CCNP: Security before CCNP R/S?

Hi all, quick question for you: Would I be doing things bass ackwards if I obtained a CCNP Security prior to covering CCNP R/S topics? Shortly I will be starting a position in security with emphasis on the network security devices. I would like to pursue the CCNP: Sec credential this year but I'm not sure if I would be better off studying NP R/S topics first.

Find more posts tagged with

Comments

ChooseLife

My opinion is that they are different tracks and have little dependency on each other. As an example, I am an enterprise sysadmin and CCNP:S is right up my alley. OTOH, I have no plans to do CCNP:R/S, as the routing part of it is not relevant to my daily job.

YFZblu

Thanks ChooseLife. That's sort of what I was hoping for. CCNA Sec did not dive as deep as I was hoping, and I am eager to get into CCNP: Sec material in the next few months.

Ivanjam

YFZblu wrote: »

CCNA Sec did not dive as deep as I was hoping

I'd love to be able to say that - good luck @YFZblu with the CCNP:Sec!

DiZz

I just recently got my CCNA Security, and i feel the same way in a sense that the use of it is giveing you a general foundation of what Cisco Security is to help with better understanding of the indept topics of the CCNP Sec. Thats what i am doing as well is CCNP security. I figure the R:S stuff can be learned though trial and error or just picking up some books if you need the information but i really dont think you would need to go as far as certifying in CCNP R:S to be a good security admin.

Kreken

DiZz wrote:

I figure the R:S stuff can be learned though trial and error or just picking up some books if you need the information but i really dont think you would need to go as far as certifying in CCNP R:S to be a good security admin.

Can't you say the same thing about CCNP:S track? A lot of things can be learned just by picking up a book.

ChooseLife wrote:

My opinion is that they are different tracks and have little dependency on each other.

For being different tracks, they have a lot of overlap. SWITCH exam has more in-depth coverage of switch security than SECURE exam. You do need to have a solid understanding of routing for FIREWALL and VPN exams. CCNP:S is not just about creating rules on a firewall and IPS.

chrisone

ChooseLife wrote: »

My opinion is that they are different tracks and have little dependency on each other. As an example, I am an enterprise sysadmin and CCNP:S is right up my alley. OTOH, I have no plans to do CCNP:R/S, as the routing part of it is not relevant to my daily job.

All tracks depend on routing and switching.

ChooseLife

Kreken wrote: »

For being different tracks, they have a lot of overlap. SWITCH exam has more in-depth coverage of switch security than SECURE exam. You do need to have a solid understanding of routing for FIREWALL and VPN exams. CCNP:S is not just about creating rules on a firewall and IPS.

chrisone wrote: »

All tracks depend on routing and switching.

I am under impression that dynamic routing in explored much deeper in CCNP:R&S track than it is in CCNP:S.
Indeed, understanding of routing is a pre-requisite for CCNP:S, but what is the level required?

As mentioned earlier, I am enterprise sysadmin, and in the decade of the career never touched a dynamic routing protocol in a production network - it has always lived on the other side of the demarc point. At the same time, I have done my share of designing and supporting VPN, enterprise firewalls, ASAs, IDS/IPS, and even with my limited knowledge of BGP, OSPF and IS-IS I still feel comfortable with the knowledge domain CCNP:S covers. Should I not be? Based on your knowledge of the two tracks, do you feel I need to dive into CCNP:R&S -level BGP studies in order to be a successful CCNP:S candidate?

SteveO86

From what I can see as far as CCNP:S goes into routing protocols, involves authenticating peers (Also covered in CCNP:R/S) and setting up the protocols on the Cisco ASA's.

CCNP:S doesn't go into how the routing protocols work, or Layer 2 technologies or how to troubleshoot the protocols. Other then the initial configuration. That doesn't go to say you'll never have to troubleshoot a routing protocol in the real work but you know

Roguetadhg

Darn good posts here, and good thread.

I like the insight from those that have gone both certs. So far it seems like it's a CCNP before CCNP:Security.

SteveO86

Depends on your situation, I've known a few success security people who were CCNP:S and didn't know a lick of routing/switching. (granted they had their CISSP as well with a few other security certs so routing/switching were not really their concern)

vinbuck

Routing and Switching is the biggest weak point I see in Security only types.

The problem IMHO is that they see VPNs, ports and protocols and not the network architecture as a whole. This is extremely limiting when it comes to defending against complex attacks or trying to secure the network. As an example, it's difficult to discuss VRFs or MPLS as a security measure for isolation if you don't understand how either is implemented or what they bring to the table.

I'm not saying that every security engineer should strive for CCIE R&S, but I think if most had a CCNP R&S foundation, they would be much more effective.

Just my 2 pesos as a large scale route/switch guy

bryguy

Don't think CCNP-RS is necessarily required... The last re-vision of the CCNP required ISCW (Implementing Secure Converged Wide Area Networks) which covered a number of security related topics including frame mode MPLS, CBAC IOS firewalls, and hardening the IOS... but that was before the CCNA Security track was available. If I'm not mistaken, CCNA-RS is a prerequisite of the CCNA-Security track. So at one time, prior to the CCNA security track, I think the CCNP would have been helpful, prior to the CCSP, in the same way that the CCNP would have been helpful prior to taking the CCVP, because ONT covered QOS so much. I think, in a security focused environment, the Associate level of RS is enough.

f0rgiv3n

Another thing to take into account is what people will expect you to know when they see those credentials on your resume. They see a CCNP Security on there, will they know that even though it's a CCNP level certification, it doesn't cover much about dynamic routing?

CCNP R&S gives you a great understanding of the big picture. Sure the CCNP Sec by itself (w/o R&S) is success all on its own but if you have the foundation of CCNP R&S before Security it will really make you a lot more valuable because you can see the big picture instead of only the isolated firewall/security domain.

I highly disagree with being able to learn routing by the school of hard knocks. Sure you can learn it by trial and error but the whole point of certifications is to learn best practice. With dynamic routing protocols it is extremely important to know why it does what it does. By knowing the best practices with these things (which you learn through CCNP R&S) you are able to make better educated decisions that are more scalable and reliable in the long run.

There's my two cents

YFZblu

Great responses all, thank you. I'm focusing on the GSEC at the moment, so I have time. I may simmer for a while in this position before making any more decisions.

gorebrush

I found the CCNA Security was a very nice introduction into Security, but as I did the ISCW exam as part of my CCNP - a lot of it was review from that. I mean, you could probably just walk out of the ISCW exam, go and do the CCNA:S in the same day, they are quite similar.

Though, of course, ISCW was 3 years ago

pert

You don't need to know R&S for security, but you do need to understand the routing part. I've seen many cases where all the security work gets done to allow new traffic through the firewalls, get nat and everything else implemented, yet there is no route for the traffic in the other network to get back =D.

wintermute000

pert wrote: »

You don't need to know R&S for security, but you do need to understand the routing part. I've seen many cases where all the security work gets done to allow new traffic through the firewalls, get nat and everything else implemented, yet there is no route for the traffic in the other network to get back =D.

+111111

A firewall guy who doesn't understand R&S is one of the most frustrating obstacles a networker will face in their life, especially when it comes to routing through VPN topologies. I've seen it go so far as the FW work getting taken off the security team (who then get laid off) and put back onto network ops, who google/improv their way through it.

Someone with good R&S will be able to pick up firewalls, but the reverse is rarely true in my experience.

But you have a CCNA already so you theoretically should know ENOUGH. If your job is security then logically CCNP Sec is the best choice.

swild

From what I have seen, security pros are not expected to know networking. I was talking to a network manager about my aspirations to get into security. I asked him if getting into security without learning networking is anything like learning to run before learning to crawl. He said that it is more like learning to fly before learning to swim. Generally, whenever someone in security has a question about networking, they just hand the problem off to networking before it gets passed back to security.

That being said, I like knowing how things work and think that R&S should go before Security. Standing on someone else's shoulders means that it is much harder to take a step forward.

wintermute000

"Generally, whenever someone in security has a question about networking, they just hand the problem off to networking before it gets passed back to security."

Sorry, thats the kind of attitude that I find appalling.

I don't expect a security guy to know the syntax to configure XYZ on a router or understand routing protocols, but I do expect them to understand the basics of subnetting, switching and routing. How the ---- are they expected to evaluate security if they don't even understand the basic path the traffic is flowing through. The network is the #1 technical foundation of security.

Its pathetic and I've seen a lot of very pathetic security guys, all they do is forward vendor advisories and ask you 'is system X patched yet'. I don't even think most of them can code or sysadmin either so WTF are they there for. Can't understand how an exploit works, can't understand how an exploit spreads or an attack vector is created, sheesh lets tick some boxes and get paid LOL.

Pathetic.... btw I've known plenty of security guys who 'gets' networking. Much easier working with those people, they actually understand the implications of the R&S overall structure on security. If you treat the network as someone else's black box you're not going to do a very good job.... how the ---- are you going to do a good job on a firewall or IDS if you don't even understand the traffic flow through it. Note I'm talking about security engineers not general security guys i.e. if you have to deal with firewalls then you better understand R&S basics. The good guys also get systems, because they have to. (are you qualified to tell the DB admins what to do if you don't understand why SQL input parsing is important, and the consequences of running processes with extra privileges?).

I'm a R&S guy but I sure as heck understand the basics of vmware/ESX, because of all the jobs I have to do whereby we have to get connectivity into an vmware environment. What do you think would happen if I just threw up my hands and said 'its not a router or a switch I dunno'?

Thisguy131

Great stuff here guys!

ande0255

To add my 2 cents, I am currently (right now) working a ticket that started out as a possible ASA VPN Licensing issue, but it turns out the customers edge device is a router and not an ASA - and it is running OSPF and BGP.

I am the Voice / Security / Network team, so now I have to untangle this mess, and CCNP R/S level knowledge would come in handy right at the moment cause I am pretty much lost here.

Time for me to start on CCNP R/S pretty quick here