Options

New CCNP Security path

2

Comments

  • Options
    JobeneJobene Member Posts: 63 ■■■□□□□□□□
    Why that? Oo

    At "mine" branch, we are using 2xAsa5585x! And with ASDM and a little bit of Cli we are using them without any problem!
    And saying that ASA isnt a enterprise firewall because of asdm etc is a little bit of unfair!
  • Options
    veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Lack of Application "Layer-7" filtering makes it less than adequate in the world we live in. That's my main complaint. I would love to see Cisco embrace web application filtering.
  • Options
    Vask3nVask3n Member Posts: 517
    I think the main thing to remember about ASDM is that it's a direct extension of the CLI- every single option that shows up on the ASDM has a direct CLI equivalent (you can see this by enabling command previews before sending to device). Because of this, some of the options that appear on the GUI seem a little weird, redundant, or out of place. However, the built-in wizards usually do a pretty good job of abstracting the steps. I also wish that ASDM did not require Java.
    Working on MS-ISA at Western Governor's University
  • Options
    azaghulazaghul Member Posts: 569 ■■■■□□□□□□
    What I find interesting is the lack of focus on ASAs. I'm curious where Cisco is going with this. I'm also wondering how soon they will have books out for the next version.

    Based on the Cisco Press previous track record for R&S, Security or Voice...6-12 months...or in the case of Data Center or Service Provider..."one day over the rainbow"...icon_lol.gif
  • Options
    veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Yeah, that has never made any sense to me. You would think they would plan it out better in order to make more cash.
  • Options
    RouteMyPacketRouteMyPacket Member Posts: 1,104
    aaron0011 wrote: »
    But the management sucks. Sure ASDM has made strides but it's not great by no means.

    So this is why Cisco ASA isn't a sound enterprise level firewall solution? Please explain why it is not a valid solution, i'm interested to hear why.
    Lack of Application "Layer-7" filtering makes it less than adequate in the world we live in. That's my main complaint. I would love to see Cisco embrace web application filtering.

    This is at least a start at explaining some potential lacking features of the ASA platform. However, strides are being made with the new X generation and CX, application visibility is coming along. It's no Palo Alto in that regard but still to say it's not a sound platform is pure ignorance.

    Cisco Prime Security is looking awesome too.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • Options
    veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    I have nothing against the ASA for certain purposes, but when it comes to filtering and allowing only certain Web Apps (Facebook viewing but not posting, etc.) it's less than adequate (Which I'm stuck with doing). The worlds changing and I'm a little disappointed that Cisco is not trying to keep up. I should have been more specific on my complaints.

    You had every right to call me out.
  • Options
    RouteMyPacketRouteMyPacket Member Posts: 1,104
    I have nothing against the ASA for certain purposes, but when it comes to filtering and allowing only certain Web Apps (Facebook viewing but not posting, etc.) it's less than adequate (Which I'm stuck with doing). The worlds changing and I'm a little disappointed that Cisco is not trying to keep up. I should have been more specific on my complaints.

    You had every right to call me out.

    Read again, I have been asking aaron0011 to explain why it is not a good enterprise platform. You on the other hand actually began touching on some lacking functionality that I agree Cisco need to ramp up on.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • Options
    JobeneJobene Member Posts: 63 ■■■□□□□□□□
    but when it comes to filtering and allowing only certain Web Apps (Facebook viewing but not posting, etc.)
    Could be done with Asa.....

    True is that cisco WAS late!
    And back to the topic with the change of the ccnp security cisco has done the right step into the future!
  • Options
    shodownshodown Member Posts: 2,271
    Why isn't the ASA a sound enterprise firewall.


    Back in 2009 when we were looking at several firewalls. I'll just bring up the Palo Alto vs the ASA. At the time when we got the palo alto we were able to block facebook chat, and Games, while still allow users to get onto facebook. The ASA at the time could not do this. The ASA was still stuck in doing things at layer 3 which we could block the entire site, but not specific features. This was HUGE for my client at the time. You factor in that cisco is still stuck at a layer 3 mindset when it comes to firewalls instead of the application and tie in the lack of good tac engineers when you run into problems made us choose the Palo Alto over the ASA. The ASA had also lost to the Juniper VPN a year prior to that, but I wasn't involved with that purchase.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • Options
    SecurityThroughObscuritySecurityThroughObscurity Member Posts: 212 ■■■□□□□□□□
    I have nothing against the ASA for certain purposes, but when it comes to filtering and allowing only certain Web Apps (Facebook viewing but not posting, etc.) it's less than adequate (Which I'm stuck with doing). The worlds changing and I'm a little disappointed that Cisco is not trying to keep up. I should have been more specific on my complaints.

    You had every right to call me out.
    ASA CX will help.
  • Options
    RouteMyPacketRouteMyPacket Member Posts: 1,104
    shodown wrote: »
    Why isn't the ASA a sound enterprise firewall.


    Back in 2009 when we were looking at several firewalls. I'll just bring up the Palo Alto vs the ASA. At the time when we got the palo alto we were able to block facebook chat, and Games, while still allow users to get onto facebook. The ASA at the time could not do this. The ASA was still stuck in doing things at layer 3 which we could block the entire site, but not specific features. This was HUGE for my client at the time. You factor in that cisco is still stuck at a layer 3 mindset when it comes to firewalls instead of the application and tie in the lack of good tac engineers when you run into problems made us choose the Palo Alto over the ASA. The ASA had also lost to the Juniper VPN a year prior to that, but I wasn't involved with that purchase.

    I agree, and again you point out what was lacking in the ASA platform. Layer 7 visibility etc. but it's looking better these days. Also, if you do not have that specific requirement the ASA platform can secure the network edge with the best of them.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • Options
    StaunchyStaunchy Member Posts: 180
    I prefer Fortigate to Cisco firewalls but when it comes to switches, routers I will stick to Cisco. I'm yet to a chance to play around with Juniper.

    What is you guys take on CheckPoint?
    2016 Goals: CCNP R&S, CCNA Security, CCNP Security
    LinkedIn
  • Options
    shodownshodown Member Posts: 2,271
    I agree, and again you point out what was lacking in the ASA platform. Layer 7 visibility etc. but it's looking better these days. Also, if you do not have that specific requirement the ASA platform can secure the network edge with the best of them.


    So we are in kinda a agreement. My earlier post indicated that since I've been working for VAR's the majority of the past few years I have seen cisco loose footing to other players in the game. This explains why the CCSP, CCNP, and CCIE security tracks keep changing as they have to keep updating there products to stay in the game. If I was looking to get a CCNP it would make me kinda wary as it could be outdated in a few years, and getting the cert is a pretty large effort. All things in IT change, but I feel security is moving at a faster pace.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • Options
    Heracles004Heracles004 Member Posts: 50 ■■■□□□□□□□
    Well good thing IPS and Firewall are down, testing VPN on Thursday. I should be able to finish with no issues. But wow, way to spring it on us all of the sudden.
  • Options
    Vask3nVask3n Member Posts: 517
    Good luck Heracles, I am also taking it this week (Friday). Do you have any recommendations other than OCG and CBT Nuggets? I found the following free ipExpert videos on youtube:

    VPN High Availability
    CCNP Security Training Video :: VPN High Availability - Failover :: Exam 642-648 - VPN - YouTube

    IKEv2 L2L VPN
    CCIE Security Lab Video :: IKEv2 L2L VPN - YouTube

    ASA Certificate Maps
    CCNP Security :: ASA Certificate Maps - Exam 642-648 - VPN - YouTube

    IKEv1 IPSec Site-to-Site Digital Certificates
    CCNP Security :: IKEv1 IPSec Site-to-Site Digital Certificates - Exam 642-648 - VPN - YouTube
    Working on MS-ISA at Western Governor's University
  • Options
    Heracles004Heracles004 Member Posts: 50 ■■■□□□□□□□
    I guess we will find out Thursday afternoon if I had anything good. I used the OCG and the INE videos. I feel comfortable so hopefully it woks out well. Ill drop a new topic on the forums Thursday afternoon when I get home and tell you how it goes and anything I wasn't expecting.
  • Options
    viper75viper75 Member Posts: 726 ■■■■□□□□□□
    Man, what a pain this is. I'm almost done with the VPN v2 book. I was planning on re-reading the book again and keep labbing away. I'm not new to VPNs. I have implemented tons of them, but need to learn how Cisco wants you to learn before I take the test.

    Anyway, I have completed Firewall v2 already. I am planning to have VPN done before April. So just to get this clear. I have to take 300-207 SITCS
    Implementing Cisco Threat Control Solutions and 300-208 SISAS Implementing Cisco Secure Access Solutions to achieve the CCNP Security? The VPN and Firewall exams are still good for the CCNP Security. Is that right?
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
  • Options
    gregorio323gregorio323 Member Posts: 201 ■■■□□□□□□□
    :) I just want to give RouteMyPacket a hard time. I don't like the ASA cause when I look at it the lights blink at me! and it lacks personality that UMPH! :P
    Read again, I have been asking aaron0011 to explain why it is not a good enterprise platform. You on the other hand actually began touching on some lacking functionality that I agree Cisco need to ramp up on.
  • Options
    SteveO86SteveO86 Member Posts: 1,423
    Sigh... I passed my VPN exam a few weeks ago, so I only got 2 more exams to go.. (IPS & Secure)

    2 exams in 3 months...

    The race is on... I suppose...

    EDIT:

    Looks like the specialist certs are getting retired to
    https://learningnetwork.cisco.com/community/certifications/security
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Options
    mistabrumley89mistabrumley89 Member Posts: 356 ■■■□□□□□□□
    Just want wish everyone that has to rush their studies the best of luck.
    Goals: WGU BS: IT-Sec (DONE) | CCIE Written: In Progress
    LinkedIn: www.linkedin.com/in/charlesbrumley
  • Options
    instant000instant000 Member Posts: 1,745
    This looks like the future numbering scheme, based on what I've seen so far. Do they have this (the exam numbering scheme) published anywhere?

    100 - Freshman/Entry
    200 - Sophomore/Associate
    300 - Junior/Professional
    400 - Senior/Expert
    600 - Specialist

    Here's the link to all active exams: Current Exam List - IT Certification and Career Paths - Cisco Systems

    EDIT: Just today, a coworker was asking about taking exams for CCNP:Security, in order to renew his CCNA:Security. I advised him to take SECURE. I will have to revisit that advice tomorrow, LOL.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Options
    gregorio323gregorio323 Member Posts: 201 ■■■□□□□□□□
    Not really, the SECURE and any other exam if taken before the expiration date will count towards the NP Security until December 31st 2014. So, he can still take the SECURE :)
  • Options
    f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    Maybe I read it wrong but it says you only have until April 21, 2014 (not Dec. 31) to take the test?
    ______________________
    642-637 SECURE
    Securing Networks with Cisco Routers and Switches

    Last day to test
    April 21, 2014

    From: CCNP Security Certification Exams Migration Path - IT Certifications and Career Paths - Cisco Systems
  • Options
    Vask3nVask3n Member Posts: 517
    I think you are correct f0rgiv3n.

    The December 31 date is for the legacy exams

    " * Legacy exams will only be given credit and will be valid for achieving CCNP Security certification through December 31, 2014"
    Working on MS-ISA at Western Governor's University
  • Options
    f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    OHHH Now I get it... it made no sense at first. If you take and pass the exams before April 14, they still can be counted towards your CCNP Security in combination with the remaining NEW exams you will need to take to finish it off. Crazy.
  • Options
    gregorio323gregorio323 Member Posts: 201 ■■■□□□□□□□
    Correct. I don't think i was very clear icon_sad.gif but glad you caught on!
  • Options
    aaron0011aaron0011 Member Posts: 330
    It takes Iron Port and an ASA to form a viable firewall in today's networks with Cisco. The ASA is great with VPNs, ACLs, NATS, PATS, etc. It is not a complete solution. Iron Port is an awesome product btw and should be part of the Security track.

    I didn't say the ASA was completely useless. It's just not as good as Check Point and Palo Alto from a firewall perspective IMO. Layer 7 visibility mentioned above is one. Another example would be true hot HA. It takes contexts in the ASA world to provide true HA. Contexts are great but are limiting when it comes to features. I think having a dedicated management appliance (could be virtual) for the ASA platform would be awesome too to centrally manage devices and/clusters. Easy VPN on the other hand has a great load balancing HA feature. It's not a bad product, just needs improvement.

    I never plan to go down the Security track anyway so the change in exams doesn't mean anything for me. Good luck to those pursuing!
  • Options
    gregorio323gregorio323 Member Posts: 201 ■■■□□□□□□□
    Woah... You can't compare a stateful firewalls with a application firewalls!!! Though I do Love PAN (manage these things all day) if its not one thing I hate the most is the CLI is sooo dumb (PAN)!. I don't know what you mean by "TRUE" HA if PAN highly recommends not to use ACTIVE/ACTIVE! icon_sad.gif.

    Personally I'd prefer an ASA over a PAN (personal preference) though If i was recommending it to a client/customer definitely PAN cause even a 5yr old can manage a PAN :).
  • Options
    aaron0011aaron0011 Member Posts: 330
    I'll defend the ASA in regards to having full control in a familiar CLI. That said, with tons and tons of config day to day management and reference isn't ideal...and I am mostly a non GUI always CLI guy.

    I'm not Security focused so I won't pretend to be an expert. Just my opinion...and I'll continue to use ASAs in environments for certain functions. The tie in with CUCM with SSL VPN from IP phones is another fantastic feature. For a small office environment there isn't a better product than 5505 as well.
Sign In or Register to comment.