Firewall Wizards mailing list archives

RE: CISSP


From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Mon, 26 Nov 2001 15:59:56 -0500

Urk. I hit the "send" button accidentally on previous message, please
disregard and replace with this one.

Like many "wizards" on this list, I would find it difficult
passing the CISSP exam, not because I'm any less of a wizard,
but because I understand things differently.

For example, I was looking at a sample question that asked:
"End-to-end service is provided by which of the following
layers?". What you are supposed to know is that TCP (and
hence Transport Layer) provides end-to-end reliability for
applications. It says so right in the RFCs as well as most
texts that describe TCP/IP. I've read CISSP study guides that
state that TCP provides end-to-end services.

The term "end-to-end" has taken on a life of its own. In the
old days, it was always paired with something, like
end-to-end reliability, end-to-end congestion control, etc.
Nowadays, the term end-to-end means "something that TCP
provides", and TCP is defined as providing "end-to-end"
services. It's a circular definition that you are expected to
regurgitate when you take the test; the specifics about which
things are end-to-end have been lost. (Every layer of the OSI
Model is end-to-end, for appropriate ends and appropriate services.)

To quote RFC 791 (IP): "There are no mechanisms to augment end-to-end data
reliability, flow control, sequencing, or other services commonly found in
host-to-host protocols." People have taken "end-to-end data" completely out
of context. Therefore, if you have recently read the appropriate books, you
probably have only seen the phrase "end-to-end" in descriptions of TCP.
However, if you are like me and haven't read a description of TCP in over a
decade (despite having implemented huge quantities of TCP code), you would
miss the question.

Understanding concepts is not the same as understanding the
description of concepts. I like to use the phrase "I
don't know what a firewall is". Sure, I deeply understand
(i.e. have written) applications proxies and stateful packet
filters, but it doesn't mean that I really understand what
somebody intends to convey with the word "firewall". Since
most people use the word "firewall" to mean some sort of
magic pixie dust that solves the hacker problem, not only do
I not understand it, I don't believe in it.

I could create a long list of such subtle disagreements I have with the
test, but my purpose isn't to debunk it. Certainly those who have gone
through the trouble of getting CISSP certified are likely to be more
knowledgeable than many newcomers who think they are hot stuff. If you are a
manager who doesn't understand security, you'd be better off hiring a
CISSP. If you are a newcomer, you are probably better off getting CISSP
certified. But if you are really, really good (i.e. a wizard), you want to
go to work for somebody who understands how good you are, and then CISSP
won't matter, and would be beneath you.
