Sourcefire and SFCP Certification

Hurray…! My intense work over the last couple of weeks has finally paid off. Yeah, I’ve just passed my SFCP (Sourcefire Certified Professional) Certification Exam.

First, briefly about the company: Sourcefire was founded by the author of Snort (an open source network intrusion detection and prevention system). Snort is the most popular and widely deployed IDS/IPS and has become the de facto standard for the industry.

So, why do we need Sourcefire (very expensive) if Snort is the best and free?

Right, Snort is the best and it’s free, but its implementation, management and maintenance are not a piece of cake for everyone; that’s where Sourcefire comes into play. Sourcefire uses Snort at its heart to leverage its powerful IDS/IPS technology, with the added benefit of plug-and-protect simplicity (the purpose-built appliance is easy to install, maintain and manage), and it comes with tons of extra features that make it very powerful. Sourcefire adds an Adaptive IPS and Enterprise Threat Management (ETM) on top of the Snort IPS. It is managed via a user-friendly and intuitive web interface; of course you can always do your advanced configuration from the shell, because underneath it is still Snort installed on a Linux box.

Components of Sourcefire 3D System

The Sourcefire 3D System consists of two appliances: the Sourcefire Defense Center and the Sourcefire 3D Sensor.

The Sourcefire Defense Center (DC) is a centralized management console that manages the sensors and provides centralized event aggregation and sensor policy administration.

Sourcefire 3D Sensors are purpose-built network security appliances that passively aggregate network and user intelligence while defending the network against internal and external threats.

3D Sensor Modules

Each Sourcefire 3D Sensor is capable of running any combination of the following four software components (you need to buy them separately):

Sourcefire IPS (Intrusion Prevention System) is the mighty Snort running in the background: a rules-based detection engine backed by the acclaimed Vulnerability Research Team (VRT) rule sets to protect your network. The IPS component is included in the base system.

Sourcefire RNA (Real-time Network Awareness) passively monitors real-time network traffic and gathers network intelligence: it can detect the operating systems, services, applications, protocols and potential vulnerabilities that exist on your network. This is a very useful component of Sourcefire, but you’ll need to buy the RNA license separately.

Sourcefire RUA (Real-time User Awareness) identifies users and their contact information by pairing Active Directory and LDAP usernames with the host IP addresses involved in security and compliance events. You’ll need to buy the RUA license separately.

Sourcefire NetFlow Analysis is an optional component of Sourcefire’s Network Behavior Analysis (NBA) solution. It gives additional insight into network threats by aggregating and analyzing NetFlow data from routers and switches.

[Figure: Sourcefire 3D System deployment with Master Defense Center]

OK, that was about Sourcefire. Here’s how you go about getting certified.

Training Course

Sourcefire offers several instructor-led classroom training courses for the Sourcefire 3D System, of which the SF3D 360 Bundle is the one I took.

Sourcefire 3D™ 360 Bundle Includes:

• Instructor-led Training Sourcefire 3D™ (4 days)
• Sourcefire Certified Professional (SFCP) Certification Exam
• Sourcefire Guarantees
• CPE Credits 32 (for CISSPs)

Course Outline

• Sourcefire 3D System Sensor Deployment and Communications Architecture
• Sourcefire 3D System Overview & Product Installation
• Interface Navigation and Dashboard views
• Sensor Configuration and Management with the Defense Center
• Configuring Interface Sets and Detection Engines
• Administration, Maintenance and System Policy
• System Health Monitoring and Alerting
• Real-time User Awareness
• Adaptive Profiles
• User Account Management
• IPS & RNA Detection Policy Configuration
• Compliance Policy, White Lists and Host Attributes
• Event Analysis and Reporting
• End-Point Intelligence
• Flow Data Analysis and Network Profiling
• Nmap and Nessus Scanning
• Basic Rule Structure and Syntax
• IPS Features and Configuration
• Troubleshooting and Behind-the-GUI Navigation and Architecture

Certification Exam

The following products and skill areas are assessed through this process:

• Intrusion Management System
• Intrusion Sensors
• Defense Center
• RNA Sensor
• Installation and Deployment
• Administration and Management
• Policy Configuration and Management
• Policy Non-compliance and Remediation
• User Administration and Management
• Reporting Creation and Management
• Effective and Performance Oriented Rule Writing

The certification exam itself consists of 200 multiple-choice questions, which you’ll have to complete within 4 hours. The passing score is 75%. You’ll immediately know whether you passed or failed, and if you pass, the exam certificates are available online for you to print.

I found the instructor-led course very helpful. I had worked with Snort before, but this was my first introduction to Sourcefire. After the 4-day course, you’ll have 60 days to prepare for and take the exam. Every student is given a second attempt if a passing grade of 75% or better is not achieved on the first attempt.

To prepare for the exam, I went through the training material (page by page) one more time. I also had access to Sourcefire boxes installed in our office lab, which was very useful. It’s an open-book exam, but you’ll have only slightly more than a minute per question, so you won’t have enough time to go through your materials during the exam. You’ll need to know your stuff to pass it, but having access to a Sourcefire box at the time of the exam will be very handy (for the user interface questions).

11 comments on “Sourcefire and SFCP Certification”
  1. Sameer says:

    Well, congratulations, brother, on passing the certification exam.
    Also,
    may happiness and joy come, may success and progress follow, may spring spread forever; this is my New Year 2066 wish.

    Good information. In the IT field there are so many certification exams, it confuses me which one is the best and most useful; I am also interested in the Networks and Security field. How much does it cost to take the SFCP Certification exam?

  2. Thanks Sameer!

    Wish you a very happy and prosperous 2066 as well.

    Yes, you’re right, there are so many IT certifications in the market; the best and most useful one depends upon where you’re working and what your company is using. But generally for Networking you should start with CCNA, for security CISSP, for Microsoft MCSE, and so on… The SFCP Certification costs US$ 395.00, but if you want to take the Sourcefire 3D 360 Bundle course (4 days instructor-led training), which also includes the Certification exam, it’ll cost around US$ 4000.

  3. Leon says:

    Congrats, it’s a tricky exam to pass.

  4. Vikram says:

    How did you prepare for this exam? Are there any books or course material available?

  5. Vikram, I took a 3-day training course. I’m not aware of any books or materials publicly available for this exam. I recommend you contact Sourcefire; they might be able to point you in the right direction.

  6. Vikram says:

    Thanks… their training course is very costly and I don’t think my company will sponsor it for me 🙁

  7. Bikash Supakar says:

    Hi Vikram,

    Please tell me how I can do the Sourcefire certification.

  8. Minnal says:

    Hi all,

    Please help me. How do I pass the exam? I have failed the first attempt with a 63% score.

  9. Pankaj Sehgal says:

    Hi All,

    Can somebody help me find out about SFCP training fees in India and available training centres in Delhi/NCR, as I would like to go for the SFCP exam.