Cisco Systems has added a new security certification, dubbed Cisco Security Specialist 1 (CSS1), to its ever-popular certification lineup. CSS1 is an excellent option since it shows that you have technical knowledge over both security foundation subjects and Cisco-centric security technologies. CSS1 is a midlevel certification that is similar to the Cisco Certified Network Professional (CCNP) in that you must already have achieved your Cisco Certified Network Associate (CCNA) to be eligible to take the CSS1 tests. The CCNA certification (and exam, as it is only a single test) covers foundational Cisco networking knowledge such as the OSI model, TCP/IP, subnetting, basic Cisco IOS commands, and basic router and switch operation. Components of CSS1
CSS1 requires you to pass four tests. Here's a look at each:
- Managing Cisco Network Security (MCNS) 640-442
The MCNS test could be considered the foundation exam for CSS1. It lays the groundwork for the other three tests and covers such topics as how to evaluate security threats and the basics of configuring IPSec, VPN, AAA, PIX firewalls, and the VPN client. Although you can take the exams in any order, I highly recommend that everyone take this test prior to taking the other three CSS1 exams. - Cisco Secure PIX Firewall Advanced (CSPFA) 9E0-571
Although the 640-442 exam covers PIX firewall basics, the PIX Firewall Advanced exam covers exactly what it says: configuring advanced features of the PIX firewalls and the Cisco IOS Firewall feature set, which can be loaded on routers. PIX devices are Cisco's line of dedicated, hardware-based, firewall devices. As you might imagine, any configuration possible for a PIX firewall is fair game on this test. Hands-on experience is practically a necessity for this and the remaining two tests. - Intrusion Detection System with Policy Manager (CSIDS 2.1) 9E0-572
Yes, that is quite a long title for an exam. Basically, the focus is on operating the Cisco Intrusion Detection System. This is a dedicated hardware device that continually scans for potential attacks. Typically, it sits on the border of your network and looks for suspicious packets. The exam also addresses the Cisco Secure Policy Manager. This software package can distribute security policies to multiple devices in your network. - Cisco Secure VPN (CSVPN) 9E0-570
The CSVPN test covers virtual private networking, the Cisco way. In other words, it deals with configuring the Cisco VPN 3000 Series Concentrator and the Cisco Secure VPN Client; VPN configuration on a PIX firewall; router-based VPN configuration; certificate authorities; and lots of IPSec issues.
As you can tell by the exam descriptions, you can't just read a book and expect to pass the tests. These are definitely intermediate-level topics, where hands-on experience or at least some type of hands-on training is needed to pass the exams. Cisco has authorised Learning Partners that teach classes built around the test topics. It also partners with companies that offer e-learning (virtual classroom) courses on these subjects so that you never have to leave your desk. The cost of the tests is the Cisco standard price ($125 each at the time this article was published). You can take the exams through Prometric or Vue. Cisco Press offers books on each of the exam topics:
- Managing Cisco Network Security, by Mike Wenstrom
- Cisco Secure Intrusion Detection System, by Earl Carter
Cisco Secure Virtual Private Networks, by Andrew Mason
So how does CSS1 compare to the other security certifications available? CramSession has a list of security-related certs on its site, and there are a lot of choices, but I would primarily compare CSS1 to the ISC2 Certified Information Systems Security Professional (CISSP) and the Check Point Certified Security Expert (CCSE).The difference is that the CISSP is industry neutral and not based on configuring actual devices but on more specific book knowledge on security. That can be important if you need to demonstrate that you have the foundational knowledge for an IT security job. The Check Point CCSE is more similar to CSS1 because it's a vendor-specific certification that focuses on configuring a specific vendor's devices. Deciding which certification to choose can be tough because there's no perfect security certification. As you evaluate your options, you should ask yourself:
- Does this certification fit what I do in my current or future job?
- Do I enjoy the topic material? (This will make a difference when you start reading 1,000-page books.)
- Will this certification help me in my career or make me more money?
Cisco's CSS1 certification allows you to demonstrate your knowledge of basic security issues as well as Cisco-centric security technologies. CSS1 also offers an advantage if you plan to pursue an advanced security certification: It can serve as a stepping-stone to beginning work on the Cisco Certified Internetwork Expert (CCIE) Security certification, which is considered one of the most valuable certifications on the market. To help you get a handle on how to prepare for each of the CSS1 exams, I will focus future articles on what it takes to pass each. TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to email to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
For all job and work-related news, or to search for a job and get information on training, go to ZDNet Jobs. If you have something to say about work and employment issues say it here at the Jobs Forum. Let the editors know what you think in the Mailroom.
