Firewalls, as a technology, have been around for over a decade. However, it wasn’t until the explosion of the Internet that the use of firewalls has become commonplace in corporate and small offices, and even in home environments. Cisco’s been in the firewall business for over a decade. Originally they purchased the PIX solution from Network Translations, which then evolved into the Adaptive Security Appliance (ASA). Cisco also supports firewall technology in their router line, starting with Reflexive ACLs, moving to Context-Based Access Control (CBAC), and most recently introducing Zone-Based Firewalls (ZBF). (I use an ASA 5505 for my home office and Eset on my laptop.) I’m continually amazed at the number of times curious people and hackers on the Internet have attempted to scan and probe my home office network.
I’ve worked with the PIXs since version 4 of the operating system and the router’s IOS since version 7 and have seen many security enhancements over the years. One thing I’ve noticed is that the number of enhancements has increased drastically over the last few years, especially with the proliferation and severity of worm, access, and DoS attacks. For example, from version 6 to version 7 of the PIX/ASA OS, the operating system more than doubled in size…the same is true moving from version 7 to version 8 (8.2 is the latest). Recent security enhancements include threat detection/prevention, botnet protection, SSL VPN tunnel mode client features, and many others.
Cisco has a Specialist and Professional certification that covers these technologies:
* ASA Specialist
* Cisco Certified Security Professional
To obtain either certification, you must first have your CCNA and CCNA Security. Once you’ve obtained these, you’ll need to pass the following for the ASA Specialist:
* Secure Networks with ASA Foundation (SNAF: 642-524)
* Secure Networks with ASA Advanced (SNAA: 642-515)
To obtain your CCSP, you only need to pass the SNRS and IPS exams. Because many, if not a majority, of medium- and enterprise-sized networks use PIXs and/or ASAs, having these certifications, as well as experience to back it up, is important in making you more valuable to your current or future employer. The focus of this blog will be to briefly introduce you to what you can expect for the SNAF exam.
Of all Cisco’s Professional-level exams, the SNAF is, hands-down, the most difficult exam. I teach ASA Specialist and CCSP bootcamps and all my students would heartily agree with me. The SNAF exam involves the following types of questions:
* Simlet
* Multiple choice (single and multiple answer)
Surprisingly, this exam contains no simulation questions (the older 642-523 exam had two of them!). If you’ve taken Cisco exams recently, then you should be familiar with simlet questions. A simlet question is a multi-part question that requires you to log into a Cisco device or devices and answer the multiple parts of the question. With the SNAF exam, you can expect two simlets, both of which require you to use ASDM (the GUI interface for the ASAs and PIXs) to examine the configuration of the security appliance and answer the multiple parts of the question. You can’t access all parts of ASDM, only the parts you need to answer the sub-questions. As an example, one part of the question might ask you what is true when Device A accesses Device B. Answering this question is not simple, since you’ll have to examine the Interface screen to build a network topology with addressing and security levels, then examine the translation policies, the ACLs, and the other policies that will affect the answer you should choose. Each sub-question might have 4 or 5 answers, so you’ll be going back and forth between the different ASDM screens to determine which of the answers is correct.
On top of this, many of the multiple choice questions are not a simple one-sentence question with a few words for each answer. The most detailed multiple choice question I saw on the exam had two paragraphs for the question and a paragraph for each possible answer…where a paragraph was about 4-6 lines on the screen.
The information on the exam is fair, in that the exam asks you about common things you would have to know in order to maintain a Cisco security appliance on a daily basis…or troubleshoot common problems. However, given the amount of information you have to examine throughout the exam, the single most common reason people fail the exam is that they run out of time. The exam has about 65 questions on it and you have 90 minutes to take the exam (remember that there are two simlet questions with about 5 or 6 sub-questions each), so you really only have a little over a minute for each question. As I commonly drill into my students, you must be very proficient in using ASDM and understanding how to read the information on the various ASDM screens…and not just for the simlet questions, since many of the multiple choice questions focus on the use of ASDM. We spend more than 4 hours in class on practice exercises on complex ASA configurations (much more difficult than what you’d find on the real exam), where the purpose of the exercises is to help the students understand how to read the information on the various ASDM screens and to do so in a timely fashion.
Unfortunately, no one currently sells a simulator for the ASA…so my recommendation is to either take the official Cisco classes or a bootcamp course that includes the SNAF exam (like the ASA Specialist and CCSP bootcamp courses), where you’ll get valuable hands-on experience during class. There are many certified Cisco training companies that offer this course (I just finished teaching the SNAF course for New Horizons in San Antonio in June). For bootcamp companies, the two I’ve seen most people use are Training Camp in the US and Firebrand in Europe (based in the UK). Instead of official training, you could purchase a book on the ASAs and complement it with hands-on training by purchasing an ASA 5505 and scouring the web for practice exercises. 5505s are not that expensive (less than $400 US for a new one). Without the appropriate type of hands-on experience, the 642-524 exam is almost impossible to pass. I just completed an ASA book for McGraw-Hill, Cisco ASA Configuration; this book is geared more towards setting up and maintaining ASAs and PIXs than it is towards passing the exam (it does cover all the topics the exam covers). Cisco Press, however, has a couple of titles that are exam-centric; i.e., they’re focused on the specific topics that the exam covers.
The one thing I find strange is that the SNAF exam is actually more difficult than the SNAA exam…you would expect it to be the reverse, since the SNAA exam covers more advanced topics. Good luck with your studies, and any comments are appreciated.
Cheers!
Richard A. Deal
Tags: Cisco ASA Specialist