Path to Senior Network Security Engineer

flt0nujr Member Posts: 65
Well all, I'm slated to take the CCNA Security exam which I know I'm ready to pass, but I'm still at a crossroads when it comes to the next few steps after this. I've done some digging around and research on the following job roles:

Network Security Engineer
Network Security Analyst

Most of the jobs are asking for CCNP, CCNP Security, JNCIA, JNCIS FW, CISSP, Checkpoint. I know if I'm to be a successful Network Security Engineer I will need to have not just 2 or 3 of these certs but also an abundance of experience. Currently my job role allows me to touch Cisco firewalls, VPNs, NAT, and some load-balancing with Brocade and I feel that I'm getting good experience, but I'm reading that Juniper is more in demand when it comes to security along with Checkpoint and some Linux. It seems that Cisco ASAs are getting shot down hard. Not to mention, our IP team is bringing in Juniper routers for our infrastructure. So now I have to decide if I should stop at CCNA Security and just go all out with the Junos security path or just do both. Here's my career path map that I think will guide me to the promised land. I would like feedback from those working within the Network Security realm on this.

CCNA Security
CCNP Security ??
JNCIA
JNCIS-FW
Complete MSIS Security Management in 2014

Thanks
B.S Information Technology Telecommunications
A.S Network Server Administration
M.S Information Security Management (expected 2014-2015)

Comments

  • Nutsy Member Posts: 136
    Early in your career you need to focus on what you can get hands-on with, and get certified on that. Thus, if you have ASAs, and will for a couple months, do the CCNP:S. If you get the opportunity to work on Juniper hands-on, once finished with CCNP:S, do the Juniper certs.

    My logic is this. If I was hiring you at my company and I noticed your work experience stated Cisco, but you had certs for a vendor you didn't have real-world experience with, that just wouldn't make sense.

    Brass tacks: get proficient at whatever your company has. Get a "professional level" cert at whatever vendor, then expand. Once you are considered mid-career, if you apply for a job that has Juniper but you don't have experience, employers won't care. They will look at it as you have learned one vendor, and been successful. That proves you can learn another. Also, Cisco does have the best market presence. (Localities vary.) So, you shouldn't be bad off if you do the Cisco thing.

    Lastly, your career will evolve as time goes by. Just change with it and learn new things, and adapt. One cert, or job, doesn't define your career. Your cumulative actions do. For now though, just get good at one thing/vendor. Then move on to get a professional level understanding at the next technology/vendor.
  • instant000 Member Posts: 1,745
    If you've already decided that you want to be a network security engineer, then I see a basic, straightforward way to accomplish that.

    1 - CCNA:Security
    2 - Read the Voice, Wireless, and Design materials (don't necessarily test on them, but knowing these will make your understanding of usage scenarios for security and R&S easier)
    3 - CCNP:Security (studying this will make studying for your infosec classes easier, and also CISSP should be easier)
    4 - CISSP (it's well marketed. face the facts.)
    5 - Infosec Master's
    6 - CCNP:R&S (a big part of security is Availability of services. This course is good for making sure you have that, and according to Ahriakin, he wishes he'd done his CCNP before attempting the IE Security.)
    7 - CISM (it's time to be the boss [if you aren't already])
    8 - CCIE:Security (You probably have an in-depth picture of Cisco network security at this point.)
    9 - CCDA/CCDP (A big part of security is understanding the big picture of how everything fits together. This set should allow you to "zoom out" from your detailed look and look at things from a different perspective. You'll transition to the point where you design solutions, and get involved for high-level troubleshooting. With sound foundations in security and networking, you should be fine.)

    You should be at the point of either changing jobs or getting a promotion (or should have received several already) by the time you're at steps 4 and 5.

    I charge only $250/hour for certification recommendations. I appreciate speedy payment. :D
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • JDMurray Admin Posts: 13,091
    instant000 wrote:
    I charge only $250/hour for certification recommendations. I appreciate speedy payment. :D
    And TechExams.Net charges only $350 for each certification recommendation posted in our public forums by independent certification consultants. We appreciate a speedy payment too. ;)
  • instant000 Member Posts: 1,745
    Great, another losing business proposition, another tax deduction ...
  • flt0nujr Member Posts: 65
    All I have are IOUs.....
  • flt0nujr Member Posts: 65
    Nutsy, you're so right about only studying with what you can get your hands on. I don't have money to just go after certs I can't get experienced in. I've already spent money for Cisco books, gear, Boson, etc. Plus CCNP Routing lab books and video. The decision is made.

    CCNP Security
    CEH
    CISSP

    "IT'S ABOUT TO GO DOWN"
  • jasong318 Member Posts: 102
    Like others have said, it depends what the shop you're attached to runs. When my job title was 'Sr. Net Sec Eng', it was all Cisco so that's what all my networking certs are based on. But I think once you get the experience in, you've learned the core fundamentals and understand what is happening at each level of the OSI, the rest is just semantics of whatever equipment you might be using at the time, whether it's Cisco or Juniper. Most people during the tech interview will realize this I think...
  • YFZblu Member Posts: 1,462
    Just a thought - If you go too heavy on the Administration track (Cisco), you may be ruled out when it comes to Analyst jobs; or you will find that an Analyst job will quickly strip you of your Administration skills because they are not being used.

    I would recommend picking one (engineering or analyst) first.

    .02
  • docrice Member Posts: 1,706
    "Network security engineer" from a title perspective is very typically an infrastructure role dealing with firewalls, hardening layer 2 and 3 devices, IPS, maybe WAF, etc. I will warn however that vendor-based training and certifications generally teach you how to configure appliances, not instill a good security mindset. There can be a big difference between merely configuring boxes versus having a solid mental picture of how attacks work and defending against them. Commercial products are generally over-promised in their capabilities and you need to look beyond the literature and admin guides. Understanding and testing the limits of these devices is crucial, but a typically-neglected aspect of the job.

    My company is looking for additional head count in this realm and I've specifically told my manager that I don't want simple button-pushers, but rather individuals who understand a broad set of fundamentals to think and do analysis on a ton of nuances. The last time I interviewed several people who had histories in network security, I could tell they knew how to configure things, but not really dig deep and find the needle in the haystack.

    I'll agree with others in that as you're starting out, learn the vendor-specific knowledge on the equipment in front of you (Cisco, Juniper, Check Point, or whatever else it may be) and get comfortable with that. It gets the ball rolling. In time though, you should branch out and play with open source tools and read non-vendor material. Attend conferences like Black Hat, DEFCON, B-Sides, etc. as they'll open your eyes more.

    For example, in the IDS/IPS side of things, tinker with Snort or Suricata. Understanding how they work does a whole lot more good for you than simply knowing which buttons to tick in a web UI. I've learned that many people who are "network security engineers" who know firewalls and are also tasked with intrusion detection rarely can do the latter. This is kind of a sore point for me since I've dealt with a number of commercial products which are technically IPS, but I feel generally cater towards network engineers rather than network security engineers since they provide less depth and analysis workflow than I'd like.

    After a while, certifications become less important in the security space (not including HR expectations as they review resumes). We're looking for attitude, aptitude, and motivation. Understand the fundamentals and you can adapt that to any vendor product. And be aware that much of the job may involve frustrations stemming from the existing policy that you're enforcing as well as possibly limited management support on some of the efforts which you'll no doubt consider important, but deemed secondary in business priorities of the organization you work for.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • flt0nujr Member Posts: 65
    So, now that I'm in the role Network Engineer IP Tier1 spot, I'm now beginning to understand the importance of skill and not so much of the paper certification, or selecting the proper one. So, I've been giving some much needed thought over the last few months and it seems that CCNP would be the best option since it touches on the following:

    Wireless
    Voice
    Layer 2 Security
    QOS
    COS
    BGP, OSPF, Troubleshooting

    Then later tackle the CEH and just stop right there for a while. The CCNP Security seems to be centrally focused on Firewall (which I already know some of), VPN (I know some of), IPS (Just shunning IPs and need more info) and Layer 2 type secure (surprisingly CCNP covers a lot of this). So, I'm only looking at the CCNP, CEH at this time for now along with my MSIS degree in 2014. I don't have too much time to just study all day and night especially with a wife and (2) kids. I'll just hang my hat there and sharpen my skills on Snort, Wireshark and Suricata, by the way thanks for that information docrice. It was clear, precise, and honest.