Dear Juniper – Please Make JNCIA-Junos a Pre-Requisite Exam for JNCIA-AC. THANKS!

If there was ever a technology which had a minimum pre-level of knowledge attached, it was JNCIA-AC. Understanding the dead-simple IVE-based UAC OS quite frankly is no help at all; you really need knowledge about the following topics:

  • Ethernet Switching, Wireless and 802.1x
  • DHCP, DNS, NTP and PKI
  • Firewalls, Routers & Security Policy Design
  • Windows Domain and RADIUS authentication
  • Supplicants, endpoints and client OS

When UAC was launched, Juniper had no switching platform and ScreenOS was the only firewall; it had to be deployed on other vendors’ networks. However, that has changed significantly. With both EX and SRX platforms gaining traction in the market, Juniper now has the technologies and training courses in place to complement it. Whilst UAC may well continue to be deployed in other vendors’ networks (indeed, it’s a strength), the time is right to actively enforce a wider knowledge before you can be certified in it and the bar raised in terms of who can sell and deploy it. Sticking it on the edge of the portfolio makes no sense; it is a product which never will be deployed in isolation like a Firewall, IDP, SSL or even WX; it will always be tightly integrated into the network. Even the JNCIA-Junos exam probably isn’t stringent enough; to encourage the development of best-practice in this area, I wonder if it shouldn’t be pushed up the “Enterprise” or “Security” tracks, making passing it a requirement for JNCIP-SEC/ENT or even JNCIE-SEC/ENT. Not having reached those lofty heights myself yet, I don’t know how much overlap there is, but I can’t help but think that the knowledge gained on the UAC course would cross-fertilise the higher tiers of the Networking and Security Tracks and ultimately produce engineers with a wider knowledge base.

Why this rant? I can’t stand to see a good technology deployed badly or mis-sold. I still run into this more than I should, despite the massive efforts Juniper have put into training programs for sales, technical and pre-sales. At the moment, “Select” Juniper partners are able to sell the UAC products, which is not far from “anyone”. I think that it should be restricted to Elite Partners only, as the entry requirements are not purely commercial; a bunch of sales, presales and of course technical exams need to be completed. Ideally a Juniper SE should be attached to the project as well to provide design signoff as this is a key point. This is a premium technology which requires planning and forethought. If you have a requirement to deploy a hard-core Network Access Control solution, you need hard core people to do it. Raising the bar and referencing it as part of the higher-order Juniper certifications will enable this keystone piece of technology to be front and centre and more widely deployed. What I’m aiming for is to promote better end to end understanding of the network infrastructure. Deploying NAC is relatively easy if you know which bit of the network is connected to which; in my experience very few people do (excluding the loyal listeners of the PPP!). Tweaking the certification process will better reflect the knowledge required to actually deploy such solutions rather than leaving it as an optional extra.

About Glen Kemp

Enterprise Security Architect & Juniper Ambassador. Designing & deploying “keep the bad guys out” technologies. Delivering elephants and not hunting unicorns. You can find me @ssl_boy and at my personal blog http://sslboy.posterous.com/

  • Guest

    Don’t think so, they are absolutely different.

  • http://twitter.com/ssl_boy Glen Kemp

    Thanks Kevin for the comments, nice to know that I’m not barking up completely the wrong tree. What triggered my little rant was that I’m about to recertify in both Junos AND UAC and the tracks just didn’t seem joined up in the way they could be.
    Given how far advanced the plans for the JPACS must be if there is a beta course, I look forward to taking the class when it becomes available and (hopefully) sitting the associated exam. I’ve put back my UAC/Junos exams anyway for a couple of months and hope to pick up the new track then.

  • Kieran Milne

    Hi ssl_boy,
     
    Your post is timely, as we are just about to update the UAC exam and have been discussing this very topic recently.
     
    The JNCP is designed to serve several audiences: customers, partners and employees. Each audience uses certifications in a different way, and for a different purpose, and we keep all these audiences in mind when making decisions about the program, its structure, and its interlocks. Adding a pre-req requirement to an exam is a good example of where it is important that we keep all audiences in mind… by taking such a step are we serving the overall cert audience, or just one part; would the pre-req exam be best applied to all, or is it more appropriately discussed as a possible partner compliance requirement, etc.
     
    You are correct that there is a need for some Junos knowledge in an AC context (due to JPACS’s interaction with Junos devices).  However, the amount of specific Junos knowledge required is relatively narrow, enough so to make it difficult to justify having Junos exams as hard pre-requisites.  Adding a Junos exam (or exams) as a pre-req in front of the AC exam would introduce the issue of candidates needing to study and learn a broad range of topics that go beyond the scope of what is relevant towards the end goal of qualifying someone as proficient to configure and manage JPACS.  For example, a logical pre-req exam in this case would be not so much JNCIA-Junos but JNCIS-SEC; however, putting JNCIS-SEC in front of an AC exam adds a substantial amount of ‘overhead’ as it means becoming knowledgeable about topics ranging from IPsec to HA to UTM, when the actual pre-requisite Junos knowledge required for JPACS is more in the range of some general Junos plus enough about zones and policies to get by.  In addition, JNCIS-SEC has its own pre-requisite requirement (JNCIA-Junos), making obtaining an AC credential a 3-exam effort.
     
    It’s also worth mentioning (as you correctly do above) that JPACS is sometimes implemented in a non-Juniper environment, so adding Junos exam pre-req’s would make the path for these people more cumbersome than it needs to be.  And finally, JPACS simply does not run Junos; adding Junos exams as pre-req’s ultimately overstates the role Junos has as part of an AC credential – Junos is relevant but does not represent fundamental required knowledge.
     
    I can follow on from Kevin’s comments above and confirm that the JPAC course now includes the recommendation to have some Junos knowledge coming in, and it points to some relevant suggested pre-req courses.  We will effectively do the same for the new AC exam by explicitly calling out Junos-related topics in the exam blueprint, as well as within the list of recommended study resources.  We will also take your suggestion to the group that manages our partner program, and propose it as a possible partner-centric requirement.
     
    Thanks for your interest in the JNCP and for taking the time to post, we value comments and appreciate the input.  Best of luck with your studies.
     
    Best regards,
    Kieran Milne
    Tech Lead, JNCP
    Education Services
    Juniper Networks

    • http://twitter.com/ssl_boy Glen Kemp

      Thanks Kieran, it’s flattering and pleasing that these things are being looked at and feedback from the wider community is taken seriously. I look forward to seeing the proposed tweaks to the program. UAC, switching and security are all intertwined and trying to study for one in isolation is kind of tough. If the relevant aspects of Junos (as an example of an 802.1x platform) are on the “recommended” reading list then there should be no surprises for anyone attempting to sit the exam.

      Thanks again

      Glen