Chris,

I would like to address Gary's points. I am cc:ing the list so that those
that are interested in reading my answer can; for those of you who are not
interested, just delete this post from your mailbox.

As I am slowly revamping the material that was written 3 years ago, and
incorporating new material as Chris Brenton has stated in a previous
post, I will be including several real world scenarios that I have
encountered in the last few years.

The original tutorial, Firewall Troubleshooting and Management, included
Symptoms, Identification of the Problem and a few possible Solutions. The
solutions were applicable in a generic sense. The new material, I hope, will
include some specific fixes for the various commercial and noncommercial
firewall solutions available, updated to the latest stable revs. As of
this writing, I have not had a chance to beat on Raptor 6.5 for Solaris or
NT. Axent just recently switched their High Availability module from
Veritas FirstWatch HA to a Stonebeat HA solution. I will definitely
include sections on rule building for Raptor, as Chris, I think, can pretty
much write up rule building for FW-1. License issues will also be
addressed, with a couple of quick tips and how to properly design a fail
over system where you do not have to wake the vendor in the middle of the night.

To address Gary's last point: SANS/GIAC is attempting to address the
technical end of where the ISC organization falls short. ISC is also
addressing the same issues that SANS/GIAC is attempting to address. It is
very hard to generalize specific information regarding every single product
out there that could possibly be on the wire or installed in an
organization somewhere. Both organizations are attempting to address the
issue to encompass the issues to ensure training/certification for the
masses. Some people believe, as I do, that it takes more than several
certifications and/or a CISSP plaque to be recognized in the Information
Security field. A former CSO of Cisco once said, "The CISSP gets you an
additional $10,000, but that is about it, not much else." It takes hard
work, long hours (painstakingly so), vicarious reading of RFC's, Manuals,
mailing lists, operating systems ins and outs, SNMP, Sniffer Packet
decodes, various ENMS/IDE/Performance products, release notes, README
files, time consuming product evaluations, ACLs, C/C++, Java, Perl, etc.
I once had a fellow co-worker tell me he was too busy to read an RFC that
was pertinent to the particular task he was doing, and I should tell him
the three or four things he needed to know so that he could complete his task
ahead of schedule instead of learning something that he may use in another
engagement. There are no shortcuts in this field and no easy course to
attend to teach one all the tricks, tidbits and real world scenarios.

/hope this helps
/m

At 06:57 AM 7/11/00 -0400, Crumrine, Gary L wrote:
>Chris, I'd like to throw something at you and Mark. First of all, I have
>sat through all of the vendor training courses offered from Raptor and the
>old V-One and frankly they suck big time. You do not get real world
>scenarios, or any data on what I need my new technicians to do on a daily
>basis. What I wanted them to learn were things like, set up of redundancy,
>auto failover, blocking bad sites, how to kill a mail loop, installing
>patches, how to develop rules, properly set up routes to all my different
>networks, how to set up safe DMZ, how to have one backup machine available
>for a spare when you have 10 or more on line, and the spare has to be able
>to quickly replace a faulty or suspect server, and how do you deal with
>license issues and get it back online when the vendor is asleep at 3 in the
>morning etc. Nothing like that was included. Real world stuff that they do
>not address.
>
>If someone like Mark were to develop a comprehensive training boot camp,
>where I can send new technicians and feel certain that they can run a
>network, and solve all the problems they see every day, .... well that
>company is going to get rich...
>
>Not to criticize the SANS offering..... as I think it is a great thing... a
>program that identifies and quantifies the knowledge base a so called expert
>should possess... but I do not think that the two types mix very well. They
>are aimed at two very distinctly different audiences.
>
> > -----Original Message-----
> > From: Chris Brenton [SMTP:[EMAIL PROTECTED]]
> > Sent: Monday, July 10, 2000 5:36 PM
> > To: [EMAIL PROTECTED]
> > Cc: janosh ivan; [EMAIL PROTECTED]
> > Subject: Re: SANS GIAC training/certification program
> >
> > [EMAIL PROTECTED] wrote:
> > >
> > > As SANS/GIAC slowly revamps their course material especially Firewalls 101
> > > :) it will be well worth attending.
> >
> > Spoken like someone who is helping to generate the new material. ;)
> >
> > > It really depends on what you are
> > > looking for.. If you are looking for a real hands-on course, enroll in a
> > > vendor course first to get a taste of the product,
> >
> > Here I would have to agree. The SANS course is heavy on theory, design &
> > troubleshooting. While specific products are presented, it's more from a
> > "this is the good stuff and this is the bad" perspective. I also try to
> > keep it generic enough that it can be applied to other products. I agree
> > with Mark that the best way to learn a vendor's product inside and out
> > is to attend vendor training.
> >
> > Actually, the course material is in the process of a rewrite with most
> > of the vendor specific stuff being moved to the evening. That way people
> > can pick and choose the products they want to hone in on.
> >
> > > then attend a SANS/GIAC course to understand at 30,000 level.
> >
> > Actually, I would probably recommend the other way around. The GIAC
> > training gives you the foundation you need to:
> > A) Pick the right product
> > B) Ask the right questions
> > C) Tell the difference between geek speak & market hype
> >
> > > Some of the material in Firewalls
> > > 101 is very applicable to every day use, some of it is conceptual.
> >
> > Since we've gone this far... ;)
> >
> > A brief outline of the new material:
> > TCP/IP in depth (frags, bits, etc.)
> > Firewall technology (static, stateful, proxy, SI)
> > Preparing for an implementation
> > Design considerations
> > Overview of different products
> > Reading logs
> > Troubleshooting
> > Designing rule bases
> > split DNS
> > Cisco ACL's (static & reflexive)
> > Defense in depth (running layered firewalls)
> > Host based IDS
> > Logging options
> > More than you ever wanted to know about VPN's
> >
> > The above is broken up over four days. Day 1 was generated by Stephen
> > Northcutt & is complete. Day 3 was done by Lance Spitzner and has just
> > finished final tweaking. The VPN class (day 4) had input from a bunch of
> > people and Mark T. is helping me tweak day 2.
> >
> > > Marcus Ranum used to teach an awesome (and I do mean AWESOME) Introduction
> > > to Firewalls and Practice No Theory course a couple of years back.
> >
> > Agreed. Marcus kicks butt. :)
> >
> > > Chris Brenton also teaches the SANS/GIAC Firewalls 101 course, and is
> > > working on improving the material so that attendees can utilize the
> > > material at their workplace.
> >
> > Don't get me wrong, the current material is very good. I'm just trying
> > to take feedback from previous students in order to make it better. The
> > new material should be done in time for Monterey.
> >
> > > The whole idea of attending a conference like SANS/GIAC is to pick the
> > > tutorial sessions that can be applied to your normal day at work and show
> > > that the amount of money spent will definitely have an instant ROI..
> >
> > It's also to get a vendor neutral spin on the whole thing. As I'm fond of
> > telling my students "I'm equal opportunity. I'll flame as well as sing
> > the praises of product on the market". ;)
> >
> > Cheers,
> > Chris
> > --
> > **************************************
> > [EMAIL PROTECTED]
> >
> > * Mastering Cisco Routers
> > http://www.amazon.com/exec/obidos/ASIN/078212643X/
> > * Mastering Network Security
> > http://www.amazon.com/exec/obidos/ASIN/0782123430/
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]