Firewall Wizards mailing list archives
RE: CISSP
From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Mon, 26 Nov 2001 15:59:56 -0500
Urk. I hit the "send" button accidentally on the previous message; please disregard it and replace it with this one.

Like many "wizards" on this list, I would find it difficult passing the CISSP exam, not because I'm any less of a wizard, but because I understand things differently. For example, I was looking at a sample question that asked: "End-to-end service is provided by which of the following layers?" What you are supposed to know is that TCP (and hence the Transport Layer) provides end-to-end reliability for applications. It says so right in the RFCs as well as most texts that describe TCP/IP. I've read CISSP study guides that state that TCP provides end-to-end services.

The term "end-to-end" has taken on a life of its own. In the old days, it was always paired with something, like end-to-end reliability, end-to-end congestion control, etc. Nowadays, the term end-to-end means "something that TCP provides", and TCP is defined as providing "end-to-end" services. It's a circular definition that you are expected to regurgitate when you take the test; the specifics about which things are end-to-end have been lost. (Every layer of the OSI Model is end-to-end, for appropriate ends and appropriate services.) To quote RFC 791 (IP): "There are no mechanisms to augment end-to-end data reliability, flow control, sequencing, or other services commonly found in host-to-host protocols." People have taken "end-to-end data" completely out of context.

Therefore, if you have recently read the appropriate books, you probably have only seen the phrase "end-to-end" in descriptions of TCP. However, if you are like me and haven't read a description of TCP in over a decade (despite having implemented huge quantities of TCP code), you would miss the question. Understanding concepts is not the same as understanding the description of concepts.

I like to use the phrase "I don't know what a firewall is". Sure, I deeply understand (i.e. have written) application proxies and stateful packet filters, but it doesn't mean that I really understand what somebody intends to convey with the word "firewall". Since most people use the word "firewall" to mean some sort of magic pixie dust that solves the hacker problem, not only do I not understand it, I don't believe in it.

I could create a long list of such subtle disagreements I have with the test, but my purpose isn't to debunk it. Certainly those who have gone through the trouble of getting CISSP certified are likely to be more knowledgeable than many newcomers who think they are hot stuff. If you are a manager who doesn't understand security, you'd be better off hiring a CISSP. If you are a newcomer, you are probably better off getting CISSP certified. But if you are really, really good (i.e. a wizard), you want to go to work for somebody who understands how good you are, and then CISSP won't matter, and would be beneath you.