Sign in to follow this  
Followers 0
TheDarkLord

CCSP My Thoughts

20 posts in this topic

Ok so i have been debating with myself and my other half (my wife of ten years) on whether i should go for CCIE R&S or should choose the security track. I have my CCNP and i could easily go for CCIE Security, but i decided otherwise. So here i am.

 

I have decided to take this from a noobs perspective (no offense). i am gonna go through each exam and the main technology that i would need to get prepared for it. I have spent the last weeks trying to gather as much information as possible.

 

Pre-requisites:

 

If you have a CCNA and you have passed the SND exam you are got to go. If not you will need to clear the CCNA Security to satisfy the prerequisites.

 

Exams:

 

In addition to the pre-requisites you have to pass three required exams and choose one more from the elective exams. Any exam from the electives will satisfy the Certification requirements.

 

So lets see what you would need to pass these exams. I will also include the study materials that i will be using for each exam.

 

 

1) 642-504 SNRS Securing Networks with Cisco Routers and Switches (SNRS)

 

As the name suggests, securing networks with routers and switches. Expect to use a lot of CLI for this exam. You will be required to configure VPNs, IOS-IPS, layer-2 security and CBAC.

 

I think this is one of the hardest one in all the CCSP exams. Lots and lots of CLI configurations that surely will give you nightmares.

 

 

2.) 642-524 SNAF Securing Networks with ASA Foundation (SNAF)

 

This is like SNRS but all GUI based. Yup the foundation and the concepts are the same. But instead of using the CLI to perform the security functions you will be required to use a security appliance. You will be using ASDM to do most of the configurations, don't get me wrong you will still be required to do CLI based configurations. You will be using ASDM to configure VPNs, AAA, L3/L4 protocol inspections and firewalls.

 

This just like SDM, you can either run ASDM on a pc or install it on the ASA device.

 

 

3) 642-533 IPS Implementing Cisco Intrusion Prevention System (IPS)

 

You will be required to deploy, configure, and administer Cisco IPS sensors to protect network devices as well as efficiently manage IPS alarms. This exam is all about IPS. So you have to dig deep and get into the core of Cisco IPS.

 

Once again you will be required to know how to configure IPS using CLI. There are other appliances also that you will need to use including Cisco IDM and IEV.

 

4) Elective Exams (Choose One)

 

a) 642-591 CANAC Implementing Cisco NAC Appliance (CANAC)

 

So what is NAC?

The NAC Appliance (Cisco Clean Access) is a "shrink-wrapped" network admission control solution that recognizes users, their devices and roles; evaluates the security posture of the endpoint and scans for vulnerabilities; and enforces policy in the network. In particular, prior to allowing users onto the network, the NAC Appliance (Cisco Clean Access) solution allows administrators to authenticate, authorize, interrogate and remediate users and their machines enforcing policy based access control on the network.

 

 

b.) 642-545 MARS Implementing Cisco Security Monitoring, Analysis and Response System (MARS)

 

One more security appliance to know off. Once again GUI based and a lot of configuration involved including installing and maintenance along with event and traffic inspections.

 

c) 642-515 SNAA Securing Networks with ASA Advanced (SNAA)

 

As the name suggests it is basically SNAF on steroids. You will be required to configure advance features on ASA, including configuring the ASA 5505 dual-ISP support, configuring ASA 5505 VLANs, configuring policy NAT, installing and configuring the Cisco Secure Desktop, configuring the security appliance to pass multicast traffic, configuring Layer 7 class maps and policy maps, and initializing the AIP-SSM and CSC-SSM.

 

Note: For a complete list of exam objective please visit the cisco's website.

 

 

Certification Notes: (things you will need)

 

i) If you are using GNS3, make sure you are using IOSs with version 12.4(6)T and newer.

ii) ASA and PIX Security Appliance 8.0 AKA ASA 5500 Rev 8.

iii) Adaptive Security Device Manager (ASDM) Version 5.0(2) or 6

 

Now don't get confused here Cisco ASA are devices, security devices. Using ASA you can configure NAT, VPNs and IPS. More information here : http://www.cisco.com/en/US/products/ps6120/index.html.

 

 

My preparations:

 

Lets be honest i can't in my dreams afford an ASA device to work on, i mean come on they range from $1500 to 10K. So i will be using virtualization to achieve my goals. I will be using GNS, Pemu and Qemu to emulate an ASA device.

 

Next i will need to get my hands on ASDM. I haven't downloaded it yet, because i couldn't find the version 6.0.

 

I am also going to need to find some IOSs that support IPS and other security features.

 

Lets take a minute here. If you look at at its not that difficult. Look you need to know everything about ASA devices, and in doing so you will need to understand all the theory behind the security features as well as the applications you will be using to perform these tasks.

 

I have decided to take the SNAF and SNAA first and then the SNRS and IPS. I am pairing them because they are related to each other.

 

So stay tuned i will open another thread for my first two exams and post as i progress.

0

Share this post


Link to post
Share on other sites
Ok so i have been debating with myself and my other half (my wife of ten years) on whether i should go for CCIE R&S or should choose the security track. I have my CCNP and i could easily go for CCIE Security, but i decided otherwise. So here i am.

 

I have decided to take this from a noobs perspective (no offense). i am gonna go through each exam and the main technology that i would need to get prepared for it. I have spent the last weeks trying to gather as much information as possible.

 

Pre-requisites:

 

If you have a CCNA and you have passed the SND exam you are got to go. If not you will need to clear the CCNA Security to satisfy the prerequisites.

 

Exams:

 

In addition to the pre-requisites you have to pass three required exams and choose one more from the elective exams. Any exam from the electives will satisfy the Certification requirements.

 

So lets see what you would need to pass these exams. I will also include the study materials that i will be using for each exam.

 

 

1) 642-504 SNRS Securing Networks with Cisco Routers and Switches (SNRS)

 

As the name suggests, securing networks with routers and switches. Expect to use a lot of CLI for this exam. You will be required to configure VPNs, IOS-IPS, layer-2 security and CBAC.

 

I think this is one of the hardest one in all the CCSP exams. Lots and lots of CLI configurations that surely will give you nightmares.

 

 

2.) 642-524 SNAF Securing Networks with ASA Foundation (SNAF)

 

This is like SNRS but all GUI based. Yup the foundation and the concepts are the same. But instead of using the CLI to perform the security functions you will be required to use a security appliance. You will be using ASDM to do most of the configurations, don't get me wrong you will still be required to do CLI based configurations. You will be using ASDM to configure VPNs, AAA, L3/L4 protocol inspections and firewalls.

 

This just like SDM, you can either run ASDM on a pc or install it on the ASA device.

 

 

3) 642-533 IPS Implementing Cisco Intrusion Prevention System (IPS)

 

You will be required to deploy, configure, and administer Cisco IPS sensors to protect network devices as well as efficiently manage IPS alarms. This exam is all about IPS. So you have to dig deep and get into the core of Cisco IPS.

 

Once again you will be required to know how to configure IPS using CLI. There are other appliances also that you will need to use including Cisco IDM and IEV.

 

4) Elective Exams (Choose One)

 

a) 642-591 CANAC Implementing Cisco NAC Appliance (CANAC)

 

So what is NAC?

The NAC Appliance (Cisco Clean Access) is a "shrink-wrapped" network admission control solution that recognizes users, their devices and roles; evaluates the security posture of the endpoint and scans for vulnerabilities; and enforces policy in the network. In particular, prior to allowing users onto the network, the NAC Appliance (Cisco Clean Access) solution allows administrators to authenticate, authorize, interrogate and remediate users and their machines enforcing policy based access control on the network.

 

 

b.) 642-545 MARS Implementing Cisco Security Monitoring, Analysis and Response System (MARS)

 

One more security appliance to know off. Once again GUI based and a lot of configuration involved including installing and maintenance along with event and traffic inspections.

 

c) 642-515 SNAA Securing Networks with ASA Advanced (SNAA)

 

As the name suggests it is basically SNAF on steroids. You will be required to configure advance features on ASA, including configuring the ASA 5505 dual-ISP support, configuring ASA 5505 VLANs, configuring policy NAT, installing and configuring the Cisco Secure Desktop, configuring the security appliance to pass multicast traffic, configuring Layer 7 class maps and policy maps, and initializing the AIP-SSM and CSC-SSM.

 

Note: For a complete list of exam objective please visit the cisco's website.

 

 

Certification Notes: (things you will need)

 

i) If you are using GNS3, make sure you are using IOSs with version 12.4(6)T and newer.

ii) ASA and PIX Security Appliance 8.0 AKA ASA 5500 Rev 8.

iii) Adaptive Security Device Manager (ASDM) Version 5.0(2) or 6

 

Now don't get confused here Cisco ASA are devices, security devices. Using ASA you can configure NAT, VPNs and IPS. More information here : http://www.cisco.com/en/US/products/ps6120/index.html.

 

 

My preparations:

 

Lets be honest i can't in my dreams afford an ASA device to work on, i mean come on they range from $1500 to 10K. So i will be using virtualization to achieve my goals. I will be using GNS, Pemu and Qemu to emulate an ASA device.

 

Next i will need to get my hands on ASDM. I haven't downloaded it yet, because i couldn't find the version 6.0.

 

I am also going to need to find some IOSs that support IPS and other security features.

 

Lets take a minute here. If you look at at its not that difficult. Look you need to know everything about ASA devices, and in doing so you will need to understand all the theory behind the security features as well as the applications you will be using to perform these tasks.

 

I have decided to take the SNAF and SNAA first and then the SNRS and IPS. I am pairing them because they are related to each other.

 

So stay tuned i will open another thread for my first two exams and post as i progress.

 

thanks for all the supporting pal, :D!

 

Hi pal, these days im studyng for getting soon SNRS exam, but i want to ask you what exactly study material i should have for getting pass this harder one, im studying from old books (642-503) and also i dont have yet a software that helps me out to configure and practice some CLI security commands, can you tell me a one to?

 

ill reallly appreciate all your help, thank in avance pal, and have a nice day!

0

Share this post


Link to post
Share on other sites
thanks for all the supporting pal, :D!

 

Hi pal, these days im studyng for getting soon SNRS exam, but i want to ask you what exactly study material i should have for getting pass this harder one, im studying from old books (642-503) and also i dont have yet a software that helps me out to configure and practice some CLI security commands, can you tell me a one to?

 

ill reallly appreciate all your help, thank in avance pal, and have a nice day!

 

 

i am also prepare for snrs and it is quite painfull full of ((((((CLI)))))) i hope i can study all of them (seems a dream) .

i study from cbt nuggets & cisco snrs student guide V.2 & lab guide V.2 & my lab (gns3 (2611xm router ios) , vmware with 2 machines (win server 2003 & win xp) , sdm ).

my questions :

1- does cisco snrs student guide V.2 & lab guide V.2 can carry the hole operation or i need more materials and if found what is it ?

2- whats the different between 503 & 504

:blink:

 

thank you

0

Share this post


Link to post
Share on other sites
i am also prepare for snrs and it is quite painfull full of ((((((CLI)))))) i hope i can study all of them (seems a dream) .

i study from cbt nuggets & cisco snrs student guide V.2 & lab guide V.2 & my lab (gns3 (2611xm router ios) , vmware with 2 machines (win server 2003 & win xp) , sdm ).

my questions :

1- does cisco snrs student guide V.2 & lab guide V.2 can carry the hole operation or i need more materials and if found what is it ?

2- whats the different between 503 & 504

:blink:

 

thank you

 

 

Hi,

 

the differences i have seen, is that there will be less AAA and a lot of GDOI (DMVPN). That are the major differences i think.

Theres a new quick reference sheet from cisco press. Maybe have a look at that one.

 

regards,

 

cisco_bobby

Edited by cisco_bobby
0

Share this post


Link to post
Share on other sites
Hi,

 

the differences i have seen, is that there will be less AAA and a lot of GDOI (DMVPN). That are the major differences i think.

Theres a new quick reference sheet from cisco press. Maybe have a look at that one.

 

regards,

 

cisco_bobby

 

hi pal,

 

could you address or link me where i can get the lastest reference sheet from cisco press?

 

thanks in advance!

 

have a nice day!

0

Share this post


Link to post
Share on other sites

Well, I am CCSP since last year.

 

@TheDarkLord

 

I think you are making right move after finishing CCNP. I personally lacking R&S skills because I went for CCNA and CCNA Security path to finish my CCSP last year. Now I feel doing CCNP.

 

"....I have decided to take the SNAF and SNAA first and then the SNRS and IPS. I am pairing them because they are related to each other." <----- I would say do SNRS then SNAF after these two go for SNAA then IPS because IPS will be easier after SNAA due to introduction of IPS module in ASA.

 

In term of SNRS study material I would recommend SNRS 503 study guides because they are more focused for CLI, ACS and will definitely give big advantage for CCIE Sec studies. Remember CCIE Lab is all about CLI exam except some IDM/IPS Manager Express of IPS. New SNRS is missing CLI and less ACS in it because they pushed some stuff in CCNA Sec. So for new SNRS 504 I would recommend reading SNRS 503 study Guides for CLI and CCNA Sec for GUI material. New SNRS have GET VPN and some SSL VPN.

 

 

@Sameh G. Abd-elmalak

 

See my response above for CLI and GUI. But try to practice and understand partial config of router to find the fault of miss configs. They might ask you such questions, so knowing syntax are important too.

 

Well, If you have all CCSP Study Guides then you are in better position to do each module. You can build up Lab to practice them. when I did my CCSP last year I didn't have these resources and I had to use old books to pass them. So If you have Lab Guides with Initial Config and Physical Topology/Connection details then I would request you to share with me. I would love to try all Lab Guides at home to refresh my memory.

 

 

i am also prepare for snrs and it is quite painfull full of ((((((CLI)))))) i hope i can study all of them (seems a dream) .

i study from cbt nuggets & cisco snrs student guide V.2 & lab guide V.2 & my lab (gns3 (2611xm router ios) , vmware with 2 machines (win server 2003 & win xp) , sdm ).

my questions :

1- does cisco snrs student guide V.2 & lab guide V.2 can carry the hole operation or i need more materials and if found what is it ?

2- whats the different between 503 & 504

:blink:

 

thank you

Edited by CertBuster
0

Share this post


Link to post
Share on other sites
hi pal,

 

could you address or link me where i can get the lastest reference sheet from cisco press?

 

thanks in advance!

 

have a nice day!

 

 

Hi,

 

you can get it as digital shortcut at ciscopress. Its new for the 504 exam.

 

regards,

 

cisco_bobby

0

Share this post


Link to post
Share on other sites

I have been studing for the SNRS exam for the last month, the only concepts that I find cumbersome are DMVPM... Would anybody like to comment regarding DMVPN on the SNRS???

 

best,

 

J

0

Share this post


Link to post
Share on other sites

I wonder why doesn't overquoting get punished?

 

It pains to read these sheets of quoted text and then a two line comment.

 

Think a bit before posting guys, thank you.

0

Share this post


Link to post
Share on other sites

Nice plan. I was thinking of doing the same thing, but decided to dive straight into the IE Security on the back of my RS. As for emulation od the ASA good luck, I spent many hours with little sucess in doing this. I would be intereted in reading how you managed to get it to work. In the end I bit the bullet and have decided to spend the 10,000GBP on building my own Security racks, ASA and IPS included.

0

Share this post


Link to post
Share on other sites
^^^^^ Did you even study?

 

your joking right? My work is paying for me to EARN a ccsp, i've two training classes via global knowledge, have a pretty decent test enviroment (couple of 2851xm's and a 3550, and studied pretty hard.

 

My question is simple. isn't that the nature of this forum, to answer/assist with questions?

 

If an CBAC rule is being used, then traffic is inspected in the "IN" direction, CBAC opens returns ports... as opposed to "fixup", or a reflexive ACL.

 

 

so is the ACL denying the return traffic or outbound traffic???

 

regards,

 

j

0

Share this post


Link to post
Share on other sites

And BTW the answer is correct in whatever the heck you are using, their is an explicit deny all in ACL 104. No permit statement for http traffic.

0

Share this post


Link to post
Share on other sites

Sorry just glazed the question, actually HTTP needs to be permitted for it to create an return port.

0

Share this post


Link to post
Share on other sites
I have been studing for the SNRS exam for the last month, the only concepts that I find cumbersome are DMVPM... Would anybody like to comment regarding DMVPN on the SNRS???

 

best,

 

J

 

DMVPN was way easier for me than EZVPN and GETVPN. I found that you really need to do extensive research though..the quick reference guide and CBT Nuggets dont cover everything the exam needs! I even had to refresh my BCMSN skills for this exam!!! Lucky I am CCNP... others do CCSP and are not CCNP and they will have to study even more!

0

Share this post


Link to post
Share on other sites

Hi guys,

 

Did anyone recently passed CCSP; as for this year CCNP changes, did you hear anything about this one? Any changes?

Well, I do not see any need for a major revision of the CCSP exams. Cisco has continously updated those exams during the past 2 years (SND -> CCNA S, SNRS 502 -> 503 -> 504, SNPA -> SNAF/SNAA) unlike the CCNP track which remained unchanged for more than 3 years.

 

So the CCSP exams are pretty much up-to-date, with only one exception. I really hope that the IPS exam will be updated soon to cover the new hardware and software releases.

0

Share this post


Link to post
Share on other sites

guys i am an ccna security certified, and i want to to earn my ccsp, but i cant spend any money in real equipment, (because i am unemployed), but i have a powerful PC (i7 930, 6g ram 3ple channel, 2 fast hd's in raid 0) and i think i can make some labs with gns3 + vmware running at the same time.

is it possible ?? also what exams do you suggest me ? (so i can "buy" the necessary books :P)

thank you.

0

Share this post


Link to post
Share on other sites

guys i am an ccna security certified, and i want to to earn my ccsp, but i cant spend any money in real equipment, (because i am unemployed), but i have a powerful PC (i7 930, 6g ram 3ple channel, 2 fast hd's in raid 0) and i think i can make some labs with gns3 + vmware running at the same time.

is it possible ?? also what exams do you suggest me ? (so i can "buy" the necessary books :P)

thank you.

 

I believe it's possible. Just pay a visit to the Virtualization section on this forum, so you can simulate ASA on your PC ;). About "books" can't recommend you, as I didn't choose this path, at least until now :D.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0