
Network World

Wendell Odom

CCNA Security Part 2: Perspectives on the Exam Content

What's easier, and what's tougher, than good old CCNA

By wendell on Thu, 10/08/09 - 3:40pm.

Today's post lists opinions, results, impressions, and so on from my review of the content of the CCNA Security exam - or, more literally, the IINS exam. To set the stage, I'm using the Cisco Press CCNA Security Exam Cert Guide to predict the content of the IINS exam. I've looked over the entire book, created a summary doc of what's in the book, and this AM, I sat back over a cup of coffee to ponder not only what's there, but how it differs from the prerequisite CCNA cert. I've also formed a few opinions about what it would take for a newly-minted CCNA to prep for this exam.

The first big impression is that the size of the effort to learn the configuration topics seems less than for the CCNA (640-802) exam. If you look at the summary doc, and look to the end at the table of configuration topics, you'll see some that require CLI, some that require SDM, and some that require both. Some of the line items in the table expand out to 20+ CLI config commands - e.g., the section about router login security expands to 20+ config commands, but most of them are straightforward. The most complicated CLI config in the book is probably the IPSec configuration, which just by itself is probably more detailed/complicated than any one topic in the CCNA exam. However, my view is that the sheer volume of CLI config on the IINS exam is less than on base CCNA.

The next big difference is that CCNA Security includes config using the Cisco Security Device Manager (SDM) tool. This tool runs on a PC, creating a GUI, which in turn communicates with the router/switch. You follow the bouncing config wizards, and SDM then creates the CLI commands and blows them into the router or switch. The book includes several topics that are configured only with SDM, and not CLI, with some shown with both CLI and SDM. In my opinion, learning the SDM config is easier than learning the CLI config, just because the GUI intuitively links to the underlying concept, whereas the CLI commands can be less intuitive.

For example, take the SNMPv3 topic. The book explains SNMP, as well as the reasons why SNMPv3 is more secure than earlier versions. Then, it also includes SDM-only config, with the 5 or so GUI screen shots in the book showing the basic settings, all of which link specifically back to the concepts already discussed. In my opinion, if you know the concepts, but had never seen the SDM screens before the test, you could interpret the screen image and figure out the answer to a test question (assuming the exam uses SDM screen images).

The big bear on this exam though, in my opinion, is the security theory. I was surprised by the number of topics, and the detail. If you look at the summary document for the tables at the end, you can see two tables - the first lists all the topics that focus on concepts. I also took the time to add up all the pages in the "Foundation Topics" section of the chapters, ignoring the pages with exam prep material (e.g., pre-chapter assessment, practice suggestions, etc.). There were 440 or so such pages, with roughly half devoted to concept/theory that was not then tied to a particular CLI command or SDM config action. It seemed like a large amount of new theory to me.

For my final general observation, I was surprised that there was little content focused on troubleshooting. The exam topics list the word "troubleshooting" once, and only in the intro to the exam topics - not in any specific topic. (The CCNA exam topics list 13 specific exam topics with "troubleshoot", and CCNA Security came out after the current CCNA exam.) I looked for configuration and verification coverage in the book, watching for things that looked like they were prepping the reader to be ready to t'shoot, and found only two topics - AAA and SSH - that might fall into that category. I would have expected to see maybe a little more depth on t'shooting, and maybe a little less on theory that, while interesting, discusses things that an engineer does not need to know in order to config/verify/t'shoot.

Next, let me draw a few conclusions. I'm basing these conclusions on what I've read in the book, and NOT based on what I've seen on the IINS exam - I've not even taken the exam at this point. (I must admit, I may just take it now, just to see, after doing this analysis.) But here's my impression just on what I see:

While it's best to practice on real gear, an emulator, or a simulator for the hands-on skills, this may be a test that you could pass without doing any hands-on. Harder, certainly, and it is better to prep with some hands-on practice, but it is possible. Of course, one goal is to pass, another is to build the skills - and practicing is a must to build the skills.

A solid lab for hands-on practice, with real gear, does not require a lot. Best I can tell, you could get away with having a pair of routers, one switch, and preferably one PC on which to run Cisco Secure ACS server software, or maybe some alternative. You could live without a few pieces and still do most of what's there. For example, some of the router config relies on an external TACACS+/RADIUS server. If you can get a copy of Cisco Secure ACS, great, but if not, if you get a freeware/trial version of another TACACS+/RADIUS server, that may be good enough for practice. (I've seen links when googling to get free trial TACACS+ and/or RADIUS software - I've not tried it yet. Any of you found such a link yet?) The IOS would need to support all the features, including IPS, and you'd need SDM. But you wouldn't need more hardware than you would have for base CCNA, and hopefully, what you already have will fit the bill. (OK, you might want a little more hardware, to have something to generate traffic for testing.) Next post, I'll take a look at some lab requirements for CCNA Security.

The theory may require two reads through all such material, and maybe a second source. Even if the Cisco Press Security ECG book is excellent at describing the theory, reading other descriptions can help as well. If you have no one to help you, and you don't happen to get it from one book's explanation, another's may help.

So, let me know what you think. What else should be a challenge for this exam? What should be relatively easy? Any surprises? Thanks...

How similar to the ISCW?


I'm currently working on my CCNP and have already passed the ISCW. I can't help but notice that this test looks exactly like the ISCW. How similar are the two tests?

50-70% overlap?


AS,
I did two quick looks to compare to get a number. I looked at ISCW exam topics, and then at the outlines/page count of the ISCW Exam Cert Guide compared to the CCNA Security ECG. Per the ECG page counts, looks like 50% overlap. From the exam topic comparison, counting individual topics, looks like 70% overlap. However, I think the book comparison is probably closer to the truth. But 50% overlap is considerable. So, maybe CCNA security is a way to get wide, and make progress for... CCNP? Seems odd to me too...
Wendell

It makes more sense if you


It makes more sense if you believe the rumor that ISCW and ONT are about to be retired and CCNP is going to become a straight routing and switching exam. (http://content.ll-0.com/cisco_netacademy/CCNP-FAQ-23Sep09.pdf)

Interesting...


Hi Kale,
An interesting doc. I agree, if you believe the rumor, it would certainly erase the overlap between CCNA Security/IINS and the ISCW exam. I don't see the equivalent at Cisco.com.

I haven't seen any official


I haven't seen any official announcements from Cisco either. That document looks official enough that I believe changes are coming soon, though I wouldn't rule out that the information is an early draft and may not be completely accurate. Assuming that the document is legit and the dates are accurate, we should be hearing something from Cisco before the end of the year; they generally give six months or so advance notice before the cut-off dates.

Also interesting...


While it's ultimately trivial, also interesting to me are the new exam names. I have a circa 2002 CCNP book set, from back when the exams were known simply as Routing, Switching, Support, and Remote Access. Not far from the rumored new titles of Route, Switch, and Troubleshoot.

It's nice to see a return to more straightforward titles.

CCNA Sec vs. ISCW.


It has been mentioned before how the two exams overlap; people studying CCNA Sec often look at the other as well as the CCSP 642-504 SNRS. (I read the SNRS for the ISCW exam.)

One of the guys at my work passed two of his CCSP exams and then Cisco brought in the CCNA Sec, which he is studying for now. He says the amount of information in the exam is worthy of a CC*P exam.

Overlap with CCSP


Hi Big Evil,
Yep, I'd expect some overlap with CCSP - certainly with the SNRS exam in this case. Thanks for the tidbits about the material on the IINS study books appearing more CCxP-like - it certainly seemed detailed/complicated to me.
W

TACACS+/RADIUS


Wendell,

If you're not afraid of Unix (and anyone reading this blog shouldn't be), then you can run TACACS+ and/or RADIUS on Linux/BSD/Solaris. Any of the more common distributions can be quickly and easily set up in a VM, and there are plenty of docs online that will have you running these and any other services you need.

Thanks for the heads up


Thanks, Alan! I am not afraid, I am not afraid, I am not afraid...
Wendell

About Cisco Cert Zone

Odom, CCIE No. 1624, splits time between writing books for Cisco Press and teaching classes for Skyline ATS. In his 25-ish years in the networking industry, he has worked as a pre-sale and post-sale SE for a few networking vendors, as well as a network engineer implementing network technology. Wendell has spent the majority of the last 15 years teaching, consulting, and writing about networking technologies, most of which in some way relate to Cisco products. His books include titles on QoS and CCIE R/S, as well as several titles related to CCNA certification, including the September 2007 book CCNA Official Exam Certification Library (CCNA Exam 640-802) (Read a sneak peek of chapter 7). Click for the list of current titles by Wendell.