Cisco Systems has added a new security certification, dubbed Cisco Security Specialist 1 (CSS1), to its ever-popular certification lineup. CSS1 is an excellent option since it shows that you have technical knowledge over both security foundation subjects and Cisco-centric security technologies. CSS1 is a midlevel certification that is similar to the Cisco Certified Network Professional (CCNP) in that you must already have achieved your Cisco Certified Network Associate (CCNA) to be eligible to take the CSS1 tests. The CCNA certification (and exam, as it is only a single test) covers foundational Cisco networking knowledge such as the OSI model, TCP/IP, subnetting, basic Cisco IOS commands, and basic router and switch operation.

Components of CSS1
CSS1 requires you to pass four tests. Here’s a look at each:

  • Managing Cisco Network Security (MCNS) 640-442
    The MCNS test could be considered the foundation exam for CSS1. It lays the groundwork for the other three tests and covers such topics as how to evaluate security threats and the basics of configuring IPSec, VPN, AAA, PIX firewalls, and the VPN client. Although you can take the exams in any order, I highly recommend that everyone take this test prior to taking the other three CSS1 exams.
  • Cisco Secure PIX Firewall Advanced (CSPFA) 9E0-571
    Although the 640-442 exam covers PIX firewall basics, the PIX Firewall Advanced exam covers exactly what it says: configuring advanced features of the PIX firewalls and the Cisco IOS Firewall feature set, which can be loaded on routers. PIX devices are Cisco’s line of dedicated, hardware-based, firewall devices. As you might imagine, any configuration possible for a PIX firewall is fair game on this test. Hands-on experience is practically a necessity for this and the remaining two tests.
  • Intrusion Detection System with Policy Manager (CSIDS 2.1) 9E0-572
    Yes, that is quite a long title for an exam. Basically, the focus is on operating the Cisco Intrusion Detection System. This is a dedicated hardware device that continually scans for potential attacks. Typically, it sits on the border of your network and looks for suspicious packets. The exam also addresses the Cisco Secure Policy Manager. This software package can distribute security policies to multiple devices in your network.
  • Cisco Secure VPN (CSVPN) 9E0-570
    The CSVPN test covers virtual private networking, the Cisco way. In other words, it deals with configuring the Cisco VPN 3000 Series Concentrator and the Cisco Secure VPN Client; VPN configuration on a PIX firewall; router-based VPN configuration; certificate authorities; and lots of IPSec issues.

CSS1 preparation
As you can tell by the exam descriptions, you can’t just read a book and expect to pass the tests. These are definitely intermediate-level topics, where hands-on experience or at least some type of hands-on training is needed to pass the exams. Cisco has authorized Learning Partners that teach classes built around the test topics. It also partners with companies that offer e-learning (virtual classroom) courses on these subjects so that you never have to leave your desk.

The cost of the tests is the Cisco standard price ($125 each at the time this article was published). You can take the exams through Prometric or Vue.

Cisco Press offers books on each of the exam topics:

The books can serve as a handy resource, both to prep for the exams and to learn more about these topics. I am also looking forward to an upcoming and more advanced title, Network Security Principles and Practices, by Saadat Malik. This book isn’t set to be released until November 2002 but sounds as though it will include all these topics and talk about using the advanced configurations together.

Although I’ve provided links to, you can purchase all these books from other sources as well. In addition to and, I have found that Bookpool usually has some of the best pricing on technical books such as these. Another source for exam preparation material is HelloComputers. It offers technical training and write certification preparation materials. I suggest HelloComputers because it’s one of the few that offers a CSS1 workbook and virtual-rack practice time.

Selecting a security certification
So how does CSS1 compare to the other security certifications available? CramSession has a list of security-related certs on its site, and there are a lot of choices, but I would primarily compare CSS1 to the ISC2 Certified Information Systems Security Professional (CISSP) and the Check Point Certified Security Expert (CCSE).The difference is that the CISSP is industry neutral and not based on configuring actual devices but on more specific book knowledge on security. That can be important if you need to demonstrate that you have the foundational knowledge for an IT security job. The Check Point CCSE is more similar to CSS1 because it’s a vendor-specific certification that focuses on configuring a specific vendor’s devices.

Deciding which certification to choose can be tough because there’s no perfect security certification. As you evaluate your options, you should ask yourself:

  • Does this certification fit what I do in my current or future job?
  • Do I enjoy the topic material? (This will make a difference when you start reading 1,000-page books.)
  • Will this certification help me in my career or make me more money?

If you answer yes to most of those questions, the certification is probably right for you.

Down the road
Cisco’s CSS1 certification allows you to demonstrate your knowledge of basic security issues as well as Cisco-centric security technologies. CSS1 also offers an advantage if you plan to pursue an advanced security certification: It can serve as a stepping-stone to beginning work on the Cisco Certified Internetwork Expert (CCIE) Security certification, which is considered one of the most valuable certifications on the market. To help you get a handle on how to prepare for each of the CSS1 exams, I will focus future articles on what it takes to pass each.