New CCNP Security path

Comments

  • Jobene (Member, Posts: 63)
    Why that? Oo

    At "mine" branch, we are using 2x ASA 5585-X! And with ASDM and a little bit of CLI we are using them without any problem!
    And saying that the ASA isn't an enterprise firewall because of ASDM etc. is a little bit unfair!
  • veritas_libertas (Member, Posts: 5,746)
    Lack of Application "Layer-7" filtering makes it less than adequate in the world we live in. That's my main complaint. I would love to see Cisco embrace web application filtering.
  • Vask3n (Member, Posts: 517)
    I think the main thing to remember about ASDM is that it's a direct extension of the CLI: every single option that shows up in ASDM has a direct CLI equivalent (you can see this by enabling command previews before sending to the device). Because of this, some of the options that appear in the GUI seem a little weird, redundant, or out of place. However, the built-in wizards usually do a pretty good job of abstracting the steps. I also wish that ASDM did not require Java.
    Working on MS-ISA at Western Governor's University
  • azaghul (Member, Posts: 569)
    What I find interesting is the lack of focus on ASAs. I'm curious where Cisco is going with this. I'm also wondering how soon they will have books out for the next version.

    Based on Cisco Press's previous track record for R&S, Security or Voice...6-12 months...or in the case of Data Center or Service Provider..."one day over the rainbow"...
  • veritas_libertas (Member, Posts: 5,746)
    Yeah, that has never made any sense to me. You would think they would plan it out better in order to make more cash.
  • RouteMyPacket (Member, Posts: 1,104)
    aaron0011 wrote: »
    But the management sucks. Sure, ASDM has made strides, but it's not great by any means.

    So this is why the Cisco ASA isn't a sound enterprise-level firewall solution? Please explain why it is not a valid solution; I'm interested to hear why.
    veritas_libertas wrote: »
    Lack of Application "Layer-7" filtering makes it less than adequate in the world we live in. That's my main complaint. I would love to see Cisco embrace web application filtering.

    This is at least a start at explaining some potentially lacking features of the ASA platform. However, strides are being made with the new X generation and CX; application visibility is coming along. It's no Palo Alto in that regard, but still, to say it's not a sound platform is pure ignorance.

    Cisco Prime Security is looking awesome too.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test: if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
  • veritas_libertas (Member, Posts: 5,746)
    I have nothing against the ASA for certain purposes, but when it comes to filtering and allowing only certain web apps (Facebook viewing but not posting, etc.) it's less than adequate (which I'm stuck with doing). The world's changing and I'm a little disappointed that Cisco is not trying to keep up. I should have been more specific in my complaints.

    You had every right to call me out.
  • RouteMyPacket (Member, Posts: 1,104)
    veritas_libertas wrote: »
    I have nothing against the ASA for certain purposes, but when it comes to filtering and allowing only certain web apps (Facebook viewing but not posting, etc.) it's less than adequate (which I'm stuck with doing). The world's changing and I'm a little disappointed that Cisco is not trying to keep up. I should have been more specific in my complaints.

    You had every right to call me out.

    Read again: I have been asking aaron0011 to explain why it is not a good enterprise platform. You, on the other hand, actually began touching on some lacking functionality that I agree Cisco needs to ramp up on.
  • Jobene (Member, Posts: 63)
    veritas_libertas wrote: »
    but when it comes to filtering and allowing only certain Web Apps (Facebook viewing but not posting, etc.)
    Could be done with the ASA.....

    It's true that Cisco WAS late!
    And back to the topic: with the change of the CCNP Security, Cisco has made the right step into the future!
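    One way to do what Jobene says the ASA can do, written here as an added example that is not from the original thread and not Cisco's own documentation: a Modular Policy Framework (MPF) HTTP inspection policy that drops HTTP POST requests whose Host header matches facebook.com while leaving GET requests (viewing) alone. The object names (FACEBOOK_HOST, FACEBOOK_HOSTS, FB_POST, FB_HTTP_POLICY, HTTP_TRAFFIC) are assumptions; global_policy is the ASA's default global policy name, which may have been renamed on a given box.

```cisco
! --- Assumed example config, not from the thread or from Cisco docs ---
! Regex for the Host header; the ASA regex dialect uses \. for a literal dot.
regex FACEBOOK_HOST "facebook\.com"

! Regex class so more hosts (CDN names, etc.) can be added in one place later.
class-map type regex match-any FACEBOOK_HOSTS
 match regex FACEBOOK_HOST

! Layer-7 match: both conditions must hold (match-all): method POST and Host header facebook.
class-map type inspect http match-all FB_POST
 match request method post
 match request header host regex class FACEBOOK_HOSTS

! HTTP inspection policy: drop the matching POST, log it; everything else passes.
policy-map type inspect http FB_HTTP_POLICY
 parameters
  protocol-violation action drop-connection
 class FB_POST
  drop-connection log

! Layer-3/4 class that selects the traffic the HTTP inspector will look at.
! Only cleartext TCP/80 is useful here; see the caveat below.
class-map HTTP_TRAFFIC
 match port tcp eq www

! Hook the inspection into the existing global policy.
policy-map global_policy
 class HTTP_TRAFFIC
  inspect http FB_HTTP_POLICY

service-policy global_policy global
```

    To verify it is taking hits, use `show service-policy inspect http` and watch the drop counters while submitting a form from a test client. The caveat that decides whether this is "adequate", and it is the same point the other posters are making: HTTP inspection only sees cleartext. Once a site is served over HTTPS (Facebook moved to HTTPS by default in 2013), the ASA cannot read the method or the Host header without decrypting TLS, which the classic ASA does not do on its own, so this policy silently stops distinguishing viewing from posting and you are back to blocking or allowing the whole site by IP or by FQDN.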
  • shodown (Member, Posts: 2,271)
    Why isn't the ASA a sound enterprise firewall?


    Back in 2009 we were looking at several firewalls. I'll just bring up the Palo Alto vs the ASA. At the time, when we got the Palo Alto, we were able to block Facebook chat and games while still allowing users to get onto Facebook. The ASA at the time could not do this. The ASA was still stuck doing things at layer 3: we could block the entire site, but not specific features. This was HUGE for my client at the time. You factor in that Cisco is still stuck in a layer 3 mindset when it comes to firewalls instead of the application, and tie in the lack of good TAC engineers when you run into problems, and that made us choose the Palo Alto over the ASA. The ASA had also lost to the Juniper VPN a year prior to that, but I wasn't involved with that purchase.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • SecurityThroughObscurity (Member, Posts: 212)
    veritas_libertas wrote: »
    I have nothing against the ASA for certain purposes, but when it comes to filtering and allowing only certain web apps (Facebook viewing but not posting, etc.) it's less than adequate (which I'm stuck with doing). The world's changing and I'm a little disappointed that Cisco is not trying to keep up. I should have been more specific in my complaints.

    You had every right to call me out.
    ASA CX will help.
  • RouteMyPacket (Member, Posts: 1,104)
    shodown wrote: »
    Why isn't the ASA a sound enterprise firewall?


    Back in 2009 we were looking at several firewalls. I'll just bring up the Palo Alto vs the ASA. At the time, when we got the Palo Alto, we were able to block Facebook chat and games while still allowing users to get onto Facebook. The ASA at the time could not do this. The ASA was still stuck doing things at layer 3: we could block the entire site, but not specific features. This was HUGE for my client at the time. You factor in that Cisco is still stuck in a layer 3 mindset when it comes to firewalls instead of the application, and tie in the lack of good TAC engineers when you run into problems, and that made us choose the Palo Alto over the ASA. The ASA had also lost to the Juniper VPN a year prior to that, but I wasn't involved with that purchase.

    I agree, and again you point out what was lacking in the ASA platform: Layer 7 visibility, etc. But it's looking better these days. Also, if you do not have that specific requirement, the ASA platform can secure the network edge with the best of them.
  • Staunchy (Member, Posts: 180)
    I prefer Fortigate to Cisco firewalls, but when it comes to switches and routers I will stick to Cisco. I've yet to have a chance to play around with Juniper.

    What is you guys' take on Check Point?
    2016 Goals: CCNP R&S, CCNA Security, CCNP Security
    LinkedIn
  • shodown (Member, Posts: 2,271)
    RouteMyPacket wrote: »
    I agree, and again you point out what was lacking in the ASA platform: Layer 7 visibility, etc. But it's looking better these days. Also, if you do not have that specific requirement, the ASA platform can secure the network edge with the best of them.


    So we are kind of in agreement. My earlier post indicated that since I've been working for VARs for the majority of the past few years, I have seen Cisco lose footing to other players in the game. This explains why the CCSP, CCNP, and CCIE Security tracks keep changing, as they have to keep updating their products to stay in the game. If I was looking to get a CCNP it would make me kind of wary, as it could be outdated in a few years, and getting the cert is a pretty large effort. All things in IT change, but I feel security is moving at a faster pace.
  • Heracles004 (Member, Posts: 50)
    Well, good thing IPS and Firewall are down; testing VPN on Thursday. I should be able to finish with no issues. But wow, way to spring it on us all of a sudden.
  • Vask3n (Member, Posts: 517)
    Good luck Heracles, I am also taking it this week (Friday). Do you have any recommendations other than the OCG and CBT Nuggets? I found the following free ipExpert videos on YouTube:

    VPN High Availability
    CCNP Security Training Video :: VPN High Availability - Failover :: Exam 642-648 - VPN - YouTube

    IKEv2 L2L VPN
    CCIE Security Lab Video :: IKEv2 L2L VPN - YouTube

    ASA Certificate Maps
    CCNP Security :: ASA Certificate Maps - Exam 642-648 - VPN - YouTube

    IKEv1 IPSec Site-to-Site Digital Certificates
    CCNP Security :: IKEv1 IPSec Site-to-Site Digital Certificates - Exam 642-648 - VPN - YouTube
  • Heracles004 (Member, Posts: 50)
    I guess we will find out Thursday afternoon if I had anything good. I used the OCG and the INE videos. I feel comfortable, so hopefully it works out well. I'll drop a new topic on the forums Thursday afternoon when I get home and tell you how it goes and anything I wasn't expecting.
  • viper75 (Member, Posts: 726)
    Man, what a pain this is. I'm almost done with the VPN v2 book. I was planning on re-reading the book again and keep labbing away. I'm not new to VPNs. I have implemented tons of them, but I need to learn how Cisco wants you to learn before I take the test.

    Anyway, I have completed Firewall v2 already. I am planning to have VPN done before April. So just to get this clear: I have to take 300-207 SITCS Implementing Cisco Threat Control Solutions and 300-208 SISAS Implementing Cisco Secure Access Solutions to achieve the CCNP Security? The VPN and Firewall exams are still good for the CCNP Security. Is that right?
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
  • gregorio323 (Member, Posts: 201)
    RouteMyPacket wrote: »
    Read again: I have been asking aaron0011 to explain why it is not a good enterprise platform. You, on the other hand, actually began touching on some lacking functionality that I agree Cisco needs to ramp up on.

    :) I just want to give RouteMyPacket a hard time. I don't like the ASA 'cause when I look at it the lights blink at me! And it lacks personality, that UMPH! :P
  • SteveO86 (Member, Posts: 1,423)
    Sigh... I passed my VPN exam a few weeks ago, so I've only got 2 more exams to go.. (IPS & Secure)

    2 exams in 3 months...

    The race is on... I suppose...

    EDIT:

    Looks like the specialist certs are getting retired too:
    https://learningnetwork.cisco.com/community/certifications/security
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • mistabrumley89 (Member, Posts: 356)
    Just want to wish everyone that has to rush their studies the best of luck.
    Goals: WGU BS: IT-Sec (DONE) | CCIE Written: In Progress
    LinkedIn: www.linkedin.com/in/charlesbrumley
  • instant000 (Member, Posts: 1,745)
    This looks like the future numbering scheme, based on what I've seen so far. Do they have this (the exam numbering scheme) published anywhere?

    100 - Freshman/Entry
    200 - Sophomore/Associate
    300 - Junior/Professional
    400 - Senior/Expert
    600 - Specialist

    Here's the link to all active exams: Current Exam List - IT Certification and Career Paths - Cisco Systems

    EDIT: Just today, a coworker was asking about taking exams for CCNP: Security in order to renew his CCNA: Security. I advised him to take SECURE. I will have to revisit that advice tomorrow, LOL.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • gregorio323 (Member, Posts: 201)
    Not really; the SECURE and any other exam, if taken before the expiration date, will count towards the NP Security until December 31st, 2014. So, he can still take the SECURE :)
  • f0rgiv3n (Member, Posts: 598)
    Maybe I read it wrong but it says you only have until April 21, 2014 (not Dec. 31) to take the test?
    ______________________
    642-637 SECURE
    Securing Networks with Cisco Routers and Switches

    Last day to test
    April 21, 2014

    From: CCNP Security Certification Exams Migration Path - IT Certifications and Career Paths - Cisco Systems
  • Vask3n (Member, Posts: 517)
    I think you are correct f0rgiv3n.

    The December 31 date is for the legacy exams

    " * Legacy exams will only be given credit and will be valid for achieving CCNP Security certification through December 31, 2014"
  • f0rgiv3n (Member, Posts: 598)
    OHHH, now I get it... it made no sense at first. If you take and pass the exams before April 14, they still can be counted towards your CCNP Security in combination with the remaining NEW exams you will need to take to finish it off. Crazy.
  • gregorio323 (Member, Posts: 201)
    Correct. I don't think I was very clear, but glad you caught on!
  • aaron0011 (Member, Posts: 330)
    It takes IronPort and an ASA to form a viable firewall in today's networks with Cisco. The ASA is great with VPNs, ACLs, NATs, PATs, etc. It is not a complete solution. IronPort is an awesome product, btw, and should be part of the Security track.

    I didn't say the ASA was completely useless. It's just not as good as Check Point and Palo Alto from a firewall perspective, IMO. Layer 7 visibility mentioned above is one. Another example would be true hot HA. It takes contexts in the ASA world to provide true HA. Contexts are great but are limiting when it comes to features. I think having a dedicated management appliance (could be virtual) for the ASA platform would be awesome too, to centrally manage devices and/or clusters. Easy VPN, on the other hand, has a great load-balancing HA feature. It's not a bad product, it just needs improvement.

    I never plan to go down the Security track anyway so the change in exams doesn't mean anything for me. Good luck to those pursuing!
  • gregorio323 (Member, Posts: 201)
    Woah... You can't compare a stateful firewall with an application firewall!!! Though I do love PAN (I manage these things all day), if there's one thing I hate the most, it's that the CLI is sooo dumb (PAN)! I don't know what you mean by "TRUE" HA if PAN highly recommends not to use ACTIVE/ACTIVE!

    Personally I'd prefer an ASA over a PAN (personal preference), though if I was recommending it to a client/customer, definitely PAN, 'cause even a 5-year-old can manage a PAN :).
  • aaron0011 (Member, Posts: 330)
    I'll defend the ASA in regards to having full control in a familiar CLI. That said, with tons and tons of config, day-to-day management and reference isn't ideal...and I am mostly a non-GUI, always-CLI guy.

    I'm not Security focused, so I won't pretend to be an expert. Just my opinion...and I'll continue to use ASAs in environments for certain functions. The tie-in with CUCM with SSL VPN from IP phones is another fantastic feature. For a small office environment there isn't a better product than the 5505 as well.