Jump to content


CCSP My Thoughts


  • Please log in to reply
19 replies to this topic

#1 TheDarkLord

TheDarkLord

    Cisco and Unix Expert

  • Veterans
  • PipPipPipPip
  • 851 posts
  • Gender:Male

Posted 29 March 2009 - 09:05 AM

Ok so i have been debating with myself and my other half (my wife of ten years) on whether i should go for CCIE R&S or should choose the security track. I have my CCNP and i could easily go for CCIE Security, but i decided otherwise. So here i am.

I have decided to take this from a noobs perspective (no offense). i am gonna go through each exam and the main technology that i would need to get prepared for it. I have spent the last weeks trying to gather as much information as possible.

Pre-requisites:

If you have a CCNA and you have passed the SND exam you are got to go. If not you will need to clear the CCNA Security to satisfy the prerequisites.

Exams:

In addition to the pre-requisites you have to pass three required exams and choose one more from the elective exams. Any exam from the electives will satisfy the Certification requirements.

So lets see what you would need to pass these exams. I will also include the study materials that i will be using for each exam.


1) 642-504 SNRS Securing Networks with Cisco Routers and Switches (SNRS)

As the name suggests, securing networks with routers and switches. Expect to use a lot of CLI for this exam. You will be required to configure VPNs, IOS-IPS, layer-2 security and CBAC.

I think this is one of the hardest one in all the CCSP exams. Lots and lots of CLI configurations that surely will give you nightmares.


2.) 642-524 SNAF Securing Networks with ASA Foundation (SNAF)

This is like SNRS but all GUI based. Yup the foundation and the concepts are the same. But instead of using the CLI to perform the security functions you will be required to use a security appliance. You will be using ASDM to do most of the configurations, don't get me wrong you will still be required to do CLI based configurations. You will be using ASDM to configure VPNs, AAA, L3/L4 protocol inspections and firewalls.

This just like SDM, you can either run ASDM on a pc or install it on the ASA device.


3) 642-533 IPS Implementing Cisco Intrusion Prevention System (IPS)

You will be required to deploy, configure, and administer Cisco IPS sensors to protect network devices as well as efficiently manage IPS alarms. This exam is all about IPS. So you have to dig deep and get into the core of Cisco IPS.

Once again you will be required to know how to configure IPS using CLI. There are other appliances also that you will need to use including Cisco IDM and IEV.


4) Elective Exams (Choose One)


a) 642-591 CANAC Implementing Cisco NAC Appliance (CANAC)

So what is NAC?
The NAC Appliance (Cisco Clean Access) is a "shrink-wrapped" network admission control solution that recognizes users, their devices and roles; evaluates the security posture of the endpoint and scans for vulnerabilities; and enforces policy in the network. In particular, prior to allowing users onto the network, the NAC Appliance (Cisco Clean Access) solution allows administrators to authenticate, authorize, interrogate and remediate users and their machines enforcing policy based access control on the network.


b.) 642-545 MARS Implementing Cisco Security Monitoring, Analysis and Response System (MARS)

One more security appliance to know off. Once again GUI based and a lot of configuration involved including installing and maintenance along with event and traffic inspections.

c) 642-515 SNAA Securing Networks with ASA Advanced (SNAA)

As the name suggests it is basically SNAF on steroids. You will be required to configure advance features on ASA, including configuring the ASA 5505 dual-ISP support, configuring ASA 5505 VLANs, configuring policy NAT, installing and configuring the Cisco Secure Desktop, configuring the security appliance to pass multicast traffic, configuring Layer 7 class maps and policy maps, and initializing the AIP-SSM and CSC-SSM.

Note: For a complete list of exam objective please visit the cisco's website.


Certification Notes: (things you will need)

i) If you are using GNS3, make sure you are using IOSs with version 12.4(6)T and newer.
ii) ASA and PIX Security Appliance 8.0 AKA ASA 5500 Rev 8.
iii) Adaptive Security Device Manager (ASDM) Version 5.0(2) or 6

Now don't get confused here Cisco ASA are devices, security devices. Using ASA you can configure NAT, VPNs and IPS. More information here : http://www.cisco.com...120/index.html.


My preparations:

Lets be honest i can't in my dreams afford an ASA device to work on, i mean come on they range from $1500 to 10K. So i will be using virtualization to achieve my goals. I will be using GNS, Pemu and Qemu to emulate an ASA device.

Next i will need to get my hands on ASDM. I haven't downloaded it yet, because i couldn't find the version 6.0.

I am also going to need to find some IOSs that support IPS and other security features.

Lets take a minute here. If you look at at its not that difficult. Look you need to know everything about ASA devices, and in doing so you will need to understand all the theory behind the security features as well as the applications you will be using to perform these tasks.

I have decided to take the SNAF and SNAA first and then the SNRS and IPS. I am pairing them because they are related to each other.

So stay tuned i will open another thread for my first two exams and post as i progress.
  • 0

#2 CiscoPal

CiscoPal

    Newbie

  • Members
  • Pip
  • 12 posts
  • Gender:Male

Posted 29 March 2009 - 12:13 PM

Ok so i have been debating with myself and my other half (my wife of ten years) on whether i should go for CCIE R&S or should choose the security track. I have my CCNP and i could easily go for CCIE Security, but i decided otherwise. So here i am.

I have decided to take this from a noobs perspective (no offense). i am gonna go through each exam and the main technology that i would need to get prepared for it. I have spent the last weeks trying to gather as much information as possible.

Pre-requisites:

If you have a CCNA and you have passed the SND exam you are got to go. If not you will need to clear the CCNA Security to satisfy the prerequisites.

Exams:

In addition to the pre-requisites you have to pass three required exams and choose one more from the elective exams. Any exam from the electives will satisfy the Certification requirements.

So lets see what you would need to pass these exams. I will also include the study materials that i will be using for each exam.


1) 642-504 SNRS Securing Networks with Cisco Routers and Switches (SNRS)

As the name suggests, securing networks with routers and switches. Expect to use a lot of CLI for this exam. You will be required to configure VPNs, IOS-IPS, layer-2 security and CBAC.

I think this is one of the hardest one in all the CCSP exams. Lots and lots of CLI configurations that surely will give you nightmares.


2.) 642-524 SNAF Securing Networks with ASA Foundation (SNAF)

This is like SNRS but all GUI based. Yup the foundation and the concepts are the same. But instead of using the CLI to perform the security functions you will be required to use a security appliance. You will be using ASDM to do most of the configurations, don't get me wrong you will still be required to do CLI based configurations. You will be using ASDM to configure VPNs, AAA, L3/L4 protocol inspections and firewalls.

This just like SDM, you can either run ASDM on a pc or install it on the ASA device.


3) 642-533 IPS Implementing Cisco Intrusion Prevention System (IPS)

You will be required to deploy, configure, and administer Cisco IPS sensors to protect network devices as well as efficiently manage IPS alarms. This exam is all about IPS. So you have to dig deep and get into the core of Cisco IPS.

Once again you will be required to know how to configure IPS using CLI. There are other appliances also that you will need to use including Cisco IDM and IEV.


4) Elective Exams (Choose One)


a) 642-591 CANAC Implementing Cisco NAC Appliance (CANAC)

So what is NAC?
The NAC Appliance (Cisco Clean Access) is a "shrink-wrapped" network admission control solution that recognizes users, their devices and roles; evaluates the security posture of the endpoint and scans for vulnerabilities; and enforces policy in the network. In particular, prior to allowing users onto the network, the NAC Appliance (Cisco Clean Access) solution allows administrators to authenticate, authorize, interrogate and remediate users and their machines enforcing policy based access control on the network.


b.) 642-545 MARS Implementing Cisco Security Monitoring, Analysis and Response System (MARS)

One more security appliance to know off. Once again GUI based and a lot of configuration involved including installing and maintenance along with event and traffic inspections.

c) 642-515 SNAA Securing Networks with ASA Advanced (SNAA)

As the name suggests it is basically SNAF on steroids. You will be required to configure advance features on ASA, including configuring the ASA 5505 dual-ISP support, configuring ASA 5505 VLANs, configuring policy NAT, installing and configuring the Cisco Secure Desktop, configuring the security appliance to pass multicast traffic, configuring Layer 7 class maps and policy maps, and initializing the AIP-SSM and CSC-SSM.

Note: For a complete list of exam objective please visit the cisco's website.


Certification Notes: (things you will need)

i) If you are using GNS3, make sure you are using IOSs with version 12.4(6)T and newer.
ii) ASA and PIX Security Appliance 8.0 AKA ASA 5500 Rev 8.
iii) Adaptive Security Device Manager (ASDM) Version 5.0(2) or 6

Now don't get confused here Cisco ASA are devices, security devices. Using ASA you can configure NAT, VPNs and IPS. More information here : http://www.cisco.com...120/index.html.


My preparations:

Lets be honest i can't in my dreams afford an ASA device to work on, i mean come on they range from $1500 to 10K. So i will be using virtualization to achieve my goals. I will be using GNS, Pemu and Qemu to emulate an ASA device.

Next i will need to get my hands on ASDM. I haven't downloaded it yet, because i couldn't find the version 6.0.

I am also going to need to find some IOSs that support IPS and other security features.

Lets take a minute here. If you look at at its not that difficult. Look you need to know everything about ASA devices, and in doing so you will need to understand all the theory behind the security features as well as the applications you will be using to perform these tasks.

I have decided to take the SNAF and SNAA first and then the SNRS and IPS. I am pairing them because they are related to each other.

So stay tuned i will open another thread for my first two exams and post as i progress.


thanks for all the supporting pal, :D!

Hi pal, these days im studyng for getting soon SNRS exam, but i want to ask you what exactly study material i should have for getting pass this harder one, im studying from old books (642-503) and also i dont have yet a software that helps me out to configure and practice some CLI security commands, can you tell me a one to?

ill reallly appreciate all your help, thank in avance pal, and have a nice day!
  • 0

#3 Sameh G. Abd-elmalak

Sameh G. Abd-elmalak

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 29 March 2009 - 12:43 PM

thanks for all the supporting pal, :D!

Hi pal, these days im studyng for getting soon SNRS exam, but i want to ask you what exactly study material i should have for getting pass this harder one, im studying from old books (642-503) and also i dont have yet a software that helps me out to configure and practice some CLI security commands, can you tell me a one to?

ill reallly appreciate all your help, thank in avance pal, and have a nice day!



i am also prepare for snrs and it is quite painfull full of ((((((CLI)))))) i hope i can study all of them (seems a dream) .
i study from cbt nuggets & cisco snrs student guide V.2 & lab guide V.2 & my lab (gns3 (2611xm router ios) , vmware with 2 machines (win server 2003 & win xp) , sdm ).
my questions :
1- does cisco snrs student guide V.2 & lab guide V.2 can carry the hole operation or i need more materials and if found what is it ?
2- whats the different between 503 & 504
:blink:

thank you
  • 0

#4 cisco_bobby

cisco_bobby

    Newbie

  • Members
  • Pip
  • 8 posts
  • Gender:Male
  • Location:Europe

Posted 29 March 2009 - 06:47 PM

i am also prepare for snrs and it is quite painfull full of ((((((CLI)))))) i hope i can study all of them (seems a dream) .
i study from cbt nuggets & cisco snrs student guide V.2 & lab guide V.2 & my lab (gns3 (2611xm router ios) , vmware with 2 machines (win server 2003 & win xp) , sdm ).
my questions :
1- does cisco snrs student guide V.2 & lab guide V.2 can carry the hole operation or i need more materials and if found what is it ?
2- whats the different between 503 & 504
:blink:

thank you



Hi,

the differences i have seen, is that there will be less AAA and a lot of GDOI (DMVPN). That are the major differences i think.
Theres a new quick reference sheet from cisco press. Maybe have a look at that one.

regards,

cisco_bobby

Edited by cisco_bobby, 29 March 2009 - 06:48 PM.

  • 0

#5 CiscoPal

CiscoPal

    Newbie

  • Members
  • Pip
  • 12 posts
  • Gender:Male

Posted 30 March 2009 - 03:34 AM

Hi,

the differences i have seen, is that there will be less AAA and a lot of GDOI (DMVPN). That are the major differences i think.
Theres a new quick reference sheet from cisco press. Maybe have a look at that one.

regards,

cisco_bobby


hi pal,

could you address or link me where i can get the lastest reference sheet from cisco press?

thanks in advance!

have a nice day!
  • 0

#6 CertBuster

CertBuster

    Cisco and MS Security

  • Members
  • PipPipPip
  • 314 posts
  • Gender:Male
  • Location:UK

Posted 30 March 2009 - 10:53 AM

Well, I am CCSP since last year.

@TheDarkLord

I think you are making right move after finishing CCNP. I personally lacking R&S skills because I went for CCNA and CCNA Security path to finish my CCSP last year. Now I feel doing CCNP.

"....I have decided to take the SNAF and SNAA first and then the SNRS and IPS. I am pairing them because they are related to each other." <----- I would say do SNRS then SNAF after these two go for SNAA then IPS because IPS will be easier after SNAA due to introduction of IPS module in ASA.

In term of SNRS study material I would recommend SNRS 503 study guides because they are more focused for CLI, ACS and will definitely give big advantage for CCIE Sec studies. Remember CCIE Lab is all about CLI exam except some IDM/IPS Manager Express of IPS. New SNRS is missing CLI and less ACS in it because they pushed some stuff in CCNA Sec. So for new SNRS 504 I would recommend reading SNRS 503 study Guides for CLI and CCNA Sec for GUI material. New SNRS have GET VPN and some SSL VPN.


@Sameh G. Abd-elmalak

See my response above for CLI and GUI. But try to practice and understand partial config of router to find the fault of miss configs. They might ask you such questions, so knowing syntax are important too.

Well, If you have all CCSP Study Guides then you are in better position to do each module. You can build up Lab to practice them. when I did my CCSP last year I didn't have these resources and I had to use old books to pass them. So If you have Lab Guides with Initial Config and Physical Topology/Connection details then I would request you to share with me. I would love to try all Lab Guides at home to refresh my memory.


i am also prepare for snrs and it is quite painfull full of ((((((CLI)))))) i hope i can study all of them (seems a dream) .
i study from cbt nuggets & cisco snrs student guide V.2 & lab guide V.2 & my lab (gns3 (2611xm router ios) , vmware with 2 machines (win server 2003 & win xp) , sdm ).
my questions :
1- does cisco snrs student guide V.2 & lab guide V.2 can carry the hole operation or i need more materials and if found what is it ?
2- whats the different between 503 & 504
:blink:

thank you


Edited by CertBuster, 30 March 2009 - 10:54 AM.

  • 0

#7 cisco_bobby

cisco_bobby

    Newbie

  • Members
  • Pip
  • 8 posts
  • Gender:Male
  • Location:Europe

Posted 30 March 2009 - 06:52 PM

hi pal,

could you address or link me where i can get the lastest reference sheet from cisco press?

thanks in advance!

have a nice day!



Hi,

you can get it as digital shortcut at ciscopress. Its new for the 504 exam.

regards,

cisco_bobby
  • 0

#8 100%digital

100%digital

    Newbie

  • Members
  • Pip
  • 15 posts

Posted 09 April 2009 - 03:14 AM

I have been studing for the SNRS exam for the last month, the only concepts that I find cumbersome are DMVPM... Would anybody like to comment regarding DMVPN on the SNRS???

best,

J
  • 0

#9 chumohod

chumohod

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 14 June 2009 - 03:52 AM

I wonder why doesn't overquoting get punished?

It pains to read these sheets of quoted text and then a two line comment.

Think a bit before posting guys, thank you.
  • 0

#10 TheDarkLord

TheDarkLord

    Cisco and Unix Expert

  • Veterans
  • PipPipPipPip
  • 851 posts
  • Gender:Male

Posted 23 June 2009 - 06:01 AM

^^^^^ Did you even study?
  • 0

#11 ManishBehal

ManishBehal

    Super Member

  • Members
  • PipPipPipPip
  • 989 posts
  • Gender:Male

Posted 23 June 2009 - 06:20 AM

Nice plan. I was thinking of doing the same thing, but decided to dive straight into the IE Security on the back of my RS. As for emulation od the ASA good luck, I spent many hours with little sucess in doing this. I would be intereted in reading how you managed to get it to work. In the end I bit the bullet and have decided to spend the 10,000GBP on building my own Security racks, ASA and IPS included.
  • 0

#12 100%digital

100%digital

    Newbie

  • Members
  • Pip
  • 15 posts

Posted 23 June 2009 - 06:41 AM

QUOTE (TheDarkLord @ Jun 23 2009, 07:01 AM) <{POST_SNAPBACK}>
^^^^^ Did you even study?


your joking right? My work is paying for me to EARN a ccsp, i've two training classes via global knowledge, have a pretty decent test enviroment (couple of 2851xm's and a 3550, and studied pretty hard.

My question is simple. isn't that the nature of this forum, to answer/assist with questions?

If an CBAC rule is being used, then traffic is inspected in the "IN" direction, CBAC opens returns ports... as opposed to "fixup", or a reflexive ACL.


so is the ACL denying the return traffic or outbound traffic???

regards,

j
  • 0

#13 100%digital

100%digital

    Newbie

  • Members
  • Pip
  • 15 posts

Posted 23 June 2009 - 06:45 AM

...its is my position that the traffic is being denied by a "return" acl
  • 0

#14 TheDarkLord

TheDarkLord

    Cisco and Unix Expert

  • Veterans
  • PipPipPipPip
  • 851 posts
  • Gender:Male

Posted 23 June 2009 - 07:05 AM

And BTW the answer is correct in whatever the heck you are using, their is an explicit deny all in ACL 104. No permit statement for http traffic.
  • 0

#15 TheDarkLord

TheDarkLord

    Cisco and Unix Expert

  • Veterans
  • PipPipPipPip
  • 851 posts
  • Gender:Male

Posted 23 June 2009 - 08:07 AM

Sorry just glazed the question, actually HTTP needs to be permitted for it to create an return port.
  • 0

#16 Kostas

Kostas

    Newbie

  • Members
  • Pip
  • 13 posts

Posted 14 July 2009 - 04:26 AM

QUOTE (100%digital @ Apr 8 2009, 06:14 PM) <{POST_SNAPBACK}>
I have been studing for the SNRS exam for the last month, the only concepts that I find cumbersome are DMVPM... Would anybody like to comment regarding DMVPN on the SNRS???

best,

J


DMVPN was way easier for me than EZVPN and GETVPN. I found that you really need to do extensive research though..the quick reference guide and CBT Nuggets dont cover everything the exam needs! I even had to refresh my BCMSN skills for this exam!!! Lucky I am CCNP... others do CCSP and are not CCNP and they will have to study even more!
  • 0

#17 Sunfish

Sunfish

    Ciscoholic

  • Veterans
  • PipPipPipPipPip
  • 1841 posts
  • Gender:Male
  • Location:somewhere at Cisco universe

Posted 10 February 2010 - 09:17 PM

Hi guys,

Did anyone recently passed CCSP; as for this year CCNP changes, did you hear anything about this one? Any changes?

Well, I do not see any need for a major revision of the CCSP exams. Cisco has continously updated those exams during the past 2 years (SND -> CCNA S, SNRS 502 -> 503 -> 504, SNPA -> SNAF/SNAA) unlike the CCNP track which remained unchanged for more than 3 years.

So the CCSP exams are pretty much up-to-date, with only one exception. I really hope that the IPS exam will be updated soon to cover the new hardware and software releases.
  • 0

#18 heavyaris

heavyaris

    Newbie

  • Members
  • Pip
  • 34 posts
  • Gender:Male
  • Location:greece

Posted 06 May 2010 - 02:16 AM

guys i am an ccna security certified, and i want to to earn my ccsp, but i cant spend any money in real equipment, (because i am unemployed), but i have a powerful PC (i7 930, 6g ram 3ple channel, 2 fast hd's in raid 0) and i think i can make some labs with gns3 + vmware running at the same time.
is it possible ?? also what exams do you suggest me ? (so i can "buy" the necessary books :P)
thank you.
  • 0

#19 laf_c

laf_c

    Firewalls&Routing specialist

  • Members
  • PipPipPipPipPip
  • 1787 posts
  • Gender:Male
  • Location:Romania
  • Interests:Networking, tenis and chess

Posted 12 May 2010 - 04:31 PM

guys i am an ccna security certified, and i want to to earn my ccsp, but i cant spend any money in real equipment, (because i am unemployed), but i have a powerful PC (i7 930, 6g ram 3ple channel, 2 fast hd's in raid 0) and i think i can make some labs with gns3 + vmware running at the same time.
is it possible ?? also what exams do you suggest me ? (so i can "buy" the necessary books :P)
thank you.


I believe it's possible. Just pay a visit to the Virtualization section on this forum, so you can simulate ASA on your PC ;). About "books" can't recommend you, as I didn't choose this path, at least until now :D.
  • 0

#20 Darby Weaver

Darby Weaver

    World's Largest Home Data Center

  • Global Moderators
  • PipPipPipPipPip
  • 8291 posts
  • Gender:Male
  • Location:USA
  • Interests:Taking on new CCNA/CCNP/CCIE/CCDA/CCDP/CCDE study group members. Interested?

Posted 22 July 2016 - 03:00 PM

SK - We need to take back the forum.

 

Darby Weaver

 

http://www.darbys.logs.blogspot.com


  • 0





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users