With the introduction of the new Cisco Certified Network Professional Security (CCNP Security) Certification, there have been modifications in the path that a Cisco Security Professional must study in order to obtain certification.
This article focuses on the differences between the existing (and expiring) Cisco Certified Security Professional (CCSP) track and the new CCNP Security track. The new CCNP Security exams include:
- Securing Networks with Cisco routers and switches (SECURE Exam 642-637)
- Deploying Cisco ASA Firewall Solutions (FIREWALL Exam 642-617)
- Deploying Cisco ASA VPN Solutions (VPN Exam 642-647)
- Implementing Cisco Intrusion Protection System v7 (IPS Exam 642-627)
Each of the new exams costs $150 and is offered through Pearson VUE. The only prerequisite for the CCNP Security is a valid CCNA Security, or any CCIE certification.
As the format used for the new exam blueprints is a bit different from that of their older counterparts, some of the comparisons can be a bit subjective. There do seem to be some consistent differences between the new and old certification tracks, including an emphasis on design and troubleshooting.
Let’s go through each of the exams and take a closer look at the changes in curriculum.
CCNP Security SECURE Exam (642-637)
Follow this color guide to see which exam topics existed in the old Securing Networks with Cisco Routers and Switches (SNRS) exams and which ones have been added to the new SECURE curriculum.
Existed in SNRS Curriculum
Added to the SECURE Curriculum
Pre-Production Design
- Choose Cisco IOS technologies to implement HLD (High Level Design)
- Choose Cisco products to implement HLD
- Choose Cisco IOS features to implement HLD
- Integrate Cisco network security solutions with other security technologies
- Create and test initial Cisco IOS configurations for new devices/services
- Configure and verify ASA VPN feature configurations
Complex Operations Support
- Optimize Cisco IOS security infrastructure device performance
- Create complex network security rules to meet the security policy requirements
- Optimize security functions, rules, and configuration
- Configure & verify Classic IOS Firewall and NAT to dynamically mitigate identified threats to the network
- Configure & verify IOS Zone Based Firewalls including advanced application inspections and URL filtering
- Configure & verify the IPS features to identify threats and dynamically block them from entering the network
- Maintain, update and tune IPS signatures
- Configure & verify IOS VPN features
- Configure & verify Layer 2 and Layer 3 security features
Advanced Troubleshooting
- Advanced Cisco IOS security software configuration fault finding and repairing
- Advanced Cisco routers and switches hardware fault finding and repairing
CCNP Security VPN Exam (642-647)
Again, this color guide will help you identify which exam topics were brought over from the SNAA exam and which ones were introduced to the VPN curriculum.
Existed in SNAA Curriculum
Added to the VPN Curriculum
Pre-Production Design
- Choose ASA VPN technologies to implement HLD based on given requirements
- Choose the correct ASA model and license to implement HLD based on given performance requirements
- Choose the correct ASA VPN features to implement HLD based on given corporate security policy and network requirements
- Integrate ASA VPN solutions with other security technology domains (CSD, ACS, Device managers, Cert servers, etc.)
Complex Operations Support
- Optimize ASA VPN performance, functions, and configurations
- Configure and verify complex ASA VPN networks using features such as DAP, CSD, Smart tunnels, Anyconnect SSLVPN, Clientless SSLVPN, Site-to-Site VPN, RA VPN, certificates, QOS, etc. to meet security policy requirements
- Create complex ASA network security rules using such features as ACLs, DAP, VPN profiles, certificates, MPF, etc, to meet the corporate security policy
Advanced Troubleshooting
- Perform advanced ASA VPN configuration and troubleshooting
CCNP Security FIREWALL Exam (642-617)
Use this color guide to see which exam topics remain from the Securing Networks with ASA Foundation (SNAF) curriculum and which ones have been introduced in the FIREWALL exam.
Existed in SNAF Curriculum
Added to the FIREWALL Curriculum
Pre-Production Design
- Choose ASA Perimeter Security technologies/features to implement HLD based on given security requirements
- Choose the correct ASA model to implement HLD based on given performance requirements
- Create and test initial ASA appliance configurations using CLI
- Determine which ASA licenses will be required based on given requirements
Complex Operations Support
- Optimize ASA Perimeter Security features performance, functions, and configurations
- Create complex ASA security perimeter policies such as ACLs, NAT/PAT, L3/L4/L7 stateful inspections, QoS policies, cut-thru proxy, threat detection, botnet detection/filter using CLI and/or ASDM
- Perform initial setup on the AIP-SSM and CSC-SSM using CLI and/or ASDM
- Configure, verify and troubleshoot High Availability ASAs (A/S and A/A FO) operations using CLI and/or ASDM
- Configure, verify and troubleshoot static routing and dynamic routing protocols on the ASA using CLI and/or ASDM
- Configure, verify and troubleshoot ASA transparent firewall operations using CLI
- Configure, verify and troubleshoot management access/protocols on the ASA using CLI and/or ASDM
Describe Advanced Troubleshooting
- Advanced ASA security perimeter configuration/software/hardware troubleshooting using CLI and/or ASDM fault finding and repairing
CCNP Security IPS Exam (642-627)
This color guide will guide you through the IPS curriculum changes and show you which exam topics came from the CCSP Implementing Cisco Intrusion Prevention System (IPS) curriculum and which ones have been added to the new CCNP Security IPS exam.
Existed in IPSv6 Curriculum
Added to the IPSv7 Curriculum
Pre-Production Design
- Choose Cisco IPS technologies to implement HLD
- Choose Cisco products to implement HLD
- Choose Cisco IPS features to implement HLD
- Integrate Cisco network security solutions with other security technologies
- Create and test initial Cisco IPS configurations for new devices/services
Complex Support Operations
- Optimize Cisco IPS security infrastructure device performance
- Create complex network security rules, to meet the security policy requirements
- Configure and verify the IPS features to identify threats and dynamically block them from entering the network
- Maintain, update and tune IPS signatures
- Use CSM and MARS for IPS management, deployment, and advanced event correlation
- Optimize security functions, rules, and configuration
Advanced Troubleshooting
- Advanced Cisco IPS security software configuration fault finding and repairing
What The CCNP Security Changes Mean For You
The vast majority of the changes between the new CCNP Security and the older CCSP exams seem to be updates in equipment and technologies. Some reorganization seems to place more focus on the design and troubleshooting parts of the job, which come up constantly in day-to-day activities but were not heavily emphasized in previous tests, most of which focused on operations. Hopefully, this overview will help you in preparing for the different exams.
And if you’re currently preparing for the CCSP or CCNP Security exams, keep in mind that at this time you do have the ability to obtain both of the certifications. For more information on this, check out my previous article on the new CCNP Security Certification exams.






