CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide (CCSP Self-Study)

Reviewed by Steven Ferguson

The Cisco Press title CCSP Cisco Secure PIX Firewall Advanced (ISBN 1-58720-067-8) is the one of two currently released titles in the CCSP series being release by Cisco Press. The book provides a detailed look into what many consider the best firewall in today's marketplace, the Cisco PIX. Bastien and Degu have written the book in such a way that anyone from beginner to expert can get a lot out of it. The title would lead you to believe that this book is designed only to help you pass the CCSP Cisco Secure PIX Firewall Advanced Exam; however the book is appropriate as a reference guide as well. The authors cover many of the new topics introduced in PIX OS 6.2 that even seasoned professionals may not be aware of. Bastien and Degu provide very detailed walkthroughs of even the most advanced topics. In particular, the coverage of Virtual Private Networks was superb. You will not find as much detail or in depth diagrams for PIX VPN support in any other book written for the PIX firewall. For those that are pursuing certification, there are excellent practice questions at the end of each chapter that effectively test your understanding of the topics covered. The CD that accompanies the book also provides a very helpful practice exam as well as an electronic version of the book, which makes a great searchable reference. There are many examples throughout the book that really help those that do not have a PIX to practice on. Even with these wonderful examples I would still recommend that everyone who is serious about learning the PIX get some hands on experience. There are also case studies that can be used to test your understanding and ability to effectively configure a PIX firewall. Overall, I give the book the book a 5 out of 5. There were a minimal amount of technical errors and I believe the authors have developed the best text available on the Cisco PIX firewall. Even though a good understanding of IP and basic security principles would aid in the understanding of this book I would recommend the title to all levels of Security Professionals. If you are seeking certification or just looking for an excellent reference manual for the PIX, this is the best book available.

Rating:
Summary: Solid book, does have some proofreading mistakes...
Review: As the previous reviewer noted, this book does contain some mistakes which should have been caught in proofreading. That being said, they are easily identifiable and do not take away from the overall content of this book. 5 stars on content, minus 1 star to the editor.

Rating:
Summary: Fair Reference... Poor Study Guide
Review: CCSP Cisco Secure PIX Firewall Advanced - Exam Certification Guide by: Greg Bastien and Christian Abera Degu is a good source for anyone that is interested in setting up and configuring a Cisco PIX. I found page after page of useful information without all the unnecessary filler introduced by other authors.

If you have no experience with a Cisco PIX this book is a good start. It can help you select the proper model for your needs. Each model has different features that may or may not be important to your use. The differences are outline in a model by model summary followed by a complete comparison chart of the all the models.

Once you select your model you will need the basics to get going. The authors do a great job of covering the commands that you will need to get started. Examples highlight the usage, which helps when there are multiple arguments available for a single command.

As you progress through the book the subject matter increases in complexity, but the authors keep you informed. Cicso has built in the power to their operating system, but unleashing that power needs some explaining. The advanced commands are helpful since there are times when difficult configurations push us to the test. Having the insight to the power and proper use of certain commands and configurations help us overcome these obstacles.

I was impressed with the scenarios provided in the end. I like the way that the authors challenged me with their configurations and tested my skill and understanding. Their explanations have helped me to reconsider and change my configuration and setup to provide for a more secure network, which is something that we all need these days.

On the book's negative side I found quite a few errors in spelling and grammar. It seems to have been poorly proofread. I found the word "network" spelled "netowrk." How does that get by? My spellchecker corrected it for me, but somehow this made it passed the spellchecker used by the authors and was not caught by the proofreaders.

There are a few sections where I found some copy and paste errors. For example in the section regarding the Cisco 520, the body text reads "Cisco 515" in error. This leads to some confusion if you are not alert. It could easily lead you to believe the Cisco 515 can function the same as a Cisco 520, which is not always the case.

Another annoyance is the fact that some of the figures in the book do not use the same IP scheme as what is written in the text. It is as if the scenario or configuration was written and the figure was not updated to correspond, or vise versa. This makes it a little hard to follow along. I found it easier to correct the figure with a pen then to change the text.

Overall I feel that the book is a good reference guide, but does not make the cut for a study guide. There are too many errors that are distractions while studying. I should not need to hold a pen in my hand as I read along to make corrections. That is the job of proofreading.

Rating:
Summary: This happens when you rush a book to the press
Review: cons :
These are some weird text from the book ;
01) On page 280 (chapter 14) it redefines outbound and inbound traffic to be precisely the opposite of what it is supposed to be
02) Example 14-8 makes a reference to figure 14-1.. it is all wrong
03) I have encounter like 5 answers which are plain wrong, or the question could be just the opposite.
04) don't read chapter 14 for it will just confuse you a lot.

pros :
Only 329 pages. The writing style tends to be clear and to the point and with good examples.

Conclusion : The tendancy of making mistakes in this book is by putting statements or questions which are exact the opposite of the correct ones. I tend to agree with the first review.. this book is a good example of a careless editor, or one who just doesn't understand what he/she is editing.

Rating:
Summary: Don't waste your time
Review: I can't add much to the comments already posted here, except to support the view that this book is a waste of time and money. It will NOT help you pass the exam. Even if it covered all the material (in my estimation, it omits ~20% of the required curriculum), it still simply copies or paraphrases the (free) Cisco Configuration and Command Reference guides.

At best it's a waste of money, at worst it will give you a false sense of what is required for the exam.

Rating:
Summary: An Embarrassment
Review: I failed the exam because of this book! There are errors everywhere, the most serious being on page 284, where the AAA configuration is simple wrong altogether, and would never work.

As one reviewer pointed out, there are notes from the editor still in the book! I've never seen this before, and it is a disgrace.

The exam covers the PIX MC and AUS -neither of which are even mentioned in here. To make matters worse, the author forgot to mention SSH's requirement for RSA keys to be generated.

This is arguably the worst technical book ever written.

Rating:
Summary: Worst Cisco Press Book
Review: I have been using Cisco Press books since 1998. I have achieved CCNA, CCDA, CCNP, CCDP all by self study using Cisco Press books combined with field experience and lab work. Prior to this book, I was overall satisfied with Cisco Press books and recommended others to use them. When I read this book, I was totally frustrated by the volume of incorrect information and syntax errors. This book was written by authors who are inexperienced with PIX product line. The technical reviewers have done a poor job too. Cisco Press should recall this book until a revised version is released.

The cover says this book is for 9E0-111 (expired) and 642-521. However, the book does not address FWSM and Pix Firewall MC at all. Both of these are 642-521 exam objective. Most command syntax are incorrect. Go to www.cisco.com, on the search engine type "Cisco PIX Firewall Command Reference". Pick the Version 6.2 command reference. Commands are listed by alphabetic order. Check the syntax there. In some sections, the book does not give enough information to get the job done. The list of errors is too long to put here but following is a sampler:

Chapter 4:
Page 49 under "Accessing the Cisco PIX Firewall with Secure Shell" it must be mentioned that the user needs to generate an RSA key pair before attempting to use an SSH client. Setup PIX hostname and domain-name and use "ca generate rsa key" followed by "ca save all", in addition to what has been said under this section otherwise SSH will fail.
Chapter 5:
Page 69, Sentence before the numbered items (1,2,3,4) says "The connection requires four different..." It should be "The connection requires three different..." TCP connection establishment is a 3-way handshake: SYN, ACK+SYN, ACK. So the fourth list should be merged to item 3 above. Also it uses starting TCP sequence number of 125 and 388. Note that this is an example and could be any other number (system dependent).
Page 73, Table 5-1 lists "Translations Commands". This table should be entirely re-written. Only the first 3 are the commands. Rest are argument keywords and variables (user specified values). All three commands (nat, global, and static) should be re-written separately with their own arguments or remove the table entirely.
Page 74, syntax for "global" command has "[global_ip]" indicating a single IP (as in PAT). The syntax should be corrected to indicate a range for NAT pool. The example below is correct, however.
Page 76, syntax for "static" command is wrong and incomplete. Why is the "static" command in "[]" to start with?
Page 77, syntax for "static" for port redirection is wrong.
Page 78, Example 5-1, access-list 101 line 1 and 3 has "[specific source]". I can understand this type of thing in syntax, but when output of a config is given, where did this come from? Mind replacing this with "any" or something more specific??
Chapter 6:
Page 101 lists 6 steps to enable DHCP Server on PIX. What is listed as "Step 1" should be the last step. If you try to do "Step 1" without doing "Step 2", PIX gives error "need to define address pool range first"
Chapter 7:
Page 115, under "nat 0 Command", it mentions the use of nat 0 but fails to mention one of the most important use of it, i.e., VPN configuration.
Page 121, Example 7-6, shows "object-group protocol_grp_citrix" it should be "object-group protocol protocol_grp_citrix" or "object-group protocol grp_citrix". It should be "protocol" keyword followed by protocol object group name.
Chapter 9:
Page 145, under "What is Required for a Failover Configuration", the sentence before the bullets say "Both must be the same for" and the last bullet says "Activation key". How can the activation key be the same on two PIX units? The activation key is unique to each individual unit. It should read "Activation key type" (e.g., both DES or 3DES). One important information that is missing is, one unit must have unrestricted license (UR) while the other unit can have failover license (FO) or restricted license (R) or yet another UR license. UR+FO is the most practical choice (cost wise).
Page 151, "Step 1" should be after "Step 6".
Chapter 10:
Page 162-163, Figure 10-3, 10-4 shows ESP and AH but neglects to mention that the packet format shown are for IPSec transport mode. PIX supports both transport and tunnel mode but tunnel mode is the default and is used mostly.
Page 163, under "NOTE" not sure what is implied. If it means you need DES/3DES, PIX 6.2 came with DES and can now be freely upgraded to 3DES by visiting cisco.com
Page 164, under "Internet Key Exchange (IKE)" the second sentence says "IKE is the short name for ISAKMP/Oakley". This is wrong. IKE is a combination of three different protocols: ISAKMP, Oakley, and SKEME
Page 165, under "NOTE" editors comment can be seen "Please change this sentence to read:". Way to go Cisco Press.
Page 177, all keywords "crypto-map" should be replaced with "crypto map" those are 2 separate keywords.
Page 177, before the "crypto map" command syntax the paragraph says "Normally you have at least 5 crypto-map entries with the same name". It should be 4 crypto map entries and the 5th one is to apply to the interface. As always syntax error on the 5th command syntax. There is no "seq-num" when applying to an interface.
NOTE: None of the configs in this chapter will work until you use the "nat 0" command to bypass IPSec traffic from being natted.
Page 184, "Cisco VPN Client" is misleading and incomplete.
Page 185, Table 10-8 should be frustrating to anybody new to PIX. You have to use "vpngroup group_name" and a space and one of the others in the following list, e.g., "vpngroup my_group_name address-pool my_pool_name"
** Word count of 1000 limits me from adding more to this list

Shamim Khan, BSEE, MSCS
NetPlus, Inc.

Rating:
Summary: Frustrating
Review: I have read many of the Cisco Press books and have been generally pleased with the accuracy and coverage. Unfortunatly, this book has neither. I would like to think this is because the book was supposed to address the beta exam and the new Pix exam. Overall, this guide did not adequately address some of the objectives for the test. In addition, some of the test questions on the CD-ROM had incorrect answers. The book also had syntax errors in their examples. My suggestion would be to read the command reference, configuration guide and do some hands-on work or labs and save your money on this one. Hopefully a revised version on this book will be better....

Rating:
Summary: better than nothing
Review: I met one of the tech writers , Mesfin Goshu, in the bookstore and he signed and verbally endorsed my book. He was really adamant about the strenght of this manual. Ive used the book to assist me in configurations at work with limited success. That said Im useing verserion 6.0 and havent taken the exam yet. The book has tons syntax of errors that I hope wont hurt me for the exam .
With all of the errors Mesfin should be shame of himself as the tech reviewer, clearly the output here is not a cut and paste from the command line of the PIX.

Rating:
Summary: Not worth your money
Review: I originally purchased this book with the intention of completing the 642-521 exam and earning my certification. As a command reference, this book is worthless. As for a certification study guide, many commands are not covered in the level of detail required to really understand them; some exam topics (such as AUS and the PIX Management Console) are not covered at all (much to my surprise when I took the exam). Like many of the other reviewers, I noticed several syntax errors throughout this book, which, rather than prepare me for the exam, only served to make me more confused. The Practice Exam questions that are on the included CD-ROM are just as bad as the book -- several questions respond incorrectly to the correct input (i.e. if you click on "none of the above", and the answer is "none of the above", you will still be marked incorrect even though the summary says that the answer was "none of the above"); other commands are listed with critical information (such as NAT or Global ID numbers) missing; other information is just flat-out wrong (they didn't seem to know the proper sequence of events for a TCP 3-way handshake!!!!). As for the topics that are covered, the authors only seem to cover enough to make the PIX work (that is, when the commands are syntactically correct) -- they do not go into much background information about what the commands are actually doing nor do they discuss much of the theory or implementation behind how the PIX actually handles traffic.

The only reason I can think of for publication of a book that is this bad is to increase revenue from test-takers -- since you WILL be taking the test more than once if you rely solely on this book.

All in all, I was very disappointed in this book and would not recommend it at all to other readers. I have had good luck with Sybex study material in the past and will be picking up their study guide shortly for my second attempt at the 642-521 exam.