not really apply TCPDump results to the FW side but when I dug into the Snort material it really used the TCPDump analysis skills. Now that I'm doing the GCIA I find it that much relevant.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • isairammisairamm Posts: 2Registered Users ■□□□□□□□□□
    Hi Docrice,

    I would like to know how to start preparing for GCFW and GCIA, hope you could help me.

    Regds,
    Sai
Sign In or Register to comment.