Information Security Certification Guide
Information Security Certifications are part of the credentialing landscape for an information security professional, and in many ways, those just generally interested in the subject.
Setup32.com writers have put together the definitive list of the top 50 information security certificates and certification paths for those who are serious about getting their information security certification.
In fact, the sheer number of credentials can make navigating the security certification landscape a dizzying experience. Simply identifying the vast array of offerings can be time consuming and overwhelming — never mind determining which certification best fits your situation.
There are always going to be concerns about the money, the time, and the value of a security certificate. The question comes down to how much you want any hope of job security. There is job security in information security if you keep your skills up and adopt lifelong learning. That is a reality: even if you get canned from one company, having a string of letters after your name can help, as long as it is not too many. If you have a dozen, use only the three latest ones in your title; a dozen, while interesting, looks like all you ever did was go to school.
The very good part about the article is that they really do cover the whole certificate landscape in line with what people might want to do. Do you want a generalist or a specialized certificate? One thing they do not do is go into the comparable wage for each security certificate (you have to make sure there is a payoff for the certificate; if there is no bump in dollars for having it, then it is not worth getting, because everyone else has it and the market is diluted).
This is one of those career planning articles that would help folks looking to start out, or seasoned veterans looking for something new, to plan and plot out their information security careers. The key here is to keep on learning, keep on being challenged, and keep on building your marketability.
Check it out: Information Security Certification Guide
Almost ready: OCA Linux Certification
Oracle is almost ready to go live with the Oracle Enterprise Linux Certified Administrator (OCA) certification. This certification, a stepping stone to upper-level Linux certifications to come, requires passing two exams:
- 1Z0-402, the Enterprise Linux Fundamentals exam (which went live on March 22).
- 1Z0-403, the Enterprise Linux System Administration exam (which closed beta on March 31).
The Fundamentals exam — which you can skip if you’re already certified for LPI, Linux+, Ubuntu, Red Hat or Novell — consists of 87 questions that must be answered in 120 minutes (with 57 correct required to pass). The exam’s topics include messaging, printing, text editing and enterprise Linux fundamentals, among others.
The System Administration exam — for which appointments are now being taken for the production exam — consists of 113 questions that must be answered in 120 minutes (with 62 percent correct required to pass). Topics include Linux kernel compilation, client networking, enterprise Linux installation and more.
Both exams are administered through Prometric testing centers.
Troubleshooting HSRP
Q: I have two HSRP-enabled routers in Chicago and two HSRP-enabled routers in the neighboring suburb of Wood Dale connected by point-to-point T1 links. My problem is when the active line goes down, the standby does not automatically take over the role of active router. I have to manually change the priority on the standby routers in Chicago and Wood Dale for traffic to flow.
Here are my router configuration files in attachments…
Answer:
Well, without giving too much of your configuration information away to the rest of the world, I think that your problem lies in the idea that your physical interface (which you’re tracking) is still considered “up,” even though you may lose routing or functional connectivity along the way. Debugs may help look at the specific information there, but we can look at different ways of tracking between them to perhaps give more accurate listings. Your configuration, as far as managing the priority levels and looking at your use of “standby preempt,” looks very good.
Boiling that idea down, there aren’t too many reasons for HSRP to not work properly. So take a look at a route learned over that serial interface that you’re using. Any route (non-static) is fine, but what’s most important is one that you’ve seen disappear when you’re having problems and need to manually change priorities.
If you don’t know which route to use, you can always try to look at “debug IP routing” and see what changes when there’s a problem. Like most debugs, we try to be very careful when using them on live production equipment. Hopefully, though, your routing table shouldn’t be changing that much on a consistent or ongoing basis, so it should be OK.
As a side note, if you do see lots of changes in your routing table, your IGP may be the issue and not necessarily the link between sites. At least it’ll target your troubleshooting!
Back to tracking. Ever since 12.2T IOS, we’ve added the ability to track other things like IP routes, IP route metrics and interface line protocol functionality. In later releases, we’ve added things like SLA monitoring or latency issues. We went into some detail on this in a Q&A article a little while ago.
Once you pick a learned route — let’s say 10.10.10.0/24 — we can track on it for either of your routers performing HSRP. These will be global commands to set things up:
track 1 ip route 10.10.10.0/24 reachability
Then change how your HSRP configuration is set on your interfaces:
interface FastEthernet0/0
 no standby track Serial0/0
 standby track 1
If you’re using only static routes, you may consider looking at interface line protocol instead of the full interface (which requires down/down to trigger the failover). Just change our tracking object globally:
track 1 interface Serial0/0 line-protocol
Or
track 1 interface Serial0/0 ip routing
Try these and see if your HSRP starts behaving the way you want it to work. If you continue to have problems, look at the output from “debug standby events” and see if any information there is helpful to you.
Hope that helps :)
Scott
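To see why the choice of tracked object matters, here is an added toy model in Python of the election logic the answer describes. It is not part of the column and not Cisco code; the router names, priorities and the decrement of 20 are assumed values, and the link states are constructed. It shows that tracking the physical interface leaves the active router in place when the line is still up but the learned route has gone, while tracking the route lets a standby with “standby preempt” take over (and that without preempt the priority drop alone moves nothing).

```python
"""Toy model of HSRP active/standby election with object tracking.

Added example (not the column's configuration): two routers in one HSRP
group, each tracking either its own serial interface or a route learned
over it. Names, priorities and the decrement are assumed values."""
from dataclasses import dataclass


@dataclass
class LinkState:
    """What one router observes on its own WAN side (constructed input)."""
    interface_up: bool = True    # Serial0/0 line protocol
    route_present: bool = True   # 10.10.10.0/24 still in the routing table


@dataclass
class HsrpRouter:
    name: str
    priority: int
    preempt: bool
    track: str            # "interface" or "route": what the tracking object watches
    decrement: int = 10   # priority decrement while the tracked object is down

    def tracked_down(self, link: LinkState) -> bool:
        if self.track == "interface":
            return not link.interface_up
        return not link.route_present

    def effective_priority(self, link: LinkState) -> int:
        return self.priority - self.decrement if self.tracked_down(link) else self.priority


def elect(routers, links, current_active):
    """Return the active router after a tracking event.

    A priority change alone does not move the active role: a standby takes
    over only if it has preempt configured and its effective priority is
    now strictly higher than the active router's."""
    by_name = {r.name: r for r in routers}
    active = by_name[current_active]
    active_prio = active.effective_priority(links[active.name])
    best = max(routers, key=lambda r: r.effective_priority(links[r.name]))
    if best is not active and best.preempt and \
            best.effective_priority(links[best.name]) > active_prio:
        return best.name
    return active.name


def simulate(track, backup_preempt=True):
    """The column's symptom: the active router's T1 stays up/up, but the
    route learned over it disappears. Returns the active router afterwards."""
    primary = HsrpRouter("chicago-1", 110, True, track, decrement=20)
    backup = HsrpRouter("chicago-2", 100, backup_preempt, track, decrement=20)
    links = {
        "chicago-1": LinkState(interface_up=True, route_present=False),  # line up, routing lost
        "chicago-2": LinkState(),                                          # healthy
    }
    return elect([primary, backup], links, current_active="chicago-1")


if __name__ == "__main__":
    print("interface tracking:", simulate("interface"))      # chicago-1 stays active
    print("route tracking:    ", simulate("route"))          # chicago-2 takes over
    print("route, no preempt: ", simulate("route", False))   # chicago-1 stays active
```

The decrement is deliberately larger than the gap between the two priorities; with the IOS default decrement of 10 and priorities 110 and 100 the effective priorities would tie and, as in the real protocol, a tie does not displace the active router.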
Running EIGRP in PIX: What’s the Workaround?
Q: We have a network which connects to the ISP with an E-1 for Internet and, at the same time, connects to a satellite link (different ISP) which we use as a backup to the Internet. I want to install a PIX firewall (535) for this network and we are running EIGRP. Almost all reference materials show how to configure PIX to work with a default route in gateway router. Since PIX is not supporting multicast, is there any workaround method to run EIGRP in PIX? (My requirement is to switch to satellite link when E-1 is down.)
Answer:
Plain and simple, the PIX does not support EIGRP. You can run RIP, OSPF or static routing.
You can specify static routes with different metrics so that if one is unavailable (ARP timeout) then it will switch over to the other one. You may have to play with some timers for really good convergence time, though.
I suppose the first question I would have for you is: If you are using these for Internet connections, you are really just concerned with the 0.0.0.0/0 route, correct?
If the answer is yes, then simply run EIGRP on the inside portion of your network, and get all of the benefits and simplicity that you have come to love.
On the outside of your PIX (so, PIX, E-1 router and satellite router) run RIP or OSPF. Because all you’re looking for is a simple preference for which way to go out in case of failure, the configuration can be very basic and very simple.
With OSPF, you have more controls and faster convergence time. Knowing a little bit (or assuming a little bit) about your network design here, what I would do is generate a default route from your satellite router first using OSPF. On the off chance that this is some proprietary box where configuration may not be simple to manipulate the details, I’d start here.
Everyone on the outside of your PIX should learn the 0.0.0.0/0 route at this point. Look at the metric associated with it, whatever it may be by default. Then go to your Cisco router with the E-1 and create a default route, as well.
We can even go a step further here and generate a conditional default route. Let’s assume that the satellite router generated its default route with a metric of 20.
On the Cisco router, let’s assume that 10.4.4.4/30 is your E-1’s link address to the Internet. (Assumptions are good to get us started since I don’t know all the details of your configuration.)
Config:
access-list 10 permit 10.4.4.4 0.0.0.3
!
route-map ConditionE1 permit 10
 match ip address 10
!
router ospf 1
 default-information originate always metric 10 route-map ConditionE1
With this configuration, you will originate a default route into OSPF as long as the route in ACL 10 exists (the E-1 link). If the E-1 goes down, that route will disappear from your routing table and, thus, the 0.0.0.0/0 route will disappear from OSPF.
The fact that we set a metric of 10 here makes it better than the metric of 20 from your satellite router. But at the same time, if the metric 10 disappears, 20 will still exist. Your PIX is simply learning from OSPF, so it’s getting the best of all worlds at this point.
Without getting into too many other details of your configuration, I’d say this would be a nice way to dynamically give yourself some failover within the confines of protocols that actually exist on the PIX.
Hope that helps!
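To make the failover behaviour concrete, here is an added Python model of the conditional default route just described. It is not the column's configuration and not PIX or IOS code; the metrics 10 and 20 and the link 10.4.4.4/30 come from the answer, while the placeholder LAN prefix and the routing-table entries are constructed. It implements the Cisco wildcard-mask match used by ACL 10, originates the E-1 router's default only while a matching route exists, and lets the PIX keep whichever default has the lowest metric.

```python
"""Toy model of the conditional default route above (added example, not the
column's configuration). The E-1 router originates 0.0.0.0/0 into OSPF only
while a route matching ACL 10 exists, the satellite router always originates
it at metric 20, and the PIX installs the lowest metric it hears."""
import ipaddress


def acl_matches(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: bits set in the wildcard are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def e1_router_default(routing_table, acl=("10.4.4.4", "0.0.0.3"), metric=10):
    """'default-information originate always metric 10 route-map ConditionE1':
    advertise (prefix, metric) only while some route in the table matches ACL 10."""
    for prefix in routing_table:
        network = str(ipaddress.ip_network(prefix).network_address)
        if acl_matches(network, *acl):
            return ("0.0.0.0/0", metric)
    return None


def satellite_router_default(metric=20):
    """Unconditional default from the satellite router (assumed metric 20)."""
    return ("0.0.0.0/0", metric)


def pix_best_default(advertisements):
    """The PIX learns every 0.0.0.0/0 via OSPF and keeps the lowest metric.
    Returns (source, metric), or None when nobody advertises a default."""
    heard = [(adv[1], src) for src, adv in advertisements.items() if adv is not None]
    if not heard:
        return None
    metric, src = min(heard)
    return src, metric


def best_exit(e1_up: bool):
    """Routing table on the E-1 router with the link route present or withdrawn
    (constructed entries; 192.0.2.0/24 is just a placeholder LAN)."""
    table = ["10.4.4.4/30", "192.0.2.0/24"] if e1_up else ["192.0.2.0/24"]
    adverts = {
        "e1-router": e1_router_default(table),
        "satellite": satellite_router_default(),
    }
    return pix_best_default(adverts)


if __name__ == "__main__":
    print("E-1 up:  ", best_exit(True))    # ('e1-router', 10)
    print("E-1 down:", best_exit(False))   # ('satellite', 20)
```

The wildcard 0.0.0.3 covers 10.4.4.4 through 10.4.4.7, so the route-map keeps advertising as long as the /30 link route is installed; once that route is withdrawn the E-1 default vanishes and only the satellite's metric-20 default remains for the PIX to use.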
IPv6: What’s the Rush?
Q: I saw a recent article about IP version 6 and how everybody needed to start changing their addresses over in order for the Internet to continue working. My boss started asking me questions about this, and I don’t know what kind of answer to give.
None of my friends seem to be concerned or interested in changing, though, so is it really a problem?
Answer:
If you look hard enough, the sky really is falling. Or perhaps the Earth is rising. I haven’t figured out which one yet.
The bottom line is, “it depends” — which is a standard Cisco answer for things, but it seems to apply to everyone in the case of IPv6. So let’s look at a few things.
What problems are we having with IPv4 that may require us to change? Namely, there are not enough addresses. Part of this problem, of course, was that in the beginning, people were handing out IP addresses like they were candy and in classful boundaries. So absolutely there weren’t enough!
I have clients who have /16 address space that they honestly use perhaps 50 to 100 devices on. But there isn’t any incentive for them to give things back, so they aren’t giving them up. And regional Internet registries (RIRs), like the American Registry for Internet Numbers (ARIN), have made things incredibly complicated and convoluted for transferring these older portable addresses, so selling them is hardly worthwhile. Consequently, people just hang on to them for no good reason while others struggle.
Even with the advent of Variable Length Subnet Masking (VLSM) and the ability to assign addresses in smaller allocations, we still saw the writing on the wall: The number of people and businesses on the Internet will increase all the time. That was just a way to delay the inevitable.
IPv6 offers us significantly more addresses than before. We would move from a 32-bit addressing scheme (4.2 billion varieties) to a 128-bit addressing scheme (lots of varieties!). IPv6 promises us somewhere in the neighborhood of 340 dodecillion usable addresses, in case you really cared there. Google that one!
But we have other things that are staving off a mass exodus, the first one being humankind’s resistance to change. Oh, yeah, and the money thing. We won’t spend money unless we have to.
The other big thing is Network Address Translation (NAT). There’s actually a large debate these days about the viability and proximity of IPv6 usage because more and more people are using private addressing (RFC1918), and the quality of NAT devices and firewalls is much better today than it ever has been before.
Newer items also cropping up are Application Layer Gateways (ALGs), Layer 7 Firewalls or super proxy servers. Each of these things, though, does not obviate the need for more addresses; it just delays our need to change.
After we get past the desire, motivation and money allocation, we get into the technical aspects. Is all of your networking equipment capable of IPv6 configuration? How about your security equipment? How about your operating systems and applications? How much of a deployment you will want to explore will depend on many of these. There are many ways to do NAT between IPv4 and IPv6, so that your internal systems may not need to migrate (or at least not as quickly) and your outside-facing configuration changes over.
How about your IT and networking staff? Has everyone been trained on IPv6? There’s a lot more involved than just extra bits. There are many nuances and differences in protocol and particulars along the way. DNS changes, DHCP changes…the world is a different place!
All of those things are important to think about. Now may be a good time to start evaluating your readiness. But in the end, as a normal enterprise (small to medium business), you likely aren’t going to change any faster than what your upstream provider is doing or requires. So what I would do is ask them.
A couple of smaller ISPs I’ve talked to aren’t even in the planning phases for IPv6 yet. Many are fairly well along in testing, and some even have implementations underway. IPv6 does not need to eliminate IPv4 initially, so it makes things nicer for planning an implementation. But it’s still something that takes a lot of detailed planning before jumping into it.
Jeff Doyle wrote a blog entry not long ago about this where he pointed out a similar idea: Much of the deployment depends on what people are ready for. There is no magic to making it happen. Eventually, yes, we will run out of IPv4 addresses, but the question is when.
ARIN (and other RIRs) are recommending people to push for IPv6 going forward. Most will stop handing out IPv4 allocations in 2009 (get ‘em while you can!). But who knows what trends in reallocation or security and NAT will change in the next couple of years, which may push things off further.
The bottom line is that, most likely, there isn’t any dire or immediate need to change everything out. On the other hand, if your upper management is interested and/or concerned, now may be a great time for any budget approval you need to change things! But you should at least consider your five-year planning phase. How many addresses will you need for your entire company network? Can you get those now? Do you need to get those now?
In planning for IPv6, don’t forget the human part. After all of the pieces (network, applications, OS, etc.) are done, do you have enough people with enough knowledge to manage and design things? Now may be a good time for some training!
There are various vendor-based training courses out there on IPv6. There are also different presentations at meetings like the North America Network Operators Group (NANOG) regarding important topics like this. I would advise you to take the time to research things with regard to your organization and what it would take to migrate over. No rush, but having the time to plan is good!
Hope that helps!
LINUX CERTS AND THE CUTTING EDGE
I was struck by an odd observation this week. Desperately in need of shelf space, I began going through stacks of old books and tossing them or packing them away for storage.
Among the books on NetWare 3 — the first Novell certification I earned — I realized that there isn’t a single thing in them that would be meaningful today; they were tossed. The first Microsoft certification I earned was on Windows 95 and, similarly, those books were tossed because nothing in them has merit anymore. Same story for Cisco and many others.
Then, there was “Inside Unix.” This was a book for which I actually wrote a few chapters in 1993 and which was published in 1994. As I looked through this 14-year-old text, it struck me how it still contains much of what you’d need to know to pass a Linux certification today. While Microsoft, Novell, Cisco, Oracle and so many others have updated their products to the point where the exams no longer resemble the originals, Linux — so often the darling of the cutting-edge — still measures expertise in terms of knowing how to work with tools that are just plain old.
Look at the tools you need to know for the Linux+ exam from CompTIA: df, du, kill, ls, mv, rm, tar, umask, vi and so on. Sure, you might get a question or two about KDE or GNOME, but those would be rare and you could guess at every one of them and still get a passing percentage. The same is true of the LPI and all entry- and lower-level certification exams.
The most likely reason for this — and one that might get brought up a few times in your comments — is that when it comes to vendor-neutral testing, the focus is on the commonality between the distributions. Another possible reason is that Linux is so stable and supported by such a fine toolset that all you’d need to be a great administrator is to know the commands well.
These reasons are all well and good if you want to make Washington Irving proud — but not if you want to authenticate an administrator with skills for today’s world. I’d like to hire someone who knows something new, not something that existed before Netscape Navigator 1.0 was released. And I’d hope that the certifications they hold reflect that.
NEW NOVELL LINUX CERTIFICATIONS
Novell recently rolled out one new Linux certification: Certified Linux Desktop Administrator (CLDA), and is expected to soon go live with Certified Linux Administrator (CLA), as well. Both consist of a single exam on SUSE Linux Enterprise 10 that’s administered through either Prometric or VUE testing centers. The exam numbers are 050-708 and 050-710 (not yet available), respectively.
The CLDA focuses on SUSE Linux Enterprise Desktop 10. Test objectives can be found here:
http://www.novell.com/training/testinfo/objectives/3086tobj.html
The CLA focuses on SUSE Linux Enterprise Server 10. The test objectives aren’t posted yet, but the exam will focus on topics taught in Novell’s 3071 and 3072 courses, the objectives for which can be found here and here, respectively.
A LOOK AT THE SUN CERTIFIED ENTERPRISE ARCHITECT CERTIFICATION
One of the more interesting certifications from Sun is the Sun Certified Enterprise Architect (SCEA), an upper-level certification aimed at those working with Java EE-compliant applications. What makes it interesting is the way you go about obtaining it.
To become certified, you’re required to do a number of things:
- Pass the requisite testing-center exam (CX-310-052: Sun Certified Enterprise Architect for the Java Platform, Enterprise Edition 5). Administered through Prometric, you have 120 minutes to answer 64 multiple-choice and drag-and-drop questions and get 57 percent correct to pass. The cost is $200.
- Pass an assignment exam (CX-310-301A). After passing the testing-center exam, you download an assignment directly to your computer and then have 12 months to complete it. There are several parts to the exam and you must get 71 percent of the assignment correct in order to pass. The cost is $250.
- After successfully completing the first two requirements, return to a Prometric testing center and take an essay exam (CX-310-062). The exam consists of eight questions based on your assignment and you have 90 minutes to answer them. The cost is $200.
What I like most about this approach is that it’s broken into three completely different parts, with a hands-on component to weed out those who only have knowledge-based skills from those who can actually apply what they know.
CODES OF CONDUCT
There seems to be a trend afoot to create or refine codes of ethics for all professions. CompTIA has one of the most succinct ethics policies that I’m aware of; instead of belaboring the point ad infinitum, the company takes a difficult topic and condenses it rather pithily: http://certification.comptia.org/resources/conduct_policy.aspx
Now, while CompTIA doesn’t publish numbers for all of its good-for-life certifications, it does so for three:
- The A+ certification, which has been around since 1993, has awarded over 700,000 certifications.
- Network+, which has been around since 1999, has awarded over 180,000 certifications.
- Security+, which has been around since 2002, has awarded over 45,000 certifications.
That means that over 925,000 people have agreed to CompTIA’s conduct policy. Of those, I can’t help but wonder what percentage actually read the policy beforehand versus how many merely agreed to whatever was presented to them for the sake of getting the certification. How many of those certified are unaware of the policy’s existence — or that they’ve even agreed to it?
And, perhaps most importantly, what’s the penalty if those policies aren’t adhered to? If you disclose confidential client information, does a representative from CompTIA show up at your office and revoke your good-for-life certificate? What if you bought the coffee mug with the logo on it — do they take it back, too?
NUMBERS DON’T LIE, BUT…
Many of you wrote to take issue with my recent discussion of vendor numbers: Cisco topped 1 million certifications granted since the beginning of its program, Microsoft is over 2 million, etc.
While I wholeheartedly agree that the numbers aren’t mutually exclusive — one individual may hold more than one Microsoft certification, or may hold a certification from Microsoft and Cisco, and so on — the key issue is that these are numbers the vendors are actually proud of, as witnessed by Cisco’s press release when it hit the 1 million mark.
Should vendors be pleased with those numbers, or should they report ONLY the number of certifications that are currently valid? From a marketing standpoint, it sounds good to say X-number of administrators are certified by your program — never mind if those administrators certified 15 years ago on a platform that has since lost support. From an administrator’s standpoint, however, it’s better to compete against those who have the same exact certifications as you and to stand out from those who have antiquated certifications.
Arguably, creating new titles is one solution (we’re moving from “engineer” to “architect,” and I’m guessing “draftsman” isn’t too far down the road). By creating a new title, you immediately start with zero certification holders, and then only those with current skills will hold the title. One drawback to this approach, though, is generating enough market education — particularly among hiring managers — of the new certification.
I would think that a better solution is to simply strike from the record all old certifications. A Microsoft Certified Trainer (MCT) can’t be an MCT if their skills aren’t kept up-to-date, so why shouldn’t the same be true of all other certifications? This would require an expiration date to be affixed to ALL certifications, not just the ones which currently implement it.
