  1. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #1

    CCNP Security expenses

    I am wondering why the CCNP Security path is so expensive? I mean the cheapest one is regular CCNP. Everyone has to start with CCNA, progress to CCNP by taking 3 exams. Ok. However, for CCNP Security you would have to get CCNA, CCNA Security and then pass 4 (!) exams to get your CCNP Security. Much more expensive. And for example if you take CCDA and CCNA, then pass 3 exams for CCNP and one exam for CCDP (ARCH), then you get two certificates: CCNP and CCDP. Total cost is more than CCNP Security (not by much), but if you divide the cost per certificate it is actually way cheaper. So, why is the Security path so expensive? I am also wondering whether the Cisco firewall is actually used so much around the world? Is it actually beneficial to study it? So far I have seen Checkpoint firewalls being used, but not Cisco.

  3. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #2
    I think I read somewhere that Cisco ASAs are like 30% of the market. They aren't "next generation" but they do have their following.

    CCSP was 4 tests so I guess they decided to keep that structure. They should have dropped the IPS exam and made it three tests.

  4. Member
    Join Date
    Apr 2011
    Posts
    78

    Certifications
    CCNA, CCNA:S/CNSS4011, BCNE, Cisco ASA Specialist
    #3
    There are a lot of firewall flavors out there and it depends on the company's preference and requirements I guess. Where I'm at, that's all we use is ASAs, with exception to some PaloAltos.

    I'd say it's definitely worth it to study the firewall portion of the CCNP:S, who knows maybe your company will start getting some Cisco firewalls especially with SecureX coming around, or maybe another job will have Cisco.

    And yea I definitely agree, CCNP:S is so expensive with the exams alone. And if you buy equipment to practice with...LOL nice lottery you'd have to win to buy it all...but then again it will probably all be useful when/if you study for your CCIE:Sec.

  5. Senior Member alan2308's Avatar
    Join Date
    Apr 2010
    Location
    Ann Arbor, MI
    Posts
    1,807

    Certifications
    CCNA, CCNA Sec, MCSA 2008, MCSA 2012, CISSP
    #4
    Quote Originally Posted by l!ght View Post
    And for example if you take CCDA and CCNA, then pass 3 exams for CCNP and one exam for CCDP (ARCH), then you get two certificates: CCNP and CCDP. Total cost is more than CCNP Security (not by much), but if you divide the cost per certificate it is actually way cheaper. So, why is the Security path so expensive?
    The thing there is that there is overlap between R&S and Design whereas that isn't true for other tracks. Security is its own beast, as is Voice and Wireless. It's not an apples to apples comparison.

  6. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #5
    Yeah, you are totally right about the cost of hardware for labs. But it is interesting that firewalls are, I think, one subject that is not good to just study by concentrating on one company. I mean in Europe there are plenty of others. Astaro, etc. And they use BSD as a base. So, yeah, it's software, not hardware like Cisco, but many smaller companies might go for that due to cheaper price. You can basically run pfSense or others on a not so fast computer and it will be enough for the company. It even offers everything that a company will need: QoS, IPSec, Load Balancing, etc. In my case I am deciding between going for OSCP or continuing on the CCNA Security path.

  7. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #6
    alan2308, of course it's not apples to apples. But I bet a person with CCDP and CCNP is not less worthy for the company than CCNP Se. Salary wise and otherwise.

  8. coffee all day everyday. nicklauscombs's Avatar
    Join Date
    May 2008
    Location
    virginia
    Posts
    881

    Certifications
    CCNP, CCNA: Security, JNCIA-FWV, JNCIA-SSL, MCP, A+, Network+, Security+, CNSS 4011
    #7
    i'm balancing out lab cost (i'm lookin' at you specifically IPS exam) by just buying rack time with vendors.

  9. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #8
    Quote Originally Posted by alan2308 View Post
    The thing there is that there is overlap between R&S and Design whereas that isn't true for other tracks. Security is its own beast, as is Voice and Wireless. It's not an apples to apples comparison.

    You don't think R/S, Design and Security intersect? They most certainly do. You should design with security in mind and you need to understand r/s to build a network. All of the tracks truly build off a common knowledge base (which is R/S whether you have the certification or not). Networks are complex and require all sorts of knowledge from many areas to support and secure. Consider a firewall engineer who is trying to support a problem but doesn't understand basic or even mid level Routing and switching or understand the design of the network. It could be a huge problem.


    Quote Originally Posted by l!ght View Post
    Yeah, you are totally right about the cost of hardware for labs. But it is interesting that firewalls are, I think, one subject that is not good to just study by concentrating on one company. I mean in Europe there are plenty of others. Astaro, etc. You can basically run pfSense or others on a not so fast computer and it will be enough for the company. It even offers everything that a company will need: QoS, IPSec, Load Balancing, etc. In my case I am deciding between going for OSCP or continuing on the CCNA Security path.
    pfSense for the win. I think people (and by people, I mean business owners) don't leverage open source solutions since people usually equate open source to unreliable. I like pfSense and actually replaced a Cisco router with a pfSense firewall and it worked great.
    Last edited by Bl8ckr0uter; 12-16-2011 at 02:30 AM.

  10. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #9
    Yeah, I know. When, oh when, will this old generation leave their positions at companies? pfSense is pretty cool. It's a solid product. And actually I can argue that open source gets fixes and vulnerabilities found faster than proprietary. After all one company cannot "really" compete with the world of developers that look at and test open source code. I run pfSense at home interconnected to all kinds of stuff. It works great. I would suggest it to any of my friends or "customers". And I totally agree with you about CCNP/CCDP/CCNP Security all being interdependent.
    Last edited by l!ght; 12-16-2011 at 04:59 AM.

  11. Surprised Badger TesseracT's Avatar
    Join Date
    Jul 2010
    Posts
    166

    Certifications
    BSc, CCNP, MCSA, MCTS Exchange. CCIE Written
    #10
    meh, I use ASAs more than routers at the moment. I'm a CCNP and have no desire to get the CCNP Security.

    My reasoning is that I've never seen the CCNP Security as a prerequisite for a job. CCNP + ASA experience yes but I don't recall ever seeing a security job I'd be turned down at because I have the CCNP but not the CCNP security. I also can't be bothered sitting a Cisco IPS exam. The time it takes + the expense is just not worth it IMO. Sourcefire and Tippingpoint have been running rings around them for years in this area. The only reason for implementing it would be as a cost-saving solution.

  12. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #11
    Well, I am more concerned with the security field. And you voiced my reservations about CCNP Security. Indeed, where are the jobs with CCNP Se as a requirement? Security positions are requiring stuff like CISSP and other smaller certificates. I am getting more and more convinced to go the OSCP and maybe CCNP route. Also, one more thing that is bothering me is CCNA Se covering SDM. What is the point of testing this outdated technology? Wasn't it superseded by other stuff already?

  13. lrb
    Senior Member
    Join Date
    Aug 2010
    Location
    Australia
    Posts
    522

    Certifications
    CCIEx2 #45527 (RS,SP)
    #12
    The SDM got replaced with the CCP - The CCNA Security covers SDM (and its coverage isn't exactly massive from memory) but the CCNP Security doesn't. There are a few jobs in AU with the CCSP/CCNP Security as 'nice to have' listed but most senior jobs will still have the CCNP as a 'must have'. Personally I think the CCNP and CCNP Security is a good combo from a knowledge point of view: intermediate routing and switching knowledge mixed with knowledge of ASAs, basic security threats, and how to configure their IPS product line. However someone who does security as their sole job (i.e. consultancy, engineering, design, etc) has to know a hell of a lot more than what is covered in the CCNP Security material to be a well rounded 'security person'.

    And yes the IPS appliances are a pain in the arse if you have no exposure to them and just have to do the test to get the CCNP Security qualification, but the appliances themselves are actually quite good and I doubt anyone who has used them on a day-to-day basis would say otherwise. Plus for the VPN/FIREWALL/IPS exams I'd rather just use rack rental anyway.

    Lastly, I've found the Juniper SRX series to be the best appliance for a firewall solution: cheap, great performance, great port density, security policies in Junos are an absolute godsend, and can actually terminate GRE tunnels (and in different VRFs too!). Plus it's just BSD under the hood anyway so you can pretty much do whatever you like with the devices!
    Last edited by lrb; 12-16-2011 at 06:33 AM.

  14. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #13
    Quote Originally Posted by lrb View Post

    Junos are an absolute godsend, and can actually terminate GRE tunnels

    What do you mean by this? ASAs can run GRE tunnels.

    There were rumors of a CCNA:S update to cover CCP but I don't know if they are true.

    There are jobs that want CCNP:S (in fact most of the jobs I have seen looking for CCSP/CCNP:S don't include CCNP, at least in my general area). I've heard mixed reviews about the Cisco IPS and after sitting in a demo, I am NOT impressed. It seems like a lot of companies are killing Cisco in security (in terms of features and the like). I think a course like OSCP would do any security pro a lot of good (especially a networking security pro) since often times we do things for the sake of security without understanding what we are really protecting from. There is something concrete about practical application. I remember my first DDoS attack. Fun times.....
    Last edited by Bl8ckr0uter; 12-16-2011 at 07:04 AM.

  15. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #14
    Oh wow. I didn't know Junos is BSD based. Do you think that Juniper certs weigh a lot, or is Cisco still the king? I have seen some positions requiring Juniper certs.

  16. coffee all day everyday. nicklauscombs's Avatar
    Join Date
    May 2008
    Location
    virginia
    Posts
    881

    Certifications
    CCNP, CCNA: Security, JNCIA-FWV, JNCIA-SSL, MCP, A+, Network+, Security+, CNSS 4011
    #15
    Quote Originally Posted by l!ght View Post
    Oh wow. I didn't know Junos is BSD based. Do you think that Juniper certs weigh a lot, or is Cisco still the king? I have seen some positions requiring Juniper certs.
    they're gaining traction and i would at minimum work through the jncia-junos exam to have some fundamental knowledge if you don't deal with them hands on at work. all study material is provided free of charge on the juniper website and the exam is only $50 so why not....
    Last edited by nicklauscombs; 12-16-2011 at 07:15 AM. Reason: added quote

  17. Random Member docrice's Avatar
    Join Date
    Apr 2010
    Location
    Bay Area, CA
    Posts
    1,687

    Certifications
    GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    #16
    The CCNP:Security track covers the general base of Cisco's security offerings. The firewall component, the VPN functionality which folded into the firewall platform after the PIX era, the general security technologies implemented in switching and routing, and the IPS. I would probably consider sitting the exam for the first three, but I could care less about their IPS unless I'm at a company that uses them.

    I haven't touched Cisco's IPS personally, but I've never heard anything great about them. In my opinion, Cisco is a routing and switching technology company first, a security company second. MARS is pretty much deprecated, the ASAs are becoming stale as more functional firewalls like Palo Alto Networks gain more traction, and Juniper has a loyal following. ASAs are a very common firewall platform, but I don't consider them leading edge right now. That said, for simple common scenarios they work just fine.

    As a network security engineer for an organization that has intrinsic high availability requirements, I'll be the first to say I would never consider using open source solutions for inline production traffic unless I have official vendor support (and for some reason all commercial offerings really sucked). For example, I would never use Snort inline as an IPS for a production network, but would definitely consider Sourcefire. Essentially the same technology, but if something goes wrong I can call someone in the middle of the night on a Sev1 ticket and there would be a fix commitment or an officially-provided workaround while providing a (perhaps legal) sense of assurance to management that our liabilities can be transferred somewhere in the event of major problems.

    While pfSense can provide commercial support, I have to wonder how good their resources are for large demanding enterprise customers. I say this as a part-time OpenBSD user and someone who has implemented active-standby pf in the past for a startup. While good open source products can function very well, they don't provide the ASICs performance that a hardware vendor can provide. In some cases the technology can be superior, but corporations want that assurance which can be demonstrated by name. And unfortunately, the whole "No one gets fired for buying Cisco" mentality still rings true, probably for a few good reasons.

    I hadn't heard of Cisco's SecureX until now, but was aware of their identity-plug-in (much like Palo Alto's User-ID). Interesting.

    My comment on the OSCP - having an understanding of web application pentesting is good, but for a day-to-day firewall management context it currently isn't that relevant unless you're a jack-of-all-trades infosec guy where you deal with WAF, application data management, etc. I would think most firewall guys sit under the "network infrastructure" part of the org chart which is part of the larger routing / switching competency, and that's a serious mouthful to take in by itself. In the grand scheme of things at the moment, I consider them different skill sets from general vendor-specific firewall management.

  18. lrb
    Senior Member
    Join Date
    Aug 2010
    Location
    Australia
    Posts
    522

    Certifications
    CCIEx2 #45527 (RS,SP)
    #17
    Quote Originally Posted by Bl8ckr0uter View Post
    What do you mean by this? ASAs can run GRE tunnels.
    What I mean is that you can't have the GRE interface (i.e. interface TunnelXX) actually on the ASA - last time I checked you could only pass GRE packets through the firewall and reference them in firewall rules but the GRE tunnel can not actually terminate on the ASA itself. Happy to be informed differently though!

  19. lrb
    Senior Member
    Join Date
    Aug 2010
    Location
    Australia
    Posts
    522

    Certifications
    CCIEx2 #45527 (RS,SP)
    #18
    Quote Originally Posted by l!ght View Post
    Oh wow. I didn't know Junos is BSD based. Do you think that Juniper certs weigh a lot, or is Cisco still the king? I have seen some positions requiring Juniper certs.
    The Juniper certification program has nowhere near the same following as Cisco but Juniper seems to be making a MASSIVE effort to get people certified with some great incentives. For example, you take the pre-assessment test and get 50% off the corresponding exam, and they give you the resources to study for the exam for free with their fast track program (albeit these docs don't cover as much as their official courseware).

  20. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #19
    I took a look at the CCNP Security track one more time. Actually, Cisco has specialist certs. So, by taking Secure and then Firewall you are not CCNP yet, but already a Firewall Specialist. Taking VPN after that will give you VPN Specialist AND ASA Specialist. So, that means 3 exams give you 3 certs. However, after that one would take IPS and become CCNP Se, and then there is no more use for those specialist certs. Maybe just to impress HR people. And again, as I calculated all the fees before, the same amount one will spend reaching CCNP Se will get them CCDP and CCNP. The same amount. However, that means each one is half the price of the CCNP Security. It's more efficient to go that route. You get certs at Professional level in two different paths. Kind of sweet.
    About OSCP. Well, I guess I am kind of a generalist as opposed to a specialist. I like to grab as much knowledge as possible and it seems that I just like too many things <grin>. However, yes, right now maybe firewall maintainers do not need pentesting skills. But who knows what the future will bring? Hacking tools and tricks evolve, networks become more and more complex, maybe in the future just knowing one thing or another will not be enough.

  21. Senior Member alan2308's Avatar
    Join Date
    Apr 2010
    Location
    Ann Arbor, MI
    Posts
    1,807

    Certifications
    CCNA, CCNA Sec, MCSA 2008, MCSA 2012, CISSP
    #20
    Quote Originally Posted by Bl8ckr0uter View Post
    You don't think R/S, Design and Security intersect?
    What I mean is that R&S intersects a lot more with design than it does with security, not that there isn't any. R&S and Design certainly think about doing things in a secure manner, but not at the level of depth that the security guys look at things with. And Cisco's certs reflect that logic, though I can't say I completely agree with the complete lack of r&s in the CCNP Sec.

    To put it another way, when one is designing a network or moving in some new switches, they know you should use SSH instead of Telnet to access the device. They also know version 2 is better than version 1 because version 1 is flawed. But they don't really care to know what's in all 650 pages of SSH: The Definitive Guide. Guys like us do care.
    Last edited by alan2308; 12-16-2011 at 11:14 PM.

  22. Senior Member btowntech's Avatar
    Join Date
    Mar 2007
    Location
    Alpharetta, GA
    Posts
    198

    Certifications
    CCNP, CCDP, CCNA Security, CCNA Voice, Security+, Network+
    #21
    Quote Originally Posted by l!ght View Post
    Everyone has to start with CCNA, progress to CCNP by taking 3 exams. Ok. However, for CCNP Security you would have to get CCNA, CCNA Security and then pass 4 (!) exams to get your CCNP Security.
    I remember when you had to pass 4 exams to get your CCNP (BSCI, BCMSN, ONT, ISCW). Quit looking at it from the point of what is the best bang for the buck, but which one will help you the most at this point in your career. Also, look at the objectives for the exams and figure out which certification is most beneficial. If you focus on becoming a great network engineer everything else will fall into place down the road.

  23. Random Member docrice's Avatar
    Join Date
    Apr 2010
    Location
    Bay Area, CA
    Posts
    1,687

    Certifications
    GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    #22
    One extra 642-level exam is what ... $200? That's small change in the grand scheme of things. If you really enjoy working on Cisco security products and want to achieve the certification in the area, one additional exam shouldn't feel like such a burden. One can argue that certifications are a scam and the vendors are trying to sell you shallow "investments" (I feel this may at least be partially true), but it is what it is. At the end of the day, achieving the CCNP: Security only might get additional consideration from some companies looking at your resume. What you can demonstrate for real-world results and the benefit to an organization's bottom as a professional is what really counts.

  24. Member
    Join Date
    Jul 2011
    Location
    RAM
    Posts
    48

    Certifications
    Network+, CCNA, Security+
    #23
    Well, I see it this way. For progression to or at any job most employers will look first for CCNP not CCNP Se. I think when companies are looking for security people they probably require GSEC, not security certs from Cisco. Also, it is faster to get CCNP, it will give more weight to the resume, and at the same time you are working towards it you can get CCDP for the same amount of effort. I am sold. CCNP Se seems like "maybe" a next step after that. It takes less hardware to study for CCNP too. Right now I need to sponsor myself, so I would prefer not to buy old Firewalls and IPs.

  25. Random Member docrice's Avatar
    Join Date
    Apr 2010
    Location
    Bay Area, CA
    Posts
    1,687

    Certifications
    GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA
    #24
    In my experience (not that I've been in the game for decades or anything), security folks tend to value strong fundamentals rather than only vendor-specific training. If I were to interview someone for a firewall administration position, I wouldn't ask about all the commands on an ASA (well, maybe if that's what their experience was based on). I'd be more interested if they understand how TCP works, or how fragmentation reassembly could be used to bypass ACLs, or how to interpret a network trace. Maybe someone knowledgeable can comment on this, but I get the sense that Cisco security training doesn't actually teach you anything other than configuring Cisco security products.

    So in that sense the traditional CCNP route would be a good path if you're really interested in all the routing and switching because I'm under the impression that much of the core material is very much applicable across all vendors. From a security perspective, having vendor-neutral skills is valuable.

  26. Senior Member
    Join Date
    Sep 2006
    Location
    San Francisco Bay Area
    Posts
    2,043

    Certifications
    None?
    #25
    Well, I am guessing if you're in the USA and at the CCNP:Sec level they assume the cost of 1 or 2 extra exams isn't really a major factor. ($80k employees right?) and chances are at that level your employer makes some sort of investment in you also. At the very least to maintain their partnership statuses.