Preparation Tips for the JNCIE-SEC Exam

Wednesday, September 21, 2011

Stefan Fouant


Not a day that goes by since having passed the JNCIE-SEC exam that I don't receive an inquiry in one form or another regarding how I prepared for the exam. 

It seems that there is an incredible amount of interest in this exam, especially from all those die-hard ScreenOS folks that are now converting to Junos. 

So instead of constantly repeating myself, I figured I'd just put it up on the blog so others can benefit (leaving me more time to do other things, 'heh).

NOTE: For full disclosure, I must reveal that I am an Technical Trainer and Certification Proctor at Juniper Networks.  As such, I take EXTRA responsibility towards protecting the content and integrity of the exam and I take the certification credentials very seriously.  Not only that, I worked REALLY, REALLY hard to achieve my JNCIE certifications, and I believe everyone else should too! As such, I kindly ask that candidates refrain from asking me questions which would be considered a violation of the NDA.  Also, I should add that although I work for Juniper, the viewpoints expressed in this article are my own and may not necessarily be shared by my employer.

Let's first start by looking at the exam objectives and then we will move on to the materials I used for preparation and the hardware requirements for building out a lab which would provide for sufficient preparation.

Exam Objectives

Detailed exam objectives are listed on Juniper's JNCIE-SEC Exam Objectives certification page.  Familiarize yourself with these objectives and try to focus your study towards mastering all of these objectives.  Learn to read between the lines to identify if additional subject matter might need to be explored for full preparation.

In Junos there are typically more than one way to accomplish a given task so you would be wise to learn all the different ways of accomplishing a goal to achieve complete mastery of the subject matter. 

For example, can you accomplish bidirectional address translation similar to Static NAT by instead using Source NAT and Destination NAT?  What are the benefits and caveats of each approach?

The current Junos software release that is used throughout the exam is Junos 11.1.  A quick glance through the release notes may be useful to familiarize yourself with some of the new features introduced in this version.

Study Materials

First and foremost, you are going to want to get your hands on the official Juniper courseware for all the requisite curriculum listed under the Junos Security track.  Specifically the following:

If you are unable to attend all of these courses in person, one of the cool things is that Juniper now lets you purchase the course materials for self-study purposes.  Basically you get access to everything that you would normally receive in the class, minus the instructor and access to the lab gear of course.

NOTE: While it is possible to order the materials for self-study, I strongly advocate taking the actual training if you can do so as the instructors tend to augment the subject matter with additional details, first-hand observations and experience not normally found in the materials.  Furthermore, as is the case in classes I normally teach, we tend to reveal tips and techniques which might be useful in certification attempts.

To augment the above, I would highly advise reading the book 'Junos Security' by Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, and James Quinn.  I'll be writing a review of this book in a subsequent post but for now I can't overemphasize how important this book was in my preparations.

In fact, I would advise reading it twice for good measure.  There is a lot of good coverage in this book.  The majority of what you can expect to see in the exam is covered in this book, and what might be missing is adequately covered in the official courseware material.

I would also suggest making note of the links below.  You would be well advised to make use of both of these links during your preparation.  The first link is the JumpStation to a wide variety of SRX knowledge base articles and the second link provides detailed coverage on configuring High Availability across a number of different SRX platforms. 

Familiarize yourself with the subtle differences in HA configuration across all the different platforms as you don't want your first time to be exposed to these differences to be during an examination attempt.

Before moving on to the lab setup, I want to mention that we will be offering JNCIE-SEC bootcamps sometime in the future.  Although there is currently no committed date for such an offering, when available you will get in-depth coverage of the types of topics you will expect to see on the exam in addition to a simulated lab on the final day of class.  Stay tuned for more information regarding our bootcamp offerings on Juniper's Learning Portal.

Lab Buildout

A common question asked throughout the forums is what type of lab setup is required for adequate preparation.  I can tell you that I personally prepared with only two SRX210s and single SRX100 device, but it slowed down my preparations immensely due to constantly having to rearrange and reconfigure the lab setup to accommodate different topologies (hub-and-spoke vs. full-mesh, clustered vs. non-clustered, etc.). 

If you can spring for it, I would say purchase as many devices as you possibly can so you can build out a clustered SRX while leaving others as standalone and build complex VPN topologies.  This way you can spend more of your time learning new features rather than having to rearrange your lab setup.

amtrak_labOne of the benefits of having the smaller branch devices is that they are fairly portable. 

In fact, as seen in the picture to the left, I was able to set up my lab during a trip from DC to New York on an Amtrak train in business class (although others did give me funny looks). 

As you can see, even during a 3 hour trip, I was able to make use of this time for study preparations.

I would also strongly advise purchasing at least one device with the High Memory option as this will let you run the full gamut of IPS and UTM capabilities, assuming you've got the licenses.  Speaking of licenses, you can acquire trial licenses from Juniper which are valid for a period of 4 weeks, so I would advise holding off on activating these until you are completely ready. 

Trial licenses are tied to a devices serial number, and although they are only valid for a period of 4 weeks, you can fetch a trial license once per year for each device serial number.

You can find SRX devices on eBay for as little as a few hundred dollars a piece, so building out a lab doesn't have to break the bank.  And the cool thing is that when you are done you can resell them for a fair market value so in the long term you really shouldn't have to spend that much getting a decent lab built out.

Once you have your lab completely set up, I would strongly advise going through all the labs in the official courseware as these are indicative of the types of things you will likely see on the exam.  Unlike JNCIE-ENT and JNCIE-SP, in this lab it really helps to have incorporated some type of client and server throughout the topology so that various features such as NAT and Stateful Firewall Policy can be properly tested. 

In lieu of this, and with a bit of creative license, you could actually use one of your SRX platforms with a few Virtual Routers configured to simulate both clients and servers, connected to the Trust ports on the other devices throughout your topology.  This won't give you the same parity as having access to real Clients and Servers, but the idea is to be able to generate sufficient flows to properly trigger things like NAT rules or firewall policy. 

A lot can be simulated by simply using 'telnet' and specifying the destination-port required to trigger a particular rule on a downstream device.

Final Notes

A question most often asked is how long should it take to prepare.  The answer to that question really depends on your Junos experience level and background.  If you already have previous working experience with Junos or a JNCIE, I would expect about 4-6 months should be sufficient for adequate preparation. 

Otherwise if you are new to Junos or transitioning over from ScreenOS, I wouldn't even suggest starting exam preparations until you've had at least 1-2 years experience working with Junos and the SRX platforms.

Overall, this might seem like a long time but you'd be amazed at how quickly a few months can go by - if you can carve out even just an hour each day over the course of several months you will be infinitely better served than having to do a bunch of cramming in the last few weeks before your exam.  Remember, slow and steady wins the race here... it's a marathon, not a 100-meter dash.

Last but not least, and this may seem a bit silly but it is really important to try to get to bed early on the night of the exam and get a decent nights rest.  If you're not adequately prepared the night before the exam, cramming all night isn't going to do you any good.  Also, wake up early enough to ensure you can get a good breakfast.  Based on personal experience I can tell you that this makes a big difference. 

I strongly advise oatmeal since it's low on the Glycemic Index and will give you a slow steady release of energy throughout the morning - the perfect way to ensure your mind is focused and you don't have any of those mid-morning dips in energy levels or mental acuity.

A little tidbit that not many folks are aware of - you can bring your own keyboards when you sit the exam as you might find the keyboards we provide to be difficult to use.  This is one of those little things that can really make a difference when you are used to running all those EMACS command sequences on a keyboard you are familiar with.

I will be proctoring this exam so for those of you attempting to sit the exam in our Herndon office, I look forward to meeting you and wish you the best in your upcoming attempt.  With a little bit of luck and a lot of preparation, you may find success and achieve the highly sought-after JNCIE-SEC designation. 

Good luck and may the force be with you!

Cross-posted from Shortest Path First

Possibly Related Articles:
Security Training
Information Security
Certification Training Network Security JNCIE-SEC Junos Threat Management
Post Rating I Like this!
zaman Badoolah Hi-- I like to have your help in setting up real lab for security --please contact me
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.