GCFW or GCIA? Or..?

CircuitMeltdown (Registered Users, Posts: 5)
I have a college degree in network security (information systems) and my Security+ (passed with a 900), and Network+. I know a little bit about system administration and system hardening from school, and from playing around with Windows Server and Linux Red Hat. I have one year experience in the Information Assurance/Cyber Security field. I write policy documents about the security of interconnections between two different agencies. My company recently promoted me, gave me a big raise, and offered to pay for training. I need to decide which training I want.

I want more technical experience, and I originally thought about taking the GSEC, or the CCNA Security, and getting the official training for either. But after talking to a senior manager (in Cyber Security) that routinely helps others figure out what career path to take, and which certifications to take, he said that the GSEC is not really looked upon as better than the Security+ by the industry at this time, and a friend of mine that took and passed the GSEC a few years ago said that it is basically half Security+ knowledge, and half system admin knowledge, and the sys admin part of it is really hard. He said that he took the SANS class and the cert test, as did a few others in his company, and was the only one that passed because of the in-depth Windows questions. He only knew enough about that because he had been a sys admin for several years. The senior manager I talked to recommended the GCIA, the GCIH, or the GCFA. He especially recommended the GCIH, although he said that it might be better to have the GCIA before taking the GCIH, and then the GCFA would be after that. But, that I could just skip to the GCIH if I wanted.

I am interested in all of those things, but once I looked more into it, I realized that I may want to take the GCFW first. I work with perimeter security concepts, and knowing more about the technical aspects of that may help me in my current job, as well as future jobs. I am not sure what I want to do yet. I do like the policy, but I don't see it being satisfying long term. I do network diagrams, and write detailed descriptions of security features. I have a built-in BS filter, and know how to verify the information, but additional technical network design/structure concepts would help. I have always been interested in VPNs, and the technical details of NAT and routing/switching, and I am also a little interested in security auditing. I feel like in-depth packet analysis like in the GCIA is something I want to learn, but I think I may want to do that a little later on, after I have more of a foundation in Security. Incident handling sounds really cool too, but I don't really want to work in a SOC at this time.

I found this site by searching about the practical applications of the training/certifications. I read a post that mentioned that the GCFW and the GCIA have a lot of overlapping material. I was wondering if I could take the GCIA because it is more recognized and "valuable" and still learn about what I was attracted to in the GCFW. Which parts overlap?

Also, I am worried about the difficulty of these, because I am still sort of a beginner. Any advice is appreciated.


  • docrice (Member, Posts: 1,706)
    Welcome to the forum. I have virtually every certification you mentioned (except the GCFA) so I think I can answer some of your questions. By the way, a 900 on Security+ is a perfect score. Good job on that.

    The GSEC has a lot of material, but as mentioned elsewhere in this forum, it's like a Security+ on steroids. On most of the common topics, it goes a bit more in-depth technically than the Security+, and the last two days are dedicated to a lot of the security concepts pertaining to Windows and Unix. If you don't have a lot of hands-on technical experience, the GSEC shines its value here. However, how easy it would be for you will depend on a number of factors. I will agree with your manager in that I don't feel the GSEC is a super-cert. It just happens to be the most recognized GIAC cert (like how most people are aware of the CCNA name versus the CCNP, even though the latter is a step higher towards the top of the food chain). I'd highly suggest taking the free assessment for this course to see where you're at: https://portal.sans.org/assessments/ (note that having a decent amount of both Windows and Unix sysadmin experience really helps, and if you don't already have much of it, then factor that into the difficulty of the material).

    For the CCNA Security, you can self-study for this. It's a logical progression from the base CCNA, but because it's Cisco, it's more about configuring security features within Cisco devices than about security. Maybe having an old Cisco 2621XM router with security features support will help, and you can search through the CCNA Security forums here for specifics about that.

    I felt the GCIH was a lot like an introduction to an array of tools that attackers use to get into a network through a progression of various attack phases (recon, scanning, etc.). It's all wrapped up through the eyes of a defender / incident handler and how one would go about identifying, containing, eradicating, recovering, and reporting for an improvement in organizational posture going forward. It's not so sysadmin-ish, but more of understanding both the attacker and defender's mindset. There are a lot of tools and concepts covered, although you don't necessarily go really in-depth on any. It's hard to expect deep-dive with so much content within only six days of class. There are hands-on labs which definitely help reinforce the lectures.

    The GCIA and GCFW have considerable overlap in that they both review TCP/IP behavior fundamentals. You need to know how TCP works compared to UDP, what fragmentation is and how attackers leverage it, how ICMP characterizes a network through the types of messages it hands you, and the various specifics about the TCP/IP headers and their fields. Knowing how IP works is fundamental in being able to manage a firewall, VPN appliance, IDS / IPS, and understanding what your logs are telling you. If your TCP/IP kung-fu is weak, you will definitely feel overwhelmed (in a good way), especially with the GCIA. These are not beginner courses. I don't feel that having a CCNA or Network+ is sufficient for having a solid grasp of TCP/IP, and perhaps I would read through the Wireshark Network Analysis book as a well-written primer:


    In my opinion (and since I have more experience in some areas than others, my list order will differ from others), the difficulty level of these courses from easiest to most difficult is as follows:

    GSEC - GCFW - GCIH - GCIA. I'd rate the CCNA Security somewhere in the GSEC range.

    That said, GSEC covers a lot of ground, and if you haven't managed systems or networks for a decent amount of time (say, at least several years), the GSEC does throw a lot at you. I've been in the industry for over a decade and the GSEC still felt a bit overwhelming due to the sheer amount of material. It covers a lot of foundational concepts which the other courses do partially build upon, although they definitely go in their own direction and go deeper in their respective areas.

    It's a tough choice, and it will highly depend on what you're interested in, as well as what kind of things you have access to at work which would help you in your career short-term. I would spend some days / weeks reading through the SANS course list and contemplating what might be the most appropriate choice for you.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ipchain (Member, Posts: 297)
    Welcome to TE. You know, docrice's advice is as good as it can get. I could not agree more with everything he expressed in his post. Good luck!
    Every day hurts, the last one kills.
  • cybrwarrior (Registered Users, Posts: 3)
    I agree with docrice. The GIAC (SANS training) certifications are tough and much studying should be put in before attempting the exam. I have about 20 years experience in IT ranging from sysadmin, network admin, and security. Also with two master's degrees in software engineering and computer information systems, I still find these exams tough. They are usually 150 questions given in a 4-hour time limit. So, it's about 90 seconds per question.

    The GIAC exams focus mostly on vendor neutral topics, so the concepts and technologies are based on a lot of open source stuff, which makes them good certifications to obtain.

    Good luck~
  • CircuitMeltdown (Registered Users, Posts: 5)
    Thanks docrice, and all.

    I decided to take the GCFW. I'm going to in-person training in a couple months. I'm going to order the Wireshark book you recommended and also review other TCP/IP study materials, and study materials from other areas I think I am weak in before the class.

    Is the OnDemand supplementary study material worth it to get?
  • docrice (Member, Posts: 1,706)
    I believe the OnDemand is an add-on option if you select the self-study method, not live instruction. Attending a SANS conference with other students seems like a lot of fun, but I can't afford the travel costs hence why I've always done the self-study route with the OnDemand option. For me, OnDemand is a nice slide-based follow-along as I usually read the printed course materials as a second-pass for my studies.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Paul Boz (Member, Posts: 2,620)
    I used to mentor the GCFW course and it was my first SANS cert so it has special meaning for me, so I can only say great choice :)

    I would also recommend that you do the GCIA after, as it has much of the same type of material (very TCP/IP centric). The GCIH was the most unlike the others and I challenged the GSEC straight up with no books because it's a Sec+ on steroids. Great use of your training budget for sure :)
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    Blog: http://www.infosiege.net/
  • docrice (Member, Posts: 1,706)
    I just came across this book: Inside Network Perimeter Security (2nd Edition)


    "Additionally, discussion of tools such as firewalls, virtual private networks, routers and intrusion detection systems make Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates."

    One of the authors is none other than Stephen Northcutt of SANS himself. The book's a bit old, but I think I might pick this up anyway.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • CircuitMeltdown (Registered Users, Posts: 5)
    docrice wrote: »
    I just came across this book: Inside Network Perimeter Security (2nd Edition)

    Amazon.com: Inside Network Perimeter Security (2nd Edition) (9780672327377): Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent, Ronald W. Ritchey: Books

    "Additionally, discussion of tools such as firewalls, virtual private networks, routers and intrusion detection systems make Inside Network Perimeter Security, Second Edition a valuable resource for both security professionals and GIAC Certified Firewall Analyst certification exam candidates."

    One of the authors is none other than Stephen Northcutt of SANS himself. The book's a bit old, but I think I might pick this up anyway.
    Oh, I just posted in another thread where you were talking about this book. I wonder if it would be worth it to pick it up and read it before the class. I am all signed up now, and it's a few weeks away. I am trying to prepare the best I can so I can get the most out of the class as possible, and I don't have access to the OnDemand supplement material until after the class is over.

    In another post I remember seeing Paul Boz say: "You have to fully understand TCP/IP to the point where you can decode a packet in HEX format and answer questions about the contents and options. You have to know snort, TCP/Windump, architecture, auditing, etc.."
    Any idea how to best prepare for all of those objectives? Any suggested reading, websites, or other study methods? Thanks.
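The hex-level header reading that docrice's GCIA/GCFW overlap paragraph and the quoted Paul Boz line both point at, shown as an added example rather than any poster's own code: it decodes a constructed IPv4/TCP SYN dump (addresses, ports and option values made up for the example) into the fragmentation bits, TCP flags and options an analyst would be asked about, and skips the TCP parse on non-first fragments, where no TCP header is present.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample (not a capture from the thread): IPv4 (DF set) + TCP SYN with an MSS option.
SAMPLE_HEX = (
    "4500002c1c46400040069cd0c0a80064c0a80001"   # IPv4 header, 20 bytes; private addresses
    "c350005012345678000000006002200000000000"   # TCP header, 20 bytes; data offset 6 (24 bytes)
    "020405b4"                                   # TCP option: kind 2 (MSS), length 4, value 1460
)

def parse_tcp_options(opts: bytes) -> list:
    """Walk the TCP option TLVs; kind 0 ends the list, kind 1 is a one-byte NOP."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            out.append(("NOP", b""))
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):   # bad length field: stop, don't loop forever
            out.append(("MALFORMED", opts[i:]))
            break
        value = opts[i + 2:i + length]
        out.append(("MSS", struct.unpack("!H", value)[0]) if kind == 2 else (kind, value))
        i += length
    return out

def decode_packet(hex_dump: str) -> dict:
    """Decode IPv4 header fields, fragmentation bits, and (first-fragment TCP) flags and options."""
    raw = bytes.fromhex(hex_dump)
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset field counts 8-byte units
            "ttl": ttl, "protocol": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}
    if proto == 6 and info["frag_offset"] == 0:   # only the first fragment carries the TCP header
        tcp = raw[ihl:]
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
        data_off = (off_flags >> 12) * 4
        names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
        info["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                       "flags": [n for i, n in enumerate(names) if off_flags & (1 << i)],
                       "options": parse_tcp_options(tcp[20:data_off])}
    return info
```

Feeding it a dump with the MF bit set and a non-zero offset returns only the IP-layer fields, which is exactly the case where a signature keyed on TCP flags would see nothing.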
  • GAngel (Member, Posts: 708)
    "I have always been interested in VPNs, and the technical details of NAT and routing/switching"

    Wouldn't that be the CCNA exam.....
    I don't get on this site enough anymore but it looks like you're putting the cart before the horse.