Exam Cram 2 Check Point CCSA - Softcover

Sean Walberg is currently a network engineer for a large Canadian financial services company. His responsibilities include maintaining two large Internet hosting centers that make extensive use of Check Point products.

Over his career thus far, Sean has focused on networks and Internet security, with a brief diversion as a Unix developer. The love of Unix, especially Linux, has stuck with him since, and he has found numerous uses for it in his network and security roles.

Although this is Sean's first book-length project, he served a two-year stint as the author of a weekly Linux newsletter for Cramsession.com, a popular IT certification portal.

When not digging into routers and firewalls, Sean enjoys cooking and tinkering with electronics. He's also been known to lock himself in a room while trying to break World War II–era ciphers.

Sean is a graduate of computer engineering, where his undergraduate thesis focused on the Secure Sockets Layer, which today secures eCommerce transactions all over the Internet. He is also a registered Professional Engineer with the province of Manitoba.

He lives in Winnipeg, Canada, with his wife, two sons, and two cats.

© Copyright Pearson Education. All rights reserved.

Introduction

Check Point™ is a leader in the firewall industry. Its mantra, "We Secure the Internet," isn't just a clever catchphrase, it's the truth. Check Point boasts an 87% revenue share of the worldwide VPN/firewall software market and consistently is labeled a "Market Leader" by Gartner Group, so there's a good chance you'll run into one of their products at some point in your career. But Check Point FireWall-1 is a complex beast, and companies are looking for certified individuals to tame it.

Although some might look at the SOHO router they have at home and wonder how hard running a firewall can be, those who have experienced something on a larger scale, such as Internet hosting, know that the environment is dynamic attackers are becoming smarter, and you're being forced to expose more of your systems to the outside. Check Point's flagship product FireWall-1 gives the administrator a unified view of dozens of firewalls, which includes centralized logging and a single security policy. Routers and access lists may have cut it in the 1990s, but not anymore. As you'll see later, firewalls have to inspect all flows, and constantly check all layers for abnormalities. FireWall-1 allows you to do all this and more.

The Check Point Certified Security Administrator (CCSA) certification is the first step toward FireWall-1 guru-dom. Someone with a CCSA has demonstrated, by taking an exam, that he or she understands how to configure, maintain, troubleshoot, and upgrade a FireWall-1 installation. The product is complex, with dozens of nooks and crannies that affect the operation of the device. The exam tests you on these details, and expects that you'll know what knobs to turn in order to achieve a particular objective.

Unlike many other entry-level certifications, the CCSA focuses on the core product. There are no free points for knowing how to subnet, or for knowing the OSI model. This book will walk you through all the key material you can expect to be tested on.

Signing Up for the Exam

Check Point exams are offered exclusively through Pearson Vue. Signing up for the exam is fairly straightforward. Create a web account at http://www.pearsonvue.com/checkpoint/, wait for the confirmation email, and then go back and schedule your appointment. If you want to talk to someone on the phone, such as to schedule a same-day appointment, find your country's number at http://www.pearsonvue.com/contact/checkpoint/. The advantage of doing it online is that it's easier to check the schedules, plus your online account lets you manage your exam bookings.

Before you sign up, you'll want to make sure that you have an account at the Check Point User Center, and that you've used the same email address there as you will with Pearson Vue. After you've passed the exam, your user center account will be updated to reflect this, and give you access to more advanced technical information and logos.

You'll also need a credit card to make the online purchase. As of this writing, the price is $150.

Preparation for the Exam

You may wonder why preparation comes after signing up. If you're like me, unless you have a hard and fast deadline to meet, you'll never get around to studying. Set a date for your exam early on. You can always reschedule it if something comes up (with 48 hours' notice, though).

If you're one of those people who can focus on your studying, then by all means schedule your exam after you've finished studying. Really, I won't be offended.

The key to passing the CCSA exam is to work with the FireWall-1 product. You'll see in Chapter 3, "SmartDashboard," that there are demo modes that let you work within the software without having any real firewalls. You can also set up your own lab, either with real computers or with a virtualization tool like VMWare. For the purposes of the CCSA, a single firewall with a server behind it can do everything you'll be tested on.

This book presents a logical path through all the features covered on the CCSA exam. Trying out things, rather than simply taking my word for it, will help you remember the info come exam time. Even if you run across something that you're not sure is covered on the exam, read through the online help and try to set it up. The worst that happens is that you learn something new.

Firewalls tend to suffer from a lack of good documentation outside of the vendor's site, and Check Point is no exception. There are a few good sites out there I'll be certain to point you their way when the time comes but by and large your information can be found in the documentation and the Knowledge Base. Be careful when looking at Internet sources, because the product has undergone radical changes in the past few years and a lot of the information out there refers to older revisions.

In summary, practice using the product, read the white papers and documents on the Check Point website, and read this book!

Inside the Exam Center

If you've taken a certification exam through one of the major vendors before, this one is no different. If not, here's a rundown of what to expect at the exam center.

The first thing you'll have to do is sign in. This involves presenting two pieces of ID, at least one with a picture, and then reading and signing Vue's agreement. You'll be expected to surrender your jacket, wallet, pager/cellphone, and any bags you might be carrying. Save yourself some undue stress and throw everything in your bag before entering the exam center.

When it's your time, you'll be led to the testing room, and the proctor will sign you in to the computer. You'll also be given either scrap paper or an erasable sheet to make notes on. If you think it will help you, you may want to write out some of the important tables, such as authentication and NAT types, just in case you're prone to forgetfulness in the heat of the moment. You'll have to return all materials they give you at the end. Depending on the testing center, there may be several computers and other people taking exams. At this point, if anything seems wrong, tell your proctor! They may be able to offer you a different computer or some earplugs to help you out. After you begin the exam, it's too late to ask!

At the computer, you'll be expected to agree to Check Point's terms and conditions (that is, that you're not going to walk out of there and post all the questions to your website). Click Start the Exam, and you're off!

The question, any necessary diagrams, and the possible answers are all on the same screen. Answer the question, and click the Next button to continue, or Previous to go back one question. There will also be a check box on the corner of your screen called Mark for Review. At the end of the exam, you'll be given an opportunity to go through all the questions, or just the ones you marked for review. Either way, you can continue to review your answers until either your time runs out or you click End Exam.

When you end the exam, the machine will pause for what seems like an eternity while it figures out your mark. It will display it on the screen, along with its congratulations or condolences, as the case may be. Quietly walk out of the exam room, hand back your scrap paper, and sign out on the same sheet you signed in on. You'll also be given your printed grade report.

Exam Scoring and Strategy

The current exam has 96 questions, and you need a 70% to pass (that's 68 questions, for the mathematically impaired). You get 90 minutes to go through it. Before you think, That's less than a minute per question! realize this: There will be some questions that you'll have to sit back and think about for a minute, but if you prepare yourself in advance, there will be many more that you will immediately know the answer to. In the end, time should not be an issue.

Caution - Although you'll be tempted in some cases to immediately click your answer and then click Next, take the time to read the possible answers thoroughly. These exams are widely known for little tricks, such as asking the question in the negative (for example, "Which of the following are false?") or subtly interchanging some words to trip you up. For instance, some commands are available only in certain modes, and the first correct answer you see may be the right command but the wrong mode.

Although you can go back to a previous question, I'd advise you not to make heavy use of the Previous button. Not only does second-guessing yourself often lead to confusion, but cycling through older questions eats up time. Make a note of the question on your scratchpad and get back to it later. If you are up in the air on the question, you should click the Mark for Review button so that you can find it more easily at the end.

Caution - That Mark for Review button is very handy. If you've narrowed down an answer to a couple of choices, there's a chance that a subsequent question may help you out. This is where the scratchpad also helps.

Time management is important. Try to leave about 10 minutes at the end to review. This means you should be doing at least 25 questions every 20 minutes. An unanswered question is the same as an incorrectly answered one, so if you find yourself with only a few minutes remaining, random guessing is better than not finishing.

Pick an exam time that is to your advantage. Personally, I find mornings to be the best, because my head is fairly clear (after some coffee, that is) and my energy hasn't been drained by the day's work.

A bit of psychological advice: You aren't going to learn anything new in the couple of hours before the test. This is the time to reinforce what you know by reviewing your notes and this book's Cram Sheet, not for frantically memorizing pages from the manual. Relax as much as possible, accept that you've done your best studying, and get ready to write.

Finally, stay away from so-called "braindump" sites, where you can view questions that are purportedly from the real exam. Not only does it devalue the certification that you're going after, but the information on those sites is often wrong. If someone offers you "real" or "actual" test questions, don't fall for it. In the past, some of the sites have been successfully sued by the testing vendor, and the subscriber lists were turned over to the vendor.

Types of Questions on the Exam

Really only two types of questions are asked on the exam, as described next. There are no simulations, but you will find some scenarios, which I also describe.

Choose the Best Correct Answer (Multiple Choice)

Multiple-choice questions are the most prevalent type of question on the exam. Given five possible answers, you're asked to choose the best correct one. Sometimes, you'll see two answers that seem correct, but only one can be the right one. It's possible that you're overthinking or misinterpreting the question.

Here's an example:

Check Point FireWall-1's guiding principle is what?

1. That which is not expressly permitted is prohibited.

3. That which is not expressly permitted is allowed.

4. Rules can be set to either permit or deny traffic.

5. Firewalls should favor performance over security.

6. All attacks come on port 80.

Answer: A. The guiding policy is also referred to as a default deny. B is not correct because it is a default allow. C is not the correct answer because even though it is a correct statement, it is not a guiding principle. D is not correct because firewalls should not trade security. E is not correct because attacks can come on any port or protocol, and it is not a guiding principle.

Choose X Out of Y

These types of questions generally give you five answers and ask you to check a specific number of them. Unlike some on other exams, you'll always know how many answers you have to give (usually two or three). Make sure that you check the correct number of answers, because you can't count on the exam engine to remind you! Sometimes the expected number will be part of the question, or will be stated explicitly after the question.

Here's an example:

What are the three types of authentication that can be used in the action field of a rule?

1. User

2. Computer

3. Session

4. Client

5. Firewall

Answer: A, C, and D. These are the only possible options in the rule action. B is not an option. E is not an option.

Scenarios

Some questions are given in the form of a scenario, sometimes with a network diagram to explain the question. The big thing to keep in mind here is that a lot of information doesn't pertain to the real question, and may be a distraction.

Here's an example:

Sally Sysadmin just bought eight FireWall-1 NG-AI enforcement points and a Smart Centre Server that came with a free hat. The hat was too big, but she was able to trade it in for a shirt. The enforcement points run on Solaris, and are distributed across her WAN. Because the Smart Centre Server runs on Secure Platform, what licensing scheme should she use?

1. Local

3. Central

4. Distributed

5. Enterprise

Answer: B. A is not correct because Check Point does not recommend using local licenses for new installations. B is correct because central licensing is the preferred method. C is not correct because distributed is not a licensing option. D is not correct because enterprise is not a licensing option.

How to Use This Book

Other than the first few chapt...