GCFW (SEC-502) passed

It's been a month and a half since I ordered the GCFW OnDemand, taught by Chris Brenton. It was either this or the GCIA and I decided to go with the former since I felt it might be the easier course to "relax through" during the holidays as I've already been doing some firewall / VPN work over the years.

Compared to the GSEC, the material in the GCFW was much more practical for my own day-to-day work. After going through the OnDemand (and before hitting the books themselves), I was able to immediately put into practice some of the things I picked up in the course. I guess this is like an immediate return-on-investment.

That said, for me personally a good bulk of the material wasn't anything new. Over the last month I've been lazily studying through this stuff and my pages of notes from the course books amounted to maybe fourteen pages (my GSEC notes were twice that). The GCFW books also amount to less pages than the GSEC's. I'm not putting the GCFW down or anything, but I was hoping it would get more in-depth with iptables and pf, but I guess the concepts conveyed were still solid. What was a bit hazy for me before has now been positively reinforced and while I don't by any means consider myself an expert-level firewall admin, I think SANS offers a pretty good course. One other thing that let me down a bit was that the audio MP3s for one of the days was incomplete. I confirmed with SANS that some of the audio was simply not available. I'd assume for the next revision of the course they'll fill that gap.

Not a fair comparison here, but I was looking through the table of contents in a Cisco ASA book (by Cisco Press) and I noticed there weren't a whole lot of topics on the different kinds of attacks against perimeter systems which the ASA appliances are supposed to mitigate. This is where vendor-neutral training comes in very, very handy.

I also happen to deal with various vendors when it comes to firewall and VPN gateways at work so seeing a quick round-up of some top vendors was pretty handy and eye-opening (although the applicability of those issues vary depending on code versions, etc.).

Onto the exam... You're given four hours to go through one hundred and fifty questions. I spent about two hours and managed to pass with a 96%, which is better than the 88% I got on the practice exam a week ago. I'll admit though that having printed reference materials helped a lot, otherwise I'd probably have ended up in the 80+% range.

Overall, I enjoyed the GCFW learning experience very much. Although I wish there was a bit more material in some areas, I think the instructor would have had a hard time properly fitting that into a 5.5-day class worth of lectures. The guy knows his stuff. I paid for the GCFW OnDemand completely out-of-pocket (with the discount code) but it was still worth it overall. My next SANS course should definitely be the GCIA whenever I can afford it (or my employer decides that training budget is available).

Find more posts tagged with

Comments

Bl8ckr0uter

Congrats! Are you thinking about doing any Gold papers so you can do you GSE?

docrice

I'd like to do one or two Gold papers eventually (after all, having an accepted practical assignment is what elevates the GIAC cert status to the "real" level as it was intended originally). Thinking about the GSE is such a long way off right now. For me, I'd rather focus on what's more important in the present and see if life circumstances allow the pursuit of the GSE / CCIE / [really impressive cert] as time goes on.

Bl8ckr0uter

docrice wrote: »

I'd like to do one or two Gold papers eventually (after all, having an accepted practical assignment is what elevates the GIAC cert status to the "real" level as it was intended originally). Thinking about the GSE is such a long way off right now. For me, I'd rather focus on what's more important in the present and see if life circumstances allow the pursuit of the GSE / CCIE / [really impressive cert] as time goes on.

Ah. Any suggestions for a noob thinking of taking the test at some point?

ipchain

Congratulations! That is an incredible score as well. I am sure you'll have lots of fun with GCIA once you get to it.

Thanks for the review of the exam. Although I would love to do the GCFW,I will likely have to skip it to focus on GPEN and GSEC.

I'm actually going through the OnDemand material for GCIA at the moment. Lots of packet analysis...fun, fun, fun!

Paul Boz

Good job man, Brenton teaches the hell out of that class. I enjoyed it. I very rarely enjoy MP3s of lecture material but love his accent and humor.

docrice

Bl8ckr0uter wrote: »

Ah. Any suggestions for a noob thinking of taking the test at some point?

I think most of the topics listed on the SEC-502 site pretty much gives you the blueprint on what to study for.

http://www.sans.org/security-training/perimeter-protection-in-depth-3627-tid

Definitely understand IP, knowing how TCP / UDP / ICMP stimulus-response works (if you know the basics of Nmap, that should clue you in well), layer 2 MITM attacks, reading tcpdump, use / abuse of IP fragments, and Cisco standard / extended / reflexive ACLs.

I think the kind of information which may not be generally available are the pros and cons of specific vendors (important, but not too important), as well as which tools you need to focus on. The names of those tools aren't listed on that website. While you don't necessarily need to know these tools in-depth, you should have some kind of passing familiarity with them (or a handy reference). Not sure what to recommend in this case as naming which tools are mentioned in the course / exam might be crossing the line in terms of disclosure.

There is also an evaluation test which you can take which might clue you into the kind of subject matter you're expected to know for the exam:

http://www.sans.org/training/S502_evaluation_test.pdf

rogue2shadow

Congrats man

TrainingDaze

congrats man and great score! Thanks for sharing your experience with the OnDemand and glad to hear that you feel it was worth it. If I don't get picked as a volunteer this spring then I'll probably do the same as you and pony up for gcih.

SephStorm

congrats and thanks for the review. What are you job duties in therms of FW responsibilities? i.e, what is your previous experience with firewalls? And what would be the prerequisite knowledge necessary before looking at the class?

docrice

I've worked with Cisco PIX / ASA, Check Point FW-1, iptables, pf, as well as your usual IOS access lists in varying capacities for some years now (mostly PIX). I've also manage(d) Cisco IPsec / Juniper / Nortel / F5 / Aventail / Check Point gateways for remote access scenarios. The basic perimeter management has been part of my daily responsibilities, but it's not my only job focus (I got the server stuff too).

If I were completely new to firewalls and VPNs, getting through the GCFW would no doubt be a lot tougher. I guess this is one of those "validate existing knowledge" certs for me. However, I will say that if you know how IP works pretty well, you'll have a good start. After all, that first day of the course goes over IP / TCP / UDP / ICMP, headers, behavior, and their creative bending. You should also definitely get comfortable reading and using tcpdump.

If anything, if you have no firewall experience and want to get your hands dirty to prepare for the class / cert challenge, get working on iptables and learn to read the logs.

SephStorm

Thats exactly what I need to know. We'll see what this year has to offer!

Paul Boz

docrice wrote: »

If anything, if you have no firewall experience and want to get your hands dirty to prepare for the class / cert challenge, get working on iptables and learn to read the logs.

Even to a small degree, learning snort will help you apply the TCPDump knowledge directly. I did not really apply TCPDump results to the FW side but when I dug into the Snort material it really used the TCPDump analysis skills. Now that I'm doing the GCIA I find it that much relevant.

isairamm

Hi Docrice,

I would like to know how to start preparing for GCFW and GCIA, hope you could help me.

Regds,
Sai

docrice

I'd recommend starting with the forum sticky:

http://www.techexams.net/forums/sans-institute-giac-certifications/68043-post-your-sans-giac-study-material-recommendations-here.html