CCNP Security expenses
l!ght
Member Posts: 48 ■■□□□□□□□□
I am wondering why CCNP Security path is so expensive? I mean the cheapest one is regular CCNP. Everyone has to start with CCNA, progress to CCNP by taking 3 exams. Ok. However, for CCNP Security you would have to get CCNA, CCNA Security and then pass 4 (!) exams to get your CCNP Security. Much more expensive. And for example if you take CCDA and CCNA, then pass 3 exams for CCNP and one exam for CCDP (ARCH), then you get two certificates: CCNP and CCDP. Total cost is more than CCNP Security (not by much), but if you divide the cost per certificate it is actually way cheaper. So, why is the Security path so expensive? I am also wondering, is the Cisco firewall actually used so much around the world? Is it actually beneficial to study it? So far I have seen Checkpoint firewalls being used, but not Cisco.
Jesus saves!
Comments
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
I think I read somewhere that Cisco ASAs are like 30% of the market. They aren't "next generation" but they do have their following.
CCSP was 4 tests so I guess they decided to keep that structure. They should have dropped the IPS exam and made it three tests.
-
Maced129 Member Posts: 78 ■■□□□□□□□□
There are a lot of firewall flavors out there and it depends on the company's preference and requirements I guess. Where I'm at, that's all we use is ASAs, with exception to some PaloAltos.
I'd say it's definitely worth it to study the firewall portion of the CCNP:S, who knows maybe your company will start getting some Cisco firewalls especially with SecureX coming around, or maybe another job will have Cisco.
And yea I definitely agree, CCNP:S is so expensive with the exams alone. And if you buy equipment to practice with...LOL nice lottery you'd have to win to buy it all...but then again it will probably all be useful when/if you study for your CCIE:Sec.
-
alan2308 Member Posts: 1,854 ■■■■■■■■□□
l!ght wrote: »And for example if you take CCDA and CCNA, then pass 3 exams for CCNP and one exam for CCDP (ARCH), then you get two certificates: CCNP and CCDP. Total cost is more than CCNP Security (not by much), but if you divide the cost per certificate it is actually way cheaper. So, why is the Security path so expensive?
The thing there is that there is overlap between R&S and Design whereas that isn't true for other tracks. Security is its own beast, as is Voice and Wireless. It's not an apples to apples comparison.
-
l!ght Member Posts: 48 ■■□□□□□□□□
Yeah, you are totally right about the cost of hardware for labs.
But it is interesting that firewalls is I think one subject that is not good to just study by concentrating on one company. I mean in Europe there are plenty of others. Astaro, etc. And they use BSD as a base. So, yeah, it's a software not hardware like Cisco, but many smaller companies might go for that due to cheaper price. You can basically run pfSense or others on a not so fast computer and it will be enough for the company. It even offers everything that a company will need QoS, IPSec, Load Balancing, etc.
In my case I am deciding between going for OSCP or continue to CCNA Security path.
Jesus saves!
-
l!ght Member Posts: 48 ■■□□□□□□□□
alan2308, of course it's not apples to apples. But I bet a person with CCDP and CCNP is not less worthy for the company than CCNP Se. Salary wise and otherwise.
Jesus saves!
-
nicklauscombs Member Posts: 885
i'm balancing out lab cost (i'm lookin' at you specifically IPS exam) by just buying rack time with vendors.
WIP: IPS exam
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
alan2308 wrote: »The thing there is that there is overlap between R&S and Design whereas that isn't true for other tracks. Security is its own beast, as is Voice and Wireless. It's not an apples to apples comparison.
You don't think R/S, Design and Security intersect? They most certainly do. You should design with security in mind and you need to understand r/s to build a network. All of the tracks truly build off a common knowledge base (which is R/S whether you have the certification or not). Networks are complex and require all sorts of knowledge from many areas to support and secure. Consider a firewall engineer who is trying to support a problem but doesn't understand basic or even mid level Routing and switching or understand the design of the network. It could be a huge problem.
l!ght wrote: »Yeah, you are totally right about the cost of hardware for labs. But it is interesting that firewalls is I think one subject that is not good to just study by concentrating on one company. I mean in Europe there are plenty of others. Astaro, etc. You can basically run pfSense or others on a not so fast computer and it will be enough for the company. It even offers everything that a company will need QoS, IPSec, Load Balancing, etc. In my case I am deciding between going for OSCP or continue to CCNA Security path.
pfSense for the win. I think people (and by people, I mean business owners) don't leverage open source solutions since people usually equate open source to unreliable. I like pfSense and actually replaced a Cisco router with a pfSense firewall and it worked great.
-
l!ght Member Posts: 48 ■■□□□□□□□□
Yeah, I know. When or when this old generation will already leave their positions at companies? pfSense is pretty cool. It's a solid product. And actually I can argue that open source gets fixes and vulnerabilities found faster than proprietary. After all one company cannot "really" compete with the world of developers that look, test open source code.
I run pfSense at home interconnected to all kinds of stuff. It works great. I would suggest it to any of my friends or "customers". And I totally agree with you about CCNP/CCDP/CCNP Security all interdependent.
Jesus saves!
-
TesseracT Member Posts: 167
meh, I use ASA's more than routers at the moment. I'm a CCNP and have no desire to get the CCNP Security.
My reasoning is that I've never seen the CCNP Security as a prerequisite for a job. CCNP + ASA experience yes but I don't recall ever seeing a security job I'd be turned down at because I have the CCNP but not the CCNP security. I also can't be bothered sitting a Cisco IPS exam. The time it takes + the expense is just not worth it IMO. Sourcefire and Tippingpoint have been running rings around them for years in this area. The only reason for implementing it would be as a cost-saving solution.
-
l!ght Member Posts: 48 ■■□□□□□□□□
Well, I am more concerned with security field. And you voiced my reservations about CCNP Security. Indeed, where are the jobs with CCNP Se as a requirement? Security positions are requiring stuff like CISSP and other smaller certificates. I am getting more and more convinced to go OSCP and maybe CCNP route. Also, one more thing that is bothering me is CCNA Se covering SDM. What is the point of testing this outdated technology? Wasn't it superseded by other stuff already?
Jesus saves!
-
lrb Member Posts: 526
The SDM got replaced with the CCP - The CCNA Security covers SDM (and its coverage isn't exactly massive from memory) but the CCNP Security doesn't. There are a few jobs in AU with the CCSP/CCNP Security as 'nice to have' listed but most senior jobs will still have the CCNP as a 'must have'. Personally I think the CCNP and CCNP Security is a good combo from a knowledge point of view: intermediate routing and switching knowledge mixed with knowledge of ASAs, basic security threats, and how to configure their IPS product line. However someone who does security as their sole job (i.e. consultancy, engineering, design, etc) has to know a hell of a lot more than what is covered in the CCNP Security material to be a well rounded 'security person'.
And yes the IPS appliances are a pain in the arse if you have no exposure to them and just have to do the test to get the CCNP Security qualification, but the appliances themselves are actually quite good and I doubt anyone who has used them on a day-to-day basis would say otherwise. Plus for the VPN/FIREWALL/IPS exams I'd rather just use rack rental anyway.
Lastly, I've found the Juniper SRX series to be the best appliance for a firewall solution: cheap, great performance, great port density, security policies in Junos are an absolute godsend, and can actually terminate GRE tunnels (and in different VRFs too!). Plus it's just BSD under the hood anyway so you can pretty much do whatever you like with the devices!
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
lrb wrote: »Junos are an absolute godsend, and can actually terminate GRE tunnels
What do you mean by this? ASAs can run GRE tunnels.
There were rumors of a CCNA:S update to cover CCP but I don't know if they are true.
There are jobs that want CCNP:S (in fact most of the jobs I have seen looking for CCSP/CCNP:S don't include CCNP, at least in my general area). I've heard mixed reviews about the Cisco IPS and after sitting in a demo, I am NOT impressed. It seems like a lot of companies are killing Cisco in security (in terms of features and the like). I think a course like OSCP would do any security pro a lot of good (especially a networking security pro) since often times we do things for the sake of security without understanding what we are really protecting from. There is something concrete about practical application. I remember my first DDOS attack. Fun times.....
-
l!ght Member Posts: 48 ■■□□□□□□□□
Oh wow. I didn't know Junos are BSD based. Do you think that Juniper certs weigh a lot, or is Cisco still the king? I have seen some positions requiring Juniper certs.
Jesus saves!
-
nicklauscombs Member Posts: 885
l!ght wrote: »Oh wow. I didn't know Junos are BSD based. Do you think that Juniper certs weigh a lot, or is Cisco still the king? I have seen some positions requiring Juniper certs.
they're gaining traction and i would at minimum work through the jncia-junos exam to have some fundamental knowledge if you don't deal with them hands on at work. all study material is provided free of charge on the juniper website and the exam is only $50 so why not....
WIP: IPS exam
-
docrice Member Posts: 1,706 ■■■■■■■■■■
The CCNP:Security track covers the general base of Cisco's security offerings. The firewall component, the VPN functionality which folded into the firewall platform after the PIX era, the general security technologies implemented in switching and routing, and the IPS. I would probably consider sitting the exam for the first three, but I could care less about their IPS unless I'm at a company that uses them.
I haven't touched Cisco's IPS personally, but I've never heard anything great about them. In my opinion, Cisco is a routing and switching technology company first, a security company second. MARS is pretty much deprecated, the ASAs are becoming stale as more functional firewalls like Palo Alto Networks gain more traction, and Juniper has a loyal following. ASAs are a very common firewall platform, but I don't consider them leading edge right now. That said, for simple common scenarios they work just fine.
As a network security engineer for an organization that has intrinsic high availability requirements, I'll be the first to say I would never consider using open source solutions for inline production traffic unless I have official vendor support (and for some reason all commercial offerings really sucked). For example, I would never use Snort inline as an IPS for a production network, but would definitely consider Sourcefire. Essentially the same technology, but if something goes wrong I can call someone in the middle of the night on a Sev1 ticket and there would be a fix commitment or an officially-provided workaround while providing a (perhaps legal) sense of assurance to management that our liabilities can be transferred somewhere in the event of major problems.
While pfSense can provide commercial support, I have to wonder how good their resources are for large demanding enterprise customers. I say this as a part-time OpenBSD user and someone who has implemented active-standby pf in the past for a startup. While good open source products can function very well, they don't provide the ASICs performance that a hardware vendor can provide. In some cases the technology can be superior, but corporations want that assurance which can be demonstrated by name. And unfortunately, the whole "No one gets fired for buying Cisco" mentality still rings true, probably for a few good reasons.
I hadn't heard of Cisco's SecureX until now, but was aware of their identity-plug-in (much like Palo Alto's User-ID). Interesting.
My comment on the OSCP - having an understanding of web application pentesting is good, but for a day-to-day firewall management context it currently isn't that relevant unless you're a jack-of-all-trades infosec guy where you deal with WAF, application data management, etc. I would think most firewall guys sit under the "network infrastructure" part of the org chart which is part of the larger routing / switching competency, and that's a serious mouthful to take in by itself. In the grand scheme of things at the moment, I consider them different skill sets from general vendor-specific firewall management.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
lrb Member Posts: 526
Bl8ckr0uter wrote: »What do you mean by this? ASAs can run gre tunnels.
What I mean is that you can't have the GRE interface (i.e. interface TunnelXX) actually on the ASA - last time I checked you could only pass GRE packets through the firewall and reference them in firewall rules but the GRE tunnel can not actually terminate on the ASA itself. Happy to be informed differently though!
-
lrb Member Posts: 526
l!ght wrote: »Oh wow. I didn't know Junos are BSD based. Do you think that Juniper certs weigh a lot, or is Cisco still the king? I have seen some positions requiring Juniper certs.
The Juniper certification program has nowhere near the same following as Cisco but Juniper seems to be making a MASSIVE effort to get people certified with some great incentives. For example, you take the pre-assessment test and get 50% off the corresponding exam, and they give you the resources to study for the exam for free with their fast track program (albeit these docs don't cover as much as their official courseware).
-
l!ght Member Posts: 48 ■■□□□□□□□□
I took a look at CCNP Security track one more time. Actually, Cisco has specialist certs. So, by taking Secure and then Firewall you are not CCNP yet, but already a Firewall Specialist. Taking VPN after that will give you VPN Specialist AND ASA Specialist. So, that means 3 exams give you 3 certs. However, after that one would take IPS and become CCNP Se, and then there is no more use for those specialist certs. Maybe just to impress HR people. And again, as I calculated all the fees before, the same amount one will spend reaching CCNP Se will get them CCDP and CCNP. The same amount. However, that means each one is half the price of the CCNP Security. It's more efficient to go that route. You get certs at Professional level in two different paths. Kind of sweet.
About OSCP. Well, I guess I am kind of a generalist as opposed to specialist. I like to grab as much knowledge as possible and it seems that I just like too many things <grin>. However, yes, right now maybe firewall maintainers do not need pentesting skills. But who knows what the future will bring? Hacking tools and tricks evolve, networks become more and more complex, maybe in the future just knowing one thing or another will not be enough.
Jesus saves!
-
alan2308 Member Posts: 1,854 ■■■■■■■■□□
Bl8ckr0uter wrote: »You don't think R/S, Design and Security intersect?
What I mean is that R&S intersects a lot more with design than it does with security, not that there isn't any. R&S and Design certainly think about doing things in a secure manner, but not at the level of depth that the security guys look at things with. And Cisco's certs reflect that logic, though I can't say I completely agree with the complete lack of r&s in the CCNP Sec.
To put it another way, when one is designing a network or moving in some new switches, they know you should use SSH instead of Telnet to access the device. They also know version 2 is better than version 1 because version 1 is flawed. But they don't really care to know what's in all 650 pages of SSH: The Definitive Guide. Guys like us do care.
-
btowntech Member Posts: 198 ■■■□□□□□□□
l!ght wrote: »Everyone has to start with CCNA, progress to CCNP by taking 3 exams. Ok. However, for CCNP Security you would have to get CCNA, CCNA Security and then pass 4 (!) exams to get your CCNP Security.
I remember when you had to pass 4 exams to get your CCNP (BSCI, BCMSN, ONT, ISCW). Quit looking at it from the point of what is the best bang for the buck, but which one will help you the most at this point in your career. Also, look at the objectives for the exams and figure out which certification is most beneficial. If you focus on becoming a great network engineer everything else will fall into place down the road.
BS - Information Technology; AAS - Electro-Mechanical Engineering
-
docrice Member Posts: 1,706 ■■■■■■■■■■
One extra 642-level exam is what ... $200? That's small change in the grand scheme of things. If you really enjoy working on Cisco security products and want to achieve the certification in the area, one additional exam shouldn't feel like such a burden. One can argue that certifications are a scam and the vendors are trying to sell you shallow "investments" (I feel this may at least be partially true), but it is what it is. At the end of the day, achieving the CCNP: Security only might get additional consideration from some companies looking at your resume. What you can demonstrate for real-world results and the benefit to an organization's bottom as a professional is what really counts.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
l!ght Member Posts: 48 ■■□□□□□□□□
Well, I see it this way. For progression to or at any job most employers will look first for CCNP not CCNP Se. I think when companies are looking for security people they probably require GSEC, not security certs from Cisco. Also, it is faster to get CCNP, it will give more weight to the resume, and at the same time you are working towards it you can get CCDP for the same amount of effort. I am sold. CCNP Se seems like "maybe" a next step after that. It takes less hardware to study for CCNP too. Right now I need to sponsor myself, so I would prefer not to buy old Firewalls and IPs.
Jesus saves!
-
docrice Member Posts: 1,706 ■■■■■■■■■■
In my experience (not that I've been in the game for decades or anything), security folks tend to value strong fundamentals rather than only vendor-specific training. If I were to interview someone for a firewall administration position, I wouldn't ask about all the commands on an ASA (well, maybe if that's what their experience was based on). I'd be more interested if they understand how TCP works, or how fragmentation reassembly could be used to bypass ACLs, or how to interpret a network trace. Maybe someone knowledgeable can comment on this, but I get the sense that Cisco security training doesn't actually teach you anything other than configuring Cisco security products.
So in that sense the traditional CCNP route would be a good path if you're really interested in all the routing and switching because I'm under the impression that much of the core material is very much applicable across all vendors. From a security perspective, having vendor-neutral skills is valuable.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
Daniel333 Member Posts: 2,077 ■■■■■■□□□□
Well, I am guessing if you're in the USA and at the CCNP:Sec level they assume the cost of 1 or 2 extra exams isn't really a major factor. ($80k employees right?) and chances are at that level your employer makes some sort of investment in you also. At the very least to maintain their partnership statuses.
-Daniel
-
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
The costs of the professional level exams are scaled based on how many exams there are in the track. R&S, IP and Security all cost $600. Voice is $750. CCNP/IP is $200 per test. CCNP:Security is $150 per test.
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
-
SteveO86 Member Posts: 1,423
Didn't they just raise the price of the professional level tests to $200, that's how much my BGP+MPLS test was and my QoS test has a price tag of $200 as well.
When you look at the Certs and tests:
CCNP:
ROUTE
SWITCH
TSHOOT
CCIP:
ROUTE
MPLS
BGP
QoS
CCDP
ROUTE
SWITCH
ARCH
CCNP S
SECURE
IPS
VPN
FIREWALL
CCNP: W
4 more exams
CCNP used to be 4 exams as mentioned earlier. You don't necessarily have to get your CCNP after CCNA, you could always go CCDP or CCIP. The advantage is CCNP/CCDP/CCIP all have ROUTE/SWITCH or both which is why it doesn't seem that bad. CCNP:S, CCNP: W, CCNP SPO has a different focus. It is what it is.
You get an ASA 5505 from certification kits for 400 bucks... I might buy 2 of these for my CCNP studies next year... If I do decide to go this route..
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Zartanasaurus wrote: »The costs of the professional level exams are scaled based on how many exams there are in the track. R&S, IP and Security all cost $600. Voice is $750. CCNP/IP is $200 per test. CCNP:Security is $150 per test.
I thought they were all $200...
-
docrice Member Posts: 1,706 ■■■■■■■■■■
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
-
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
Bl8ckr0uter wrote: »I thought they were all $200...
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
-
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
Zartanasaurus wrote: »Maybe it changed. I went to the VUE website beginning of this year and the Voice and Security exams were $150 each.
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%